How to fix - The remote web server is prone to cross-site scripting attacks

Posted on 2009-07-02
Last Modified: 2013-12-04
I am running a website on a Windows Server 2008. My client ran a PCI Audit and Failed.

This is the failing point:

Error:  TCP, port 80, http
Synopsis : The remote web server is prone to cross-site scripting attacks.
Description : The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.
See also : http://en.wikipedia.org/wiki/Cross-site_scripting
Solution: Contact the vendor for a patch or upgrade.
Risk Factor: Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE : CVE-2002-1060, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681
BID : 5305, 7344, 7353, 8037, 14473, 17408
Other references : OSVDB:4989, OSVDB:18525, OSVDB:24469, OSVDB:42314

I have not been able to fix the issue. The website is built with DotNetNuke 5.

Server Specs:
Windows Server 2008 Standard (32-bit)
Service Pack 1

How can I fix the problem so I can pass the PCI Audit?
Question by: Benjamin_
2 Comments

Expert Comment

by: iUsername
ID: 24768386
XSS (cross site scripting) is a web application vulnerability, and to fix this vulnerability you simply need to VALIDATE THE INPUT.

Accepted Solution

by: jahboite (earned 1000 total points)
ID: 24771874
In order to fix this problem, you'll need to review the code for areas where the application accepts input from an untrusted source (user input, third party data...) and then displays that input back to the user.  You're looking for cases where the input is not validated and the corresponding output is not properly escaped.

I suggest the following page as an excellent jump-off point for understanding XSS and there also you'll find further references to help you understand and prevent XSS in your applications:

http://www.owasp.org/index.php/Cross_site_scripting
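The code review the accepted answer describes, as an added example that is not part of the original thread and not DotNetNuke's own code: a search term taken from the request and rendered two ways, once concatenated straight into the HTML and once validated and HTML-encoded, plus the check a reviewer can run against either render path. It is written in C# because the site is ASP.NET; the `SearchPage` class, its method names, the length limit and the marker string are assumptions made for the example.

```csharp
// Added example, not code from the question, the answers or DotNetNuke.
// Shows the two render paths a code review for reflected XSS is comparing.
using System;
using System.Net;   // WebUtility.HtmlEncode; System.Web.HttpUtility.HtmlEncode is the equivalent inside an ASP.NET page

static class SearchPage   // hypothetical handler for a search results page
{
    // VULNERABLE: the request value is concatenated straight into HTML, so any
    // markup the request carries is rendered as markup by the user's browser.
    public static string RenderUnsafe(string q)
    {
        return "<h2>Results for: " + q + "</h2>";
    }

    // HARDENED: validate the input (here: present and within an assumed length
    // limit) and HTML-encode it on output so the browser treats it as text.
    public static string RenderSafe(string q)
    {
        if (q == null || q.Length > 100)
            q = string.Empty;                       // reject missing or oversized input
        string encoded = WebUtility.HtmlEncode(q);  // < > & " become entities
        return "<h2>Results for: " + encoded + "</h2>";
    }

    // Review check for a render path: if a harmless marker containing angle
    // brackets comes back unchanged, the path reflects raw input and fails
    // the "output is not properly escaped" test from the answer above.
    public static bool ReflectsRawMarkup(Func<string, string> render)
    {
        const string marker = "<b>review-marker</b>";   // constructed, non-executing marker
        return render(marker).Contains(marker);
    }

    static void Main()
    {
        Console.WriteLine("RenderUnsafe reflects raw markup: " + ReflectsRawMarkup(RenderUnsafe));
        Console.WriteLine("RenderSafe reflects raw markup:   " + ReflectsRawMarkup(RenderSafe));
        Console.WriteLine(RenderSafe("<b>review-marker</b>"));
    }
}
```

The same check applies to every place the application writes request data into a page (query string, form fields, cookies, headers, data pulled from third parties), and encoding has to match the context the value lands in: `HtmlEncode` is right for HTML text and attribute values, while a value written into a JavaScript block or a URL needs the encoder for that context.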