Community Support Forums — WordPress® ( Users Helping Users ) — 2011-12-20T20:16:10-05:00 http://www.primothemes.com/forums/feed.php?f=4&t=16173

2011-12-20T20:16:10-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=58327#p58327 <![CDATA[Re: PCI Compliance Script Issues]]>
~ You're very welcome.

100% Resolved

Statistics: Posted by Jason Caldwell — December 20th, 2011, 8:16 pm

2011-12-20T20:04:23-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=58326#p58326 <![CDATA[Re: PCI Compliance Script Issues]]>
Jeremy

Statistics: Posted by jfmetcalf1 — December 20th, 2011, 8:04 pm

2011-12-20T17:31:57-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=58318#p58318 <![CDATA[Re: PCI Compliance Script Issues]]>

Jeremy

Statistics: Posted by jfmetcalf1 — December 20th, 2011, 5:31 pm

2011-12-20T11:36:59-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=58269#p58269 <![CDATA[Re: PCI Compliance Script Issues]]>
Resolved in s2Member and s2Member Pro v111220.
http://wordpress.org/extend/plugins/s2member/changelog/

v111220

(s2Member Pro) Security fix. PayPal® Pro and Authorize.Net® Forms were vulnerable to an XSS attack, reproducible with a Coupon Code containing special characters. Discovered by ControlScan™. Fixed in this release. For further details, please see this thread.

(s2Member Pro) Security hardening. s2Member's Systematics routine hardened against a possible attack coming from a spoofed IP address matching that of the installation server itself. For further details, please see this thread.

(s2Member Pro) Security hardening. PayPal® Pro and Authorize.Net® Forms hardened against a possible attack against card types. Discovered by ControlScan™. For further details, please see this thread.

99% Resolved ( awaiting confirmation )

Statistics: Posted by Jason Caldwell — December 20th, 2011, 11:36 am

2011-12-20T08:52:58-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=57043#p57043 <![CDATA[Re: PCI Compliance Script Issues]]>
Investigation completed.
Thanks for reporting this important issue.

1. Proxy Coupon Code with special chars.
Fixed in development copy. Coming in release of 111220 later today.

2. Card Type = Amex, against accept attribute.
Fixed in development copy. Coming in release of 111220 later today.

Statistics: Posted by Jason Caldwell — December 20th, 2011, 8:52 am

2011-12-20T06:41:49-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=57033#p57033 <![CDATA[Re: PCI Compliance Script Issues]]>

Statistics: Posted by Jason Caldwell — December 20th, 2011, 6:41 am

2011-12-19T22:22:51-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=56982#p56982 <![CDATA[Re: PCI Compliance Script Issues]]>
Jeremy



I have attached proof of concept that the cross-site scripting threat is legitimate. I was able to pop it on the www.protectanddefend.org/member-registration page. Just some background information that may assist your developers: I was able to manually verify the cross-site scripting by using a proxy and intercepting the request. Once I intercepted the request, I was able to change the s2member_pro_authnet_checkout[card_type] to "Amex" (American Express isn't one of the selectable options originally) and I was also able to insert the script into the s2member_pro_authnet_checkout[coupon] parameter.

Chris Martin
Sr. Security Analyst
ControlScan, Inc.

Statistics: Posted by jfmetcalf1 — December 19th, 2011, 10:22 pm

2011-12-18T12:42:05-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=56824#p56824 <![CDATA[Re: PCI Compliance Script Issues]]>
Jeremy

Statistics: Posted by jfmetcalf1 — December 18th, 2011, 12:42 pm

2011-12-18T11:18:54-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=56816#p56816 <![CDATA[Re: PCI Compliance Script Issues]]>
Thanks for the follow-up.

I'm not aware of any issue in this regard. All of these variables are sanitized by s2Member before they are used and/or displayed back to the user. Your report indicates otherwise. If you have more information you can provide, we'll be happy to have a look. This list just shows the variables, it doesn't show the vulnerability being reproduced yet. I suspect this is a false positive.
Code:
• s2member_pro_authnet_checkout[card_start_date_issue_number] -
• s2member_pro_authnet_checkout[card_number] -
• s2member_pro_authnet_checkout[card_verification] -
• s2member_pro_authnet_checkout[first_name] -
• s2member_pro_authnet_checkout[city] -
• s2member_pro_authnet_checkout[email] -
• s2member_pro_authnet_checkout[username] -
• s2member_pro_authnet_checkout[last_name] -
• s2member_pro_authnet_checkout[state] -
• s2member_pro_authnet_checkout[street] -
• s2member_pro_authnet_checkout[card_expiration] -
• s2member_pro_authnet_checkout[card_type] - Amex
• s2member_pro_authnet_checkout[zip] -
• s2member_pro_authnet_checkout[attr] - fnIyOnpzemxGcHAweTBRZ3dDcnBVNXBlS3h3VnAwUEZSbmdxfHY4vzbG8zG1HqGghS4C92GV43VRKFftAc5MyQI_mDEZaBmIN4p7
• s2member_pro_authnet_checkout[password2] -
• s2member_pro_authnet_checkout[coupon] - '">
• s2member_pro_authnet_checkout[nonce] - b45185b09d
• s2member_pro_authnet_checkout[password1]

Statistics: Posted by Jason Caldwell — December 18th, 2011, 11:18 am

2011-12-17T19:29:16-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=56788#p56788 <![CDATA[Re: PCI Compliance Script Issues]]>

Port: 80
Threat Name: Cross-Site Scripting
Risk Level: High (3)
Threat ID: 300004
Details:
IP Address: 50.56.134.155
Host: www.protectanddefend.org
Path: /member-registration

THREAT REFERENCE

Summary:
Cross-Site Scripting

Risk: High (3)
Type: Fritko
Port: 80
Protocol: TCP
Threat ID: 300004

Information From Target:
Regular expression ".{0,1}'.{0,1}"> " matched contents of /member-registration.

Query Parameters
•s2member_pro_authnet_checkout[card_start_date_issue_number] -
•s2member_pro_authnet_checkout[card_number] -
•s2member_pro_authnet_checkout[card_verification] -
•s2member_pro_authnet_checkout[first_name] -
•s2member_pro_authnet_checkout[city] -
•s2member_pro_authnet_checkout[email] -
•s2member_pro_authnet_checkout[username] -
•s2member_pro_authnet_checkout[last_name] -
•s2member_pro_authnet_checkout[state] -
•s2member_pro_authnet_checkout[street] -
•s2member_pro_authnet_checkout[card_expiration] -
•s2member_pro_authnet_checkout[card_type] - Amex
•s2member_pro_authnet_checkout[zip] -
•s2member_pro_authnet_checkout[attr] - fnIyOnpzemxGcHAweTBRZ3dDcnBVNXBlS3h3VnAwUEZSbmdxfHY4vzbG8zG1HqGghS4C92GV43VRKFftAc5MyQI_mDEZaBmIN4p7
•s2member_pro_authnet_checkout[password2] -
•s2member_pro_authnet_checkout[coupon] - '">
•s2member_pro_authnet_checkout[nonce] - b45185b09d
•s2member_pro_authnet_checkout[password1] -
Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .Net you can use the Server.HtmlEncode() function.
Details:

XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.

An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to force the user to launch malicious javascript.

Cross site scripting occurs when user input is not properly encoded by the application prior to display back to the user. In order to fix this issue, the application developers must encode most non-alphanumeric user-supplied data into their corresponding HTML characters before the data is displayed back to the user. For example, " would convert to &quot; and < would convert to &lt;

There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .Net you can use the Server.HtmlEncode() function.

Statistics: Posted by jfmetcalf1 — December 17th, 2011, 7:29 pm

2011-12-10T00:38:46-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=56180#p56180 <![CDATA[Re: PCI Compliance Script Issues]]>
Thanks for the heads up on this thread.
~ and thanks for reporting this important security issue.

Interesting. s2Member does not interact with this service:
Code:
Web Services :: Fritko

What PCI scanning service are you using please?
Also, what you posted prior is a general outline of the issue that was detected. It does not point to anything specific, nor does it isolate the issue to s2Member. Please check your full PCI compliance scan and associated reports. Look for the exact test your scanning service performed, which would allow you to reproduce the issue. For XSS, this would normally include a URL with a particular query string.
Code:
Path: /member-registration
( not enough to go on )

* Note: we are not currently aware of any XSS vulnerability in s2Member or s2Member Pro. However, if you have a report that indicates there is, please post that information. We'll be happy to review it.

Statistics: Posted by Jason Caldwell — December 10th, 2011, 12:38 am

2011-12-09T05:27:05-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=56143#p56143 <![CDATA[Re: PCI Compliance Script Issues]]>

Statistics: Posted by jfmetcalf1 — December 9th, 2011, 5:27 am

2011-12-06T05:03:41-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=54642#p54642 <![CDATA[Re: PCI Compliance Script Issues]]>

Statistics: Posted by jfmetcalf1 — December 6th, 2011, 5:03 am

2011-12-04T06:22:14-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=54532#p54532 <![CDATA[Re: PCI Compliance Script Issues]]>
Cross-Site Scripting
Web Services :: Fritko
ID: 300004
Port: TCP:80
Risk: 3
Path: /member-registration

XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.

An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to force the user to launch malicious javascript.

Cross site scripting occurs when user input is not properly encoded by the application prior to display back to the user. In order to fix this issue, the application developers must encode most non-alphanumeric user-supplied data into their corresponding HTML characters before the data is displayed back to the user. For example, " would convert to &quot; and < would convert to &lt;

There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .Net you can use the Server.HtmlEncode() function.

Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .Net you can use the Server.HtmlEncode() function.

Statistics: Posted by jfmetcalf1 — December 4th, 2011, 6:22 am

2011-12-04T02:02:40-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=54501#p54501 <![CDATA[Re: PCI Compliance Script Issues]]>

Statistics: Posted by Cristián Lávaque — December 4th, 2011, 2:02 am

2011-12-02T22:35:11-05:00 http://www.primothemes.com/forums/viewtopic.php?t=16173&p=54457#p54457 <![CDATA[PCI Compliance Script Issues]]>
Here is a copy of part of the scan that involved s2Member Pro

XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.

An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to force the user to launch malicious javascript.

Cross site scripting occurs when user input is not properly encoded by the application prior to display back to the user. In order to fix this issue, the application developers must encode most non-alphanumeric user-supplied data into their corresponding HTML characters before the data is displayed back to the user. For example, " would convert to &quot; and < would convert to &lt;

There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function. In .Net you can use the Server.HtmlEncode() function.


Please reach out as soon as you can.

Thanks,
Jeremy

Statistics: Posted by jfmetcalf1 — December 2nd, 2011, 10:35 pm

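The scanner's remediation advice quoted in this thread, applied to the two findings it discusses (the coupon value reflected into the form and a card type submitted outside the rendered options), as an added PHP example; this is not s2Member's own code, and esc_attr_value(), validate_card_type(), the $accepted list and the $post array are assumptions constructed for illustration.

```php
<?php
// Added example, not s2Member's code: output encoding and server-side
// re-validation for the two checkout-form findings discussed in this thread.
// esc_attr_value(), validate_card_type(), $accepted and $post are hypothetical.

/**
 * Encode a value for insertion into an HTML attribute or text node.
 * ENT_QUOTES matters here: without it htmlspecialchars() leaves the single
 * quote alone, and a value such as '"> can still close the attribute.
 */
function esc_attr_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Re-check a <select> choice on the server. The rendered option list only
 * constrains well-behaved browsers; an intercepted request can carry any
 * value, so the accepted list must be enforced here as well.
 */
function validate_card_type(string $submitted, array $accepted): ?string
{
    return in_array($submitted, $accepted, true) ? $submitted : null;
}

// Constructed request mirroring the parameter names in the scan report.
$post = [
    's2member_pro_authnet_checkout' => [
        'coupon'    => '\'">',
        'card_type' => 'Amex',
    ],
];
$form     = $post['s2member_pro_authnet_checkout'];
$accepted = ['Visa', 'MasterCard', 'Discover']; // hypothetical accept list

// Vulnerable pattern (kept as a comment): the raw value is reflected into the
// attribute, so '"> terminates it and whatever follows is parsed as markup.
// echo '<input name="coupon" value="' . $form['coupon'] . '">';

// Hardened: quotes and the angle bracket are encoded before reflection, so the
// value stays inside the attribute when the form is re-displayed.
echo '<input name="coupon" value="' . esc_attr_value($form['coupon']) . '">', PHP_EOL;

// Hardened: a card type outside the accepted list is rejected rather than
// passed on to the payment gateway or echoed back into the form.
$cardType = validate_card_type($form['card_type'], $accepted);
echo $cardType === null ? 'card_type rejected' : "card_type accepted: $cardType", PHP_EOL;
```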