Cross site scripting vulnerability found in args:

  • Posts: 80
  • Thank you received: 0
9 years 7 months ago #197528

-- HikaShop version -- : HikaShop Business: 2.4.0
-- Joomla version -- : 3.4.1
-- PHP version -- : 5.3.13
-- Browser(s) name and version -- : Safari 8.04
-- Error-message(debug-mod must be turned on) -- : Cross site scripting vulnerability found in args:Itemid

Greetings.
I just updated to Joomla 3.x from 2.5x. I have SiteLock on my site and they sent me the following message:

Cross site scripting vulnerability found in args:Itemid

The url is listed above privately.

There were 2 products listed.

After I received the message from SiteLock I upgraded HikaShop to the latest version. Is there a chance that the upgrade solved the problem? SiteLock is offering to fix the problem for a fee, but I haven't looked into that yet. I am at a loss on how to fix it.

Thanks.


  • Posts: 26158
  • Thank you received: 4028
  • MODERATOR
9 years 7 months ago #197555

Hi,

The "Itemid" comes from Joomla itself and there is no vulnerability in that parameter, which just accepts a number.
So, there is nothing to do, except generating URLs with a valid Itemid so the URL will be a proper SEF one and won't contain an Itemid visible as a parameter.

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private message, use the "contact us" form instead.
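
A way to check a scanner finding like the one in this thread against a saved copy of the page, given here as an added example that is not part of the original thread and is not HikaShop or Joomla code. The function names, the probe value, the `shop.example` URL and the three response bodies are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

def itemid_values(url):
    """Return every non-empty Itemid value carried in the URL's query string."""
    return parse_qs(urlsplit(url).query).get("Itemid", [])

def is_plain_number(value):
    """True for the only kind of Itemid a menu link should carry: digits."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None

def classify_reflection(body, value):
    """Say how a saved response body echoes a non-numeric Itemid value."""
    if value in body:
        return "raw"      # echoed unescaped: the finding needs a real fix
    if html.escape(value, quote=True) in body:
        return "encoded"  # echoed HTML-escaped: cannot act as markup
    return "absent"       # never reaches the page, e.g. reduced to a number

def triage(url, body):
    """Return the worst verdict for the Itemid values in url against body."""
    values = itemid_values(url)
    if not values:
        return "no-itemid"  # SEF URL: the parameter is not exposed at all
    odd = [v for v in values if not is_plain_number(v)]
    if not odd:
        return "numeric"
    verdicts = {classify_reflection(body, v) for v in odd}
    return next(v for v in ("raw", "encoded", "absent") if v in verdicts)

# Constructed sample data (not taken from the thread or from any real site).
PROBE_URL = "https://shop.example/index.php?option=com_hikashop&Itemid=x%22%3Cprobe-7f3a%3E"
BODY_CAST = '<a href="/index.php?option=com_hikashop&amp;Itemid=0">Cart</a>'
BODY_ENCODED = '<a href="/index.php?Itemid=x&quot;&lt;probe-7f3a&gt;">Cart</a>'
BODY_RAW = '<a href="/index.php?Itemid=x"<probe-7f3a>">Cart</a>'

if __name__ == "__main__":
    for name, body in [("cast", BODY_CAST), ("encoded", BODY_ENCODED), ("raw", BODY_RAW)]:
        print(name, "->", triage(PROBE_URL, body))
```

Only a "raw" verdict means the value reached the page as markup; "absent" and "encoded" are what a numeric-only parameter should produce, and "no-itemid" is the state the SEF menu links aim for.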


  • Posts: 80
  • Thank you received: 0
9 years 7 months ago #197599

Hi Jerome,
Thanks for your reply. Can you provide a bit more information how to do the fix you recommend? I am not quite sure how to proceed.

Thanks.


  • Posts: 26158
  • Thank you received: 4028
  • MODERATOR
9 years 7 months ago #197643

Hi,

www.ostraining.com/blog/joomla/what-is-the-joomla-itemid/
(but it's not the only article which talks about the subject)

The fix I recommend is to use a HikaShop menu when you generate links for HikaShop; otherwise you will have a "bad" URL with an Itemid in the parameters.

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private message, use the "contact us" form instead.


  • Posts: 80
  • Thank you received: 0
9 years 2 months ago #214670

Hopefully you can help. SiteLock has de-authorized my site. Another URL shows in front of my URL when certain products are selected. I assume I need more help from a company that works with hacking, but is there anything else that I can try? Ugh.


  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
9 years 2 months ago #214704

Hi,

I've checked your website but didn't see any URL issues with the products I tried.
The best, in case you've been hacked, is to contact Sucuri: sucuri.net/
