XSS Inclusion error

  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76473

Hello, I'm having a report for XSS inclusion coming from HikaShop, e.g.:

www.samplewebsite.com/products/category/32 ->"><script>alert(123)</script><"-leather-shoes.html

Please help, I'm sure I'm not the only one out there.

Last edit: 11 years 11 months ago by provisualusa.


  • Posts: 26150
  • Thank you received: 4026
  • MODERATOR
11 years 11 months ago #76477

Hi,

Do you use HikaShop 2.0?

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private messages, use the "contact us" form instead.


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76479

Not yet. Is it fixed?

Last edit: 11 years 11 months ago by provisualusa.


  • Posts: 82723
  • Thank you received: 13338
  • MODERATOR
11 years 11 months ago #76480

Yes, that has already been fixed and cannot be reproduced if you're using 2.0.


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76481

What will happen to the modifications I've made, for example to send notifications to 2 email addresses?


  • Posts: 82723
  • Thank you received: 13338
  • MODERATOR
11 years 11 months ago #76484

If you've modified your emails or view files via the interface of HikaShop, you won't lose them.
You won't lose your products or orders either.

I still recommend that you do a backup of your website beforehand with Akeeba Backup in case something goes wrong.


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76485

Thank you Nicolas. I'll try to replicate the issue after the update and see what happens :)


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76493

Nicolas, the error is still there. Just updated, no changes. The update was successful; I haven't made any changes. Let me know if I can PM you so you can check by yourself.


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76494

Any suggestion?


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76495

Nicolas, the error persists. McAfee is detecting this XSS inclusion, please advise.


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76498

Nicolas, now it is even worse: now it happens in the products, and you can inject JavaScript directly from the links.


  • Posts: 82723
  • Thank you received: 13338
  • MODERATOR
11 years 11 months ago #76509

We are not able to reproduce the problem.

Please give an example on the demo website.


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76510

Can I send the link in private?


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76512

Sent you the link in PM.


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76514

Did you get it? Please verify it.


  • Posts: 26150
  • Thank you received: 4026
  • MODERATOR
11 years 11 months ago #76515

Hi,

There is no XSS security issue in HikaShop.
Your XSS breach came from your "tabber" extension.

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private messages, use the "contact us" form instead.


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76516

If I disable Tabber it will go away


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76517

Do you know if there is any workaround for this? Any help will be appreciated.


  • Posts: 29
  • Thank you received: 0
11 years 11 months ago #76518

I sent you another link so you can check this one. This happens in the categories and Tabber is not present.


  • Posts: 26150
  • Thank you received: 4026
  • MODERATOR
11 years 11 months ago #76519

Hi,

Solution 1 : Disable/Uninstall Tabber and use another tab system
Solution 2 : Contact the Tabber team/developer to have a fixed version of the extension.

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private messages, use the "contact us" form instead.
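
The kind of flaw the URL in the first post points to, as an added example that is not HikaShop's or Tabber's code: it assumes (the thread does not say how the extension builds its output) that a template copies the request path into an HTML attribute, and shows the raw and the encoded output side by side. The function names and the sample path are constructed for illustration.

```php
<?php
// Constructed request path, modelled on the URL reported in the first post.
$requestUri = '/products/category/32-"><script>alert(123)</script><"-leather-shoes.html';

// Hypothetical vulnerable pattern: the raw request URI is copied into an
// attribute, so a double quote in the path closes the attribute early.
function render_tab_link_unsafe(string $uri): string
{
    return '<a class="tab" href="' . $uri . '#tab1">Details</a>';
}

// Hardened form: encode for the HTML attribute context before output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function render_tab_link_safe(string $uri): string
{
    $encoded = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a class="tab" href="' . $encoded . '#tab1">Details</a>';
}

// Regression check: true when a URI containing markup characters appears
// byte-for-byte in the rendered HTML, i.e. it was not encoded on output.
function reflects_raw_markup(string $html, string $uri): bool
{
    return preg_match('/[<>"\']/', $uri) === 1 && strpos($html, $uri) !== false;
}

$renderers = [
    'unsafe' => 'render_tab_link_unsafe',
    'safe'   => 'render_tab_link_safe',
];

foreach ($renderers as $label => $fn) {
    $html = $fn($requestUri);
    $flag = reflects_raw_markup($html, $requestUri) ? 'yes' : 'no';
    printf("%-6s reflected raw: %s\n  %s\n", $label, $flag, $html);
}
```

Running the same check against the output of each extension that renders the request URL on a page is one way to confirm which component reflects it.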
