Causing a PCI scan failure Resolved
Product: Srizon Facebook Album - Category: Something else - Ticket #2813

Ticket Posts (publicly viewable)

Jeff 1 month ago

Thanks for all the help. That seems to be working just fine. 

Afzal Hossain (Support) 1 month ago

After confirming the Tester invitation, you should be able to generate tokens from https://fb.srizon.com

Jeff 1 month ago

Confirmed the notification. Should I be looking for an email relating to the token?

Afzal Hossain (Support) 1 month ago

Check if there's any pending notification here: https://developers.facebook.com/requests

If you see an invitation to be a Tester for 'Srizon Album' accept it.

If you've already done that but it's still not working, then we're facing an unknown problem or you denied some of the permissions you were prompted with.

If you haven't received an invitation then I may have sent the invitation to the wrong username. In that case share your username or profile link so that I can try adding you.

Note: Facebook isn't giving photo permission at this moment to live apps of this type. That's why I have to keep it in development mode and add the users of this plugin as a Tester.

Jeff 1 month ago

Sorry for the delay. Attempted this and it seemed to go as planned, but never received the email. When I try it now I receive:

App Not Setup: This app is still in development mode, and you don't have access to it. Switch to a registered test user or ask an app admin for permissions.

Afzal Hossain (Support) 1 month ago

It should be fixed now. Also, the new version is a breaking change and requires you to sign up to fb.srizon.com for token generation (offloading the token-generation part from the user to my site).

Afzal Hossain (Support) 2 months ago

I get it now. Actually it's not directly a query string problem. Those 2 query strings are escaped and are not the source of the problem. However, in gallery view I'm appending the album id to the current URL to generate the individual album URL. It seems you can pass scripts in the URL, as mentioned by your PCI scanner guys.

Fortunately Google Chrome is smart enough to detect this and prevent the page load (not sure about other browsers).

I'm adding this issue to my todo list and will try to solve it next time I work with this plugin.

Jeff 2 months ago

And their response:


The issue is not that the query string parameters generated by the photo album plugin are vulnerable, but that an attacker can introduce an additional parameter with the XSS payload in the parameter name.  (One detail I didn't mention in my previous email is that when the payload is in a parameter value, Wordfence blocks the request and gives a 403 response.)


As a proof of concept, you can visit the following link in Firefox, IE or Edge and get an alert() box:


Added link in private post

Jeff 2 months ago

Thank you for the reply. This is all over my head, but I will pass this along to the person handling the scans and get their response.

Afzal Hossain (Support) 2 months ago

Hi,

As far as I can remember the plugin uses 2 query-string variables (one for pagination and one for showing an individual album in gallery view). However, those values are not directly printed into the HTML, so if the user passes a <script> tag within the query string it should not appear in the HTML code.

Jeff 2 months ago

Hello,


A site that we use the Pro version of this on just failed a PCI scan. The person performing the scan sent the following message. Any thoughts on how to correct this? Thank you.

This issue is found on all pages that contain links to photo album pages.  These album links reflect the current URL’s query string, but HTML control characters in the query strings are not escaped.  Thus, by simply introducing the characters “><script> into the query string, an attacker can generate a link that will execute JavaScript in the browser as soon as the user clicks the link.  To fix the issue, you can escape all HTML control characters in query string parameter names and values when displaying the links to photo albums.  Alternatively, you can just omit the current page’s query string in these URLs and generate clean links instead.  It’s conceivable that that fix could cause other state information in the query string to be lost when a user clicks one of the photo album links, though.
