Causing a PCI scan failure
Product: Srizon Facebook Album - Category: Something else - Ticket #2813

Ticket Posts (publicly viewable)

Afzal Hossain (Support) 1 week ago

I get it now. Actually, it's not directly a query string problem. Those 2 query strings are escaped and are not the source of the problem. However, in gallery view I'm appending the album id to the current URL to generate the individual album URL. It seems you can pass scripts in the URL, as mentioned by your PCI scanner guys.

Fortunately, Google Chrome is smart enough to detect and prevent the page load (not sure about other browsers).

I'm adding this issue to my todo list and will try to solve it next time I work with this plugin.

Jeff 2 weeks ago

And their response:


The issue is not that the query string parameters generated by the photo album plugin are vulnerable, but that an attacker can introduce an additional parameter with the XSS payload in the parameter name. (One detail I didn't mention in my previous email is that when the payload is in a parameter value, Wordfence blocks the request and gives a 403 response.)


As a proof of concept, you can visit the following link in Firefox, IE or Edge and get an alert() box:


Added link in private post

Jeff 2 weeks ago

Thank you for the reply. This is all over my head, but I will pass this along to the person handling the scans and get their response.

Afzal Hossain (Support) 2 weeks ago

Hi,

As far as I can remember, the plugin uses 2 query-string variables (one for pagination and one for showing an individual album in gallery view). However, those values are not directly printed in the HTML, so if the user passes a <script> tag within the query string it should not appear in the HTML code.

Jeff 2 weeks ago

Hello,


A site that we use the Pro version of this on just failed a PCI scan. The person performing the scan sent the following message. Any thoughts on how to correct this? Thank you.

This issue is found on all pages that contain links to photo album pages. These album links reflect the current URL's query string, but HTML control characters in the query strings are not escaped. Thus, by simply introducing the characters "><script> into the query string, an attacker can generate a link that will execute JavaScript in the browser as soon as the user clicks the link. To fix the issue, you can escape all HTML control characters in query string parameter names and values when displaying the links to photo albums. Alternatively, you can just omit the current page's query string in these URLs and generate clean links instead. It's conceivable that fix could cause other state information in the query string to be lost when a user clicks one of the photo album links, though.
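The scanner's description above, and the developer's later explanation that the album id is appended to the current URL, describe the same link-building pattern. The following is an added example, written for this page and not code from the Srizon plugin, that reproduces that pattern in Python and sits it next to both fixes the scanner proposes. The URL, parameter names and album id are constructed for illustration; the payload is placed in a parameter name because that is the position the ticket says the WAF does not catch.

```python
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample request URL, as a scanner would send it: the payload sits
# in a parameter *name*, which the ticket says Wordfence does not inspect.
PAGE_URL = 'https://example.com/gallery/?page=2&"><script>alert(1)</script>=x'
ALBUM_ID = 17  # illustrative album id


def album_link_vulnerable(current_url: str, album_id: int) -> str:
    """The pattern the scanner describes: the page's raw query string is carried
    over into the album link and the album id is appended, with no escaping.
    The '">' in the injected name closes the href attribute early."""
    parts = urlsplit(current_url)
    qs = parts.query + ("&" if parts.query else "")
    href = f"{parts.path}?{qs}album={album_id}"
    return f'<a href="{href}">Album {album_id}</a>'


def album_link_escaped(current_url: str, album_id: int) -> str:
    """Scanner fix 1: keep the existing parameters (pagination and other state
    survive) but percent-encode every name and value, then HTML-escape the
    whole href for the attribute context."""
    parts = urlsplit(current_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params = [(k, v) for k, v in params if k != "album"]  # replace, don't duplicate
    params.append(("album", str(album_id)))
    href = f"{parts.path}?{urlencode(params)}"
    return f'<a href="{escape(href, quote=True)}">Album {album_id}</a>'


def album_link_clean(current_url: str, album_id: int) -> str:
    """Scanner fix 2: ignore the current query string and build a clean link.
    Simplest, but any other state carried in the URL is lost."""
    parts = urlsplit(current_url)
    href = f"{parts.path}?{urlencode({'album': album_id})}"
    return f'<a href="{escape(href, quote=True)}">Album {album_id}</a>'


def breaks_out_of_href(anchor: str) -> bool:
    """Crude check: does the attribute get closed early so a raw <script>
    tag lands in the markup?"""
    return '"><script>' in anchor


if __name__ == "__main__":
    for fn in (album_link_vulnerable, album_link_escaped, album_link_clean):
        a = fn(PAGE_URL, ALBUM_ID)
        print(f"{fn.__name__:24} injected={breaks_out_of_href(a)}  {a}")
```

Running it shows the vulnerable builder emitting a literal `"><script>alert(1)</script>` inside the anchor, while both fixes leave the payload percent-encoded or absent. In a WordPress plugin the same two steps map onto rebuilding the parameters with `add_query_arg()` and passing the result through `esc_url()` before it is printed. A browser-side filter is not a substitute for either fix: Chrome's XSS Auditor, which is what stopped the page load in the test above, was removed from Chrome in version 78, and the ticket already notes that Firefox, IE and Edge execute the payload.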

