Ticket Posts (publicly viewable)
Thanks for all the help. That seems to be working just fine.
After confirming the Tester invitation, you should be able to generate tokens from https://fb.srizon.com
Confirmed the notification. Should I be looking for an email relating to the token?
Check if there's any pending notification here: https://developers.facebook.com/requests
If you see an invitation to be a Tester for 'Srizon Album' accept it.
If you've already done that but it's still not working then we're facing an unknown problem or you denied some of the permissions you were prompted with.
If you haven't received an invitation then I may have sent the invitation to a wrong username. In that case share your username or profile link so that I can try adding you.
Note: Facebook isn't giving photo permission at this moment to live apps of this type. That's why I have to keep it in development mode and add the users of this plugin as a Tester.
Sorry for the delay. Attempted this and it seemed to go as planned, but never received the email. When I try it now I receive:
App Not Setup: This app is still in development mode, and you don't have access to it. Switch to a registered test user or ask an app admin for permissions.
It should be fixed now. Also the new version is a breaking change and requires you to sign up to fb.srizon.com for token generation (offloading the token generation part from the user to my site).
I get it now. Actually it's not directly a query string problem. Those 2 query strings are escaped and not the source of the problem. However, in gallery view I'm appending the album id to the current url to generate the individual album url. It seems you can pass scripts to the url as mentioned by your PCI scanner guys.
Fortunately Google Chrome is smart enough to detect and prevent the page load (not sure about other browsers).
I'm adding this issue to my todo list and will try to solve it next time I work with this plugin.
And their response:
The issue is not that the query string parameters generated by the photo album plugin are vulnerable, but that an attacker can introduce an additional parameter with the XSS payload in the parameter name. (One detail I didn't mention in my previous email is that when the payload is in a parameter value, Wordfence blocks the request and gives a 403 response.)
As a proof of concept, you can visit the following link in Firefox, IE or Edge and get an alert() box:
Added link in private post
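The two posts above describe the same root cause: the album link is built by appending the album id to the raw current URL, so any extra query parameter an attacker adds (name included) is copied verbatim into the HTML href. The following is an added illustration, not the plugin's own code, showing that pattern beside a hardened version that rebuilds the link from a whitelist of known parameters (the `page` parameter and the constructed request string are assumptions) and HTML-escapes the result:

```php
<?php
// Added example (not Srizon Album code). Shows why appending the album id to the
// raw request URI reflects attacker-controlled parameter names into the HTML,
// and how rebuilding the link from known parameters only avoids it.

// Vulnerable pattern: reuse the request URI as-is and append the album id.
function album_link_vulnerable(string $request_uri, int $album_id): string {
    $sep = (strpos($request_uri, '?') === false) ? '?' : '&';
    return '<a href="' . $request_uri . $sep . 'album=' . $album_id . '">Album</a>';
}

// Hardened pattern: keep only whitelisted, validated parameters, rebuild the
// query string, then HTML-escape the whole URL before placing it in an attribute.
function album_link_hardened(string $request_uri, int $album_id): string {
    $parts = parse_url($request_uri) ?: [];           // false on badly formed input
    $path  = $parts['path'] ?? '/';
    parse_str($parts['query'] ?? '', $query);

    $allowed = ['page' => FILTER_VALIDATE_INT];        // assumed: pagination param
    $clean = [];
    foreach ($allowed as $name => $filter) {
        if (isset($query[$name]) && filter_var($query[$name], $filter) !== false) {
            $clean[$name] = (int) $query[$name];
        }
    }
    $clean['album'] = $album_id;                       // unknown params are dropped

    $url = $path . '?' . http_build_query($clean);     // percent-encodes names/values
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Album</a>';
}

// Constructed request: a harmless tag placed in a parameter *name*, the way the
// scanner reported it. The values themselves are never the problem here.
$uri = '/gallery/?page=2&"><marker>=1';

echo album_link_vulnerable($uri, 42), "\n";   // tag lands inside the markup
echo album_link_hardened($uri, 42), "\n";     // /gallery/?page=2&album=42, escaped
```

In WordPress the equivalent steps are building the link with `add_query_arg()` on a clean base URL rather than the raw request URI, and passing the result through `esc_url()` before output.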
Thank you for the reply. This is all over my head, but I will pass this along to the person handling the scans and get their response.
As far as I can remember the plugin uses 2 query-string variables (one for pagination and one for showing an individual album in gallery view). However, those values are not directly printed in the HTML, so if the user passes a <script> tag within the query string it should not appear in the HTML code.
A site that we use the Pro version of this on just failed a PCI scan. The person performing the scan sent the following message. Any thoughts on how to correct this? Thank you.