Live Helper Chat support forum. Forum is locked. New place for questions - Github Discussions
The business I work for is all of a sudden failing their quarterly PCI compliance check due to your web-app.
The error we get is -
"Cross-site scripting vulnerability in r parameter to /live-help/index.php/chat/getstatus/(click)/internal/(position)/bottom_right/(ma)/br/(top)/350/(units)/pixels/(leaveamessage)/true"
Threat ID: web_prog_cgi_xssgeneric
Details: Several types of web servers and CGI programs include the user's request in their
response. For example, a request for the page http://server/nonexistent_page.html
may cause server to respond:
The page nonexistent_page.html does not
exist on this server.
By sending an HTTP request containing SCRIPT
tags to such a web server, it is possible to
cause the web server to return a page containing arbitrary commands
which are run by the client. While it is unlikely that
a user would deliberately send a request which would cause
this to happen, a user could be tricked into doing so by
following a specially-crafted link on another web server.
This vulnerability is known as cross-site scripting.
A web server which is vulnerable to cross-site scripting
could be exploited by a malicious web site to trick an
unsuspecting user into executing arbitrary commands on
his or her own computer. One possible outcome would be
for the attacker to steal cookies from the user's web browser, which often
contain authentication data that could be used to gain
unauthorized access to web applications.
How do we fix this issue?
Last edited by Ash (2016-10-28 12:56:17)
Hi and thank you for your post.
You or someone else has already opened an Issue on GitHub at the following address:
https://github.com/LiveHelperChat/liveh … issues/929
You should wait for a reply from the chat owner.
Thank you.
Last edited by PeopleInside (2016-10-28 13:41:17)
PeopleInside - Live helper chat - free limited forum support!
For commercial support or GitHub [see FAQ here]
If you want to support this open source project, just donate [see support page]
Something wrong with the forum? [contact a superhero]
Hi Ash,
was the GitHub topic created by you?
As I wrote on GitHub, the study of this case can take some days, so please be patient;
also, if there are other messages asking to prioritize the resolution of this, the time necessary will remain the same.
If you need help, I am here. You can post here in the forum if you need info about updates; in any case I will update here and on GitHub.
Issue was resolved by the customer.
This was a false positive of the PCI Compliance scanner used by the customer,
no issue on LHC, no security Issue on LHC code.
Thank you!
https://github.com/LiveHelperChat/liveh … issues/929
Last edited by PeopleInside (2016-10-31 19:13:12)
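The scanner text quoted in the first post describes a server echoing part of the request back in its response. One way to triage such a finding is to send an inert probe and check whether it comes back raw or entity-encoded, and under which content type. This is an added example, not part of the original thread or of Live Helper Chat's code; the probe, the sample responses and the function names are constructed, and it does not describe how the finding in this thread was resolved.

```python
import html

# Media types a browser renders as a document, where reflected markup can execute.
HTML_TYPES = {"text/html", "application/xhtml+xml"}

# Constructed, inert probe: unique text plus characters that must be escaped in HTML.
PROBE = 'zq7<b a="1">'


def classify_reflection(probe, content_type, body):
    """Return how `probe`, sent in a request parameter, shows up in the response."""
    if not any(c in probe for c in '<>"'):
        raise ValueError("probe needs HTML metacharacters to tell raw from escaped")
    mime = content_type.split(";")[0].strip().lower()
    if probe in body:
        # Byte-for-byte reflection: a real finding when the browser parses it as HTML.
        # In other content types it still needs a manual look at the output context.
        return "raw-in-html" if mime in HTML_TYPES else "raw-in-non-html"
    if html.escape(probe, quote=True) in body:
        # The value is echoed, but as text, so it cannot introduce markup.
        return "escaped"
    return "not-reflected"


# Constructed sample responses (content type, body); not captured from any real server.
SAMPLES = {
    "echo, no encoding": ("text/html; charset=utf-8",
                          f"<p>The page {PROBE} does not exist.</p>"),
    "echo, entity-encoded": ("text/html",
                             f"<p>The page {html.escape(PROBE)} does not exist.</p>"),
    "script response": ("application/javascript", f"// referrer: {PROBE}\n"),
    "static error page": ("text/html", "<p>Not found.</p>"),
}


def triage(samples=SAMPLES, probe=PROBE):
    """Classify every sample response; returns {sample name: verdict}."""
    return {name: classify_reflection(probe, ctype, body)
            for name, (ctype, body) in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:22} {verdict}")
```

Only the `raw-in-html` verdict matches the condition the scanner description warns about; `escaped` and `not-reflected` are the usual shapes of a false positive, and `raw-in-non-html` calls for a manual review of where the value lands.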