Security fix: XSS for onfocus/autofocus keyword and improved error handling
We have been working with Nicholas Lemonias from the Advanced Information Security Corporation, and Nicholas has identified a low-impact security vulnerability.
Please apply the fix below:
1. Modify shop$db.asp
1a. Open shop$db.asp
1b. Locate the following line within the function CleanChars(strWords):
badChars = array("select ", "drop ", "--", "insert into", "delete from","xp_","char(","@@","|","<script",".js","onload","alert(","xss","onmouseover","document.cookie","convert(","<iframe","cast(","nvarchar","varchar","chr(","exec(","%00","expression(","onevent","onclick","echo ")
1c. Change the line to:
badChars = array("select ", "drop ", "--", "insert into", "delete from","xp_","char(","@@","|","<script",".js","onload","alert(","xss","onmouseover","document.cookie","convert(","<iframe","cast(","nvarchar","varchar","chr(","exec(","%00","expression(","onevent","onclick","echo "," onfocus"," autofocus")
1d. Save
2. Apply better error handling
2a. Open shop$db.asp
2b. Locate the following line (around line 1967)
2c. Change it to:
'702 - 2014.11.05 - Enhancement: Better handling if order unusual quantity on products
on error resume next
quantity=clng(quantity)
if err.number <> 0 then
quantity=1
end if
on error goto 0
2d. Save and test to ensure all is working properly.
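The two changes above are a keyword blacklist (step 1) and a guarded numeric conversion (step 2). The script below is an added illustration of both, written for this page and not taken from VP-ASP or from the advisory's author: ContainsBadChars is a hypothetical stand-in for the CleanChars check (case-insensitive matching via vbTextCompare is an assumption; the page does not say how the shipped function compares), SafeQuantity wraps the step 2c logic as a function, and HtmlEncodeValue goes beyond the page by showing output encoding, which is the durable XSS defence independent of any blacklist. It runs stand-alone under cscript.exe; inside an ASP page, Server.HTMLEncode plays the role of HtmlEncodeValue.

```vbscript
' Added illustration, not VP-ASP code. Function names are hypothetical.
Option Explicit

' The blacklist mirrors the updated badChars array from step 1c.
Dim badChars
badChars = Array("select ", "drop ", "--", "insert into", "delete from", "xp_", "char(", "@@", "|", "<script", ".js", "onload", "alert(", "xss", "onmouseover", "document.cookie", "convert(", "<iframe", "cast(", "nvarchar", "varchar", "chr(", "exec(", "%00", "expression(", "onevent", "onclick", "echo ", " onfocus", " autofocus")

' True when any blacklisted fragment occurs in strWords.
' Case-insensitive matching (vbTextCompare) is an assumption here;
' the page does not state how the shipped CleanChars compares.
Function ContainsBadChars(strWords)
    Dim i
    ContainsBadChars = False
    For i = LBound(badChars) To UBound(badChars)
        If InStr(1, strWords, badChars(i), vbTextCompare) > 0 Then
            ContainsBadChars = True
            Exit Function
        End If
    Next
End Function

' Step 2c as a function: CLng raises a runtime error for a value it
' cannot convert (type mismatch) or that exceeds a Long (overflow);
' the error is swallowed and the quantity falls back to 1.
Function SafeQuantity(rawQuantity)
    On Error Resume Next
    SafeQuantity = CLng(rawQuantity)
    If Err.Number <> 0 Then
        Err.Clear
        SafeQuantity = 1
    End If
    On Error GoTo 0
End Function

' Output encoding for values echoed into HTML. The ampersand is
' replaced first so the entities produced afterwards stay intact.
Function HtmlEncodeValue(value)
    Dim s
    s = Replace(value, "&", "&amp;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    s = Replace(s, """", "&quot;")
    s = Replace(s, "'", "&#39;")
    HtmlEncodeValue = s
End Function

' Demonstration on constructed inputs (run with: cscript example.vbs).
WScript.Echo "blocked: " & ContainsBadChars("widget autofocus")
WScript.Echo "blocked: " & ContainsBadChars("blue widget")
WScript.Echo "quantity: " & SafeQuantity("12")
WScript.Echo "quantity: " & SafeQuantity("lots")
WScript.Echo "quantity: " & SafeQuantity("99999999999")
WScript.Echo "encoded: " & HtmlEncodeValue("<b>5 & 6</b>")
```

Keyword lists of this kind are a defence-in-depth measure that has to be extended each time a new attribute or function name is reported, as this advisory does for onfocus and autofocus; encoding every untrusted value at the point it is written into the page closes the class of issue rather than one keyword at a time.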
Added By: bobby
Date Created: 11/5/2014
Last Updated: 11/11/2014