9.0.8 - "pci compliance" scan on our site

Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Error

9.0.8 - "pci compliance" scan on our site

Options

Previous Topic Next Topic

charles25686713		#1 Posted : Wednesday, May 10, 2023 11:34:47 AM(UTC)
Rank: Advanced Member Groups: Authorized User, Developers Joined: 7/1/2022(UTC) Posts: 64 Thanks: 5 times Was thanked: 1 time(s) in 1 post(s)		FYI, 30 pages of stuff like this showed up in our logs from a "pci compliance" scan on our AC site last night. --- An error has occured at /Checkout/_ItemAddedNotify Exception: The parameters dictionary contains a null entry for parameter 'allowDisplay' of non-nullable type 'System.Boolean' for method 'System.Web.Mvc.ActionResult _ItemAddedNotify(Boolean)' in 'AbleCommerce.Controllers.CheckoutController'. An optional parameter must be a reference type, a nullable type, or be declared as an optional parameter. Parameter name: parameters Stack Trace: at System.Web.Mvc.ActionDescriptor.ExtractParameterFromDictionary(ParameterInfo parameterInfo, IDictionary`2 parameters, MethodInfo methodInfo) at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass24_0.<InvokeActionMethodWithFilters>b__0() at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) at System.Web.Mvc.Controller.ExecuteCore() at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) at System.Web.Mvc.Async.AsyncResultWrapper.<>c.<.cctor>b__15_0(IAsyncResult asyncResult, Action action) at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) --- --- An error has occured at /Login?ReturnUrl=<%2Fscript><script>function(){qxssDAZer1L2}%3B<%2Fscript> Exception: A potentially dangerous Request.QueryString value was detected from the client (ReturnUrl="</script><script>fun..."). Stack Trace: at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) at System.Web.HttpValueCollection.EnsureKeyValidated(String key) at System.Web.HttpValueCollection.GetValues(String name) at System.Web.Mvc.NameValueCollectionValueProvider.ValueProviderResultPlaceholder.GetResultFromCollection(String key, NameValueCollection collection, CultureInfo culture) at System.Web.Mvc.NameValueCollectionValueProvider.GetValue(String key, Boolean skipValidation) at System.Web.Mvc.ValueProviderCollection.GetValue(String key, Boolean skipValidation) at System.Web.Mvc.DefaultModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) at System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) at System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) at System.Web.Mvc.Controller.ExecuteCore() at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) at System.Web.Mvc.Async.AsyncResultWrapper.<>c.<.cctor>b__15_0(IAsyncResult asyncResult, Action action) at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) at System.Web.Mvc.HttpHandlerUtil.ServerExecuteHttpHandlerWrapper.<>c__DisplayClass5_0.<Wrap>b__0() at System.Web.Mvc.HttpHandlerUtil.ServerExecuteHttpHandlerWrapper.Wrap[TResult](Func`1 func) at System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride) --- I can give a dev more if they are interested? --- An error has occured at /Art?page=4"SortExpression%3DIsFeatured DESC%2C OrderBy ASC%2C Name ASC"PageSize%3D12"><DIV STYLE%3D"width%3Aexpression(qssJ7063mL6%3D7)"> Exception: A potentially dangerous Request.QueryString value was detected from the client (page="...eSize=12"><DIV STYLE="width:ex..."). Stack Trace: at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) at System.Web.HttpValueCollection.EnsureKeyValidated(String key) at System.Web.HttpValueCollection.GetValues(String name) at System.Web.Mvc.NameValueCollectionValueProvider.ValueProviderResultPlaceholder.GetResultFromCollection(String key, NameValueCollection collection, CultureInfo culture) at System.Web.Mvc.NameValueCollectionValueProvider.GetValue(String key, Boolean skipValidation) at System.Web.Mvc.ValueProviderCollection.GetValue(String key, Boolean skipValidation) at System.Web.Mvc.DefaultModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) at System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) at System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) at System.Web.Mvc.Controller.ExecuteCore() at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) at System.Web.Mvc.Async.AsyncResultWrapper.<>c.<.cctor>b__15_0(IAsyncResult asyncResult, Action action) at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) at System.Web.Mvc.HttpHandlerUtil.ServerExecuteHttpHandlerWrapper.<>c__DisplayClass5_0.<Wrap>b__0() at System.Web.Mvc.HttpHandlerUtil.ServerExecuteHttpHandlerWrapper.Wrap[TResult](Func`1 func) at System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride) --- --- An error has occured at /Essential-Oils?page=<EMBED SRC%3D%2F%2Flocalhost%2Fqb0yQi8O5.swf AllowScriptAccess%3Dalways><%2FEMBED> Exception: A potentially dangerous Request.QueryString value was detected from the client (page="<EMBED SRC=//localho..."). Stack Trace: at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) at System.Web.HttpValueCollection.EnsureKeyValidated(String key) at System.Web.HttpValueCollection.GetValues(String name) at System.Web.Mvc.NameValueCollectionValueProvider.ValueProviderResultPlaceholder.GetResultFromCollection(String key, NameValueCollection collection, CultureInfo culture) at System.Web.Mvc.NameValueCollectionValueProvider.GetValue(String key, Boolean skipValidation) at System.Web.Mvc.ValueProviderCollection.GetValue(String key, Boolean skipValidation) at System.Web.Mvc.DefaultModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) at System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) at System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) at System.Web.Mvc.Controller.ExecuteCore() at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) at System.Web.Mvc.Async.AsyncResultWrapper.<>c.<.cctor>b__15_0(IAsyncResult asyncResult, Action action) at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) at System.Web.Mvc.HttpHandlerUtil.ServerExecuteHttpHandlerWrapper.<>c__DisplayClass5_0.<Wrap>b__0() at System.Web.Mvc.HttpHandlerUtil.ServerExecuteHttpHandlerWrapper.Wrap[TResult](Func`1 func) at System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride) --- --- An error has occured at /Art?page=%00<script>_q%3Drandom(X2985998364Y1_1Z)<%2Fscript> Exception: A potentially dangerous Request.QueryString value was detected from the client (page="<script>_q=random(X2..."). Stack Trace: at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) at System.Web.HttpValueCollection.EnsureKeyValidated(String key) at System.Web.HttpValueCollection.GetValues(String name) at System.Web.Mvc.NameValueCollectionValueProvider.ValueProviderResultPlaceholder.GetResultFromCollection(String key, NameValueCollection collection, CultureInfo culture) at System.Web.Mvc.NameValueCollectionValueProvider.GetValue(String key, Boolean skipValidation) at System.Web.Mvc.ValueProviderCollection.GetValue(String key, Boolean skipValidation) at System.Web.Mvc.DefaultModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) at System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) at System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) at System.Web.Mvc.Controller.ExecuteCore() at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) at System.Web.Mvc.Async.AsyncResultWrapper.<>c.<.cctor>b__15_0(IAsyncResult asyncResult, Action action) at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) at System.Web.Mvc.HttpHandlerUtil.ServerExecuteHttpHandlerWrapper.<>c__DisplayClass5_0.<Wrap>b__0() at System.Web.Mvc.HttpHandlerUtil.ServerExecuteHttpHandlerWrapper.Wrap[TResult](Func`1 func) at System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride) --- Charles


User Profile View All Posts by User View Thanks


	Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

Katie S		#2 Posted : Wednesday, May 10, 2023 12:56:34 PM(UTC)
Rank: Advanced Member Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 430 Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)		The PCI scan is looking for vulnerabilities in the code, so it is intentionally trying to insert bad code to see if the AbleCommerce code will reject it. Since we don't suppress those attempts, these scans generate lots of errors in the log file. Nothing to be worried about...
		Thanks for your support! Katie Secure eCommerce Software and Hosting


User Profile View All Posts by User View Thanks

charles25686713		#3 Posted : Wednesday, May 10, 2023 1:09:16 PM(UTC)
Rank: Advanced Member Groups: Authorized User, Developers Joined: 7/1/2022(UTC) Posts: 64 Thanks: 5 times Was thanked: 1 time(s) in 1 post(s)		Thanks, I understood what was happening. It was FYI, to show you some of what hammering occurs for a scan.


User Profile View All Posts by User View Thanks

Users browsing this topic
Guest

Forum Jump

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Privacy Policy | Powered by YAF.NET 2.2.4.14 | YAF.NET © 2003-2024, Yet Another Forum.NET
This page was generated in 0.173 seconds.

Important Information: The AbleCommerce Forums uses cookies. By continuing to browse this site, you are agreeing to our use of cookies. More Details Close