Is form vulnerable to cross site scripting?
Reesa
29-Nov-2008, 06:38 PM
Hi,
My website failed a merchant security test because the formmail.php is vulnerable to "cross site scripting." Is this because of my settings or the original php script? I'm not too savvy in solving this one so I appreciate any help! (please, please ;-)
Otherwise, I would have to find another mail script to use, as it's important that my site passes this test. It passed 6 months ago with no mention of the php script.
Test RESULTS:
Possible cross site scripting on <code removed>
russellr
29-Nov-2008, 09:30 PM
Hi,
On face value of the test, it appears there is a problem.
I'll look into it and get back to you as soon as I know something definitive.
russellr
16-Dec-2008, 09:58 PM
Hi,
Just finishing off this thread...
There was an XSS vulnerability in FormMail and it has been fixed and released in version 8.11.
Azrael
14-Apr-2009, 05:43 PM
I don't believe that the issue is fixed. I used this form on my site, and ended up infected, handing out trojans. I installed very secure shopping cart software, and because I am still writing templates for the cart I overwrote the gateway file to the cart. That means that there is no access to any of the shopping cart files at all. I put up a few HTML files, one as a form using Tectite, and a regular in a forum let me know my site was hacked. Someone injected JavaScript into my HTML pages.
Is there any way to secure the text fields of the form by scrubbing the user input so that they can not place scripts into them?
russellr
15-Apr-2009, 02:01 AM
Hi,
Someone injected javascript into my html pages.
That could not have happened with Tectite FormMail.
If you look at your HTML and there's code in there that you haven't put in, it didn't come from a vulnerability of Tectite FormMail.
XSS is quite different to that.
Please read the information on this page to see the limited circumstances required to be affected by this XSS problem: http://www.tectite.com/formmailsecurity.php
In particular, it doesn't change *your* HTML pages at all.
Is there any way to secure the text fields of the form by scrubbing the user input so that they can not place scripts into them?
That logic has been in Tectite FormMail since day 1. The user input is treated appropriately and scripts cannot be run from user input.
Unfortunately, security is a complex area and you really need to have a good understanding of both the possible vectors for attack, the technology of the web, and the actual attack you've had.
Just because you've been attacked, it doesn't mean that our product is responsible for it.
However, if you can demonstrate any actual problem, we're most happy to hear about it and will act accordingly. :)
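The "treated appropriately" point in the reply above comes down to output encoding: any form field a handler echoes back into an HTML page (a confirmation table, an error page that re-fills the input box) must be escaped for the HTML context it lands in. The following is an added illustration written for this thread, not Tectite FormMail's own code; the function names, the field names and the sample submission are all constructed for the example.

```php
<?php
// Added example (not Tectite FormMail's own code): escape every user-supplied
// form field before it is written back into an HTML page, so that a field
// containing markup or a script tag is displayed as literal text, never run.

declare(strict_types=1);

/**
 * Return a field value made safe for HTML element content or a double-quoted
 * attribute. ENT_QUOTES escapes both ' and " so a value cannot close the
 * attribute it sits in; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * silently returning an empty string.
 */
function escape_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the "please check your input" page many form handlers render when a
 * required field is missing. Every value that originated with the user passes
 * through escape_field(); only the fixed markup is written raw.
 */
function render_confirmation(array $fields): string
{
    $rows = '';
    foreach ($fields as $name => $value) {
        $rows .= '<tr><th>' . escape_field((string) $name) . '</th>'
               . '<td>' . escape_field((string) $value) . '</td></tr>' . "\n";
    }

    // Re-filling an <input value="..."> with the submitted text is the classic
    // reflected-XSS spot: the attribute is double-quoted and the value escaped,
    // so a stray quote in the submission cannot start a new attribute.
    $email = escape_field((string) ($fields['email'] ?? ''));

    return "<table>\n" . $rows . "</table>\n"
         . '<input type="text" name="email" value="' . $email . '">' . "\n";
}

// Constructed sample submission (hypothetical data, not taken from any site):
// the comment field carries a script tag and the email field a quote followed
// by an event handler, the kind of probe a merchant scanner sends to a form.
$submitted = [
    'realname' => 'Jane Example',
    'email'    => 'jane@example.test" onfocus="alert(1)',
    'comment'  => '<script>alert(document.cookie)</script>',
];

echo render_confirmation($submitted);
```

The escaping is context-specific: htmlspecialchars() is correct for element content and quoted attributes, which is where a mail form normally reflects its fields, but a value written into a JavaScript block or a URL would need that context's encoding instead. Escaping on output (rather than "scrubbing" on input) is what lets the mailed copy of the message keep the user's text intact while the web page stays inert.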