Is form vulnerable to cross site scripting?
29-Nov-2008, 06:38 PM
My website failed a merchant security test because the formmail.php is vulnerable to "cross site scripting." Is this because of my settings or the original php script? I'm not too savvy in solving this one so I appreciate any help! (please, please ;-)
Otherwise, I would have to find another mail script to use, as it's important that my site passes this test. It passed 6 months ago with no mention of the php script.
Possible cross site scripting on <code removed>
29-Nov-2008, 09:30 PM
On face value of the test, it appears there is a problem.
I'll look into it and get back to you as soon as I know something definitive.
16-Dec-2008, 09:58 PM
Just finishing off this thread...
There was an XSS vulnerability in FormMail and it has been fixed and released in version 8.11.
14-Apr-2009, 05:43 PM
Is there any way to secure the text fields of the form by scrubbing the user input so that they can not place scripts into them?
15-Apr-2009, 02:01 AM
That could not have happened with Tectite FormMail.
If you look at your HTML and there's code in there that you haven't put in, it didn't come from a vulnerability of Tectite FormMail.
XSS is quite different to that.
Please read the information on this page to see the limited circumstances required to be affected by this XSS problem: http://www.tectite.com/formmailsecurity.php
In particular, it doesn't change *your* HTML pages at all.
> Is there any way to secure the text fields of the form by scrubbing the user input so that they can not place scripts into them?

That logic has been in Tectite FormMail since day 1. The user input is treated appropriately and scripts cannot be run from user input.
Unfortunately, security is a complex area and you really need to have a good understanding of the possible vectors for attack, the technology of the web, and the actual attack you've had.
Just because you've been attacked, it doesn't mean that our product is responsible for it.
However, if you can demonstrate any actual problem, we're most happy to hear about it and will act accordingly. :)
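For readers wondering what "treating user input appropriately" means in a PHP form handler: the classic form-mailer XSS is a submitted field reflected verbatim into the HTML response, and the fix is output encoding at the point of reflection rather than trying to strip tags on input. The following is an added illustration written for this thread, not Tectite FormMail's code; the field names and the sample submission are constructed.

```php
<?php
// Added example (not Tectite FormMail code): a reflected field rendered
// unsafely next to the same field rendered with output encoding.

/**
 * Encode a user-supplied string for insertion into HTML text or into a
 * quoted attribute. ENT_QUOTES also encodes the single quote, so the value
 * is safe in single-quoted attributes; the explicit charset prevents the
 * mis-decoding issues that can let an encoder be bypassed.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the submitted value goes straight into the page. */
function render_unsafe(array $fields): string
{
    return '<p>Thanks, ' . $fields['name'] . '. We will reply to '
         . '<a href="mailto:' . $fields['email'] . '">' . $fields['email'] . '</a>.</p>';
}

/** Hardened pattern: every reflected value passes through html_escape(). */
function render_safe(array $fields): string
{
    $name  = html_escape($fields['name']);
    $email = html_escape($fields['email']);
    return '<p>Thanks, ' . $name . '. We will reply to '
         . '<a href="mailto:' . $email . '">' . $email . '</a>.</p>';
}

/** True if the rendered HTML still contains the raw (unencoded) fragment. */
function reflects_raw(string $html, string $raw): bool
{
    return strpos($html, $raw) !== false;
}

// Constructed submission: a harmless marker tag in the name field and an
// attribute-breaking double quote in the email field.
$submitted = [
    'name'  => 'Bob <b>marker</b>',
    'email' => 'bob"@example.com',
];

// The unsafe renderer leaves the tag intact; the safe one encodes both the
// tag and the quote, so neither can change the page's markup.
var_dump(reflects_raw(render_unsafe($submitted), '<b>'));
var_dump(reflects_raw(render_safe($submitted), '<b>'));
var_dump(reflects_raw(render_safe($submitted), '"@'));
```

Run it with the PHP CLI; the point is that encoding happens where the value lands in HTML, so the same field can still be sent in the e-mail body unchanged.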