livehelperchat: Failing PCI Compliance Due To Security Issues Through Live Helper Chat

The business I work for is all of a sudden failing their quarterly PCI compliance check due to your web-app.

The error we get is - "Cross-site scripting vulnerability in r parameter to /live-help/index.php/chat/getstatus/(click)/internal/(position)/bottom_right/(ma)/br/(top)/350/(units)/pixels/(leaveamessage)/true"

Threat ID: web_prog_cgi_xssgeneric

Details: Several types of web servers and CGI programs include the user's request in their response. For example, a request for the page http://server/nonexistent_page.html may cause the server to respond: "The page nonexistent_page.html does not exist on this server." By sending an HTTP request containing SCRIPT tags to such a web server, it is possible to cause the web server to return a page containing arbitrary commands which are run by the client. While it is unlikely that a user would deliberately send a request which would cause this to happen, a user could be tricked into doing so by following a specially-crafted link on another web server. This vulnerability is known as cross-site scripting. A web server which is vulnerable to cross-site scripting could be exploited by a malicious web site to trick an unsuspecting user into executing arbitrary commands on his or her own computer. One possible outcome would be for the attacker to steal cookies from the user's web browser, which often contain authentication data that could be used to gain unauthorized access to web applications.

How do we fix this issue?
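The scanner finding above is about a reflected parameter: a value taken from the request (here the `r` referer parameter) and written back into the HTML response. The usual fix is to HTML-encode the value at the point of output and to reject anything that is not a plain http(s) URL. The snippet below is an added illustration written for this thread, not Live Helper Chat's own code; PHP is assumed because the affected endpoint is `index.php`, and the function names and the sample referer are made up.

```php
<?php
// Added illustration, not Live Helper Chat code. "r" stands for the reflected
// referer parameter from the scanner report; the function names are hypothetical.

// Unsafe pattern: the referer lands in the href attribute verbatim, so a value
// containing a quote can close the attribute and inject its own markup.
function render_back_link_unsafe(string $r): string
{
    return '<a href="' . $r . '">Back</a>';
}

// Hardened pattern: accept only absolute http(s) URLs, then HTML-encode every
// special character (quotes included) before the value reaches the attribute.
function render_back_link_safe(string $r): string
{
    $scheme = parse_url($r, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        $r = ''; // drop non-http(s) values such as javascript: or data: URIs
    }
    $encoded = htmlspecialchars($r, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $encoded . '">Back</a>';
}

// Constructed sample input: a referer that tries to break out of the attribute.
$sample = 'https://example.test/page"><b>injected</b>';

echo render_back_link_unsafe($sample), PHP_EOL; // markup survives intact
echo render_back_link_safe($sample), PHP_EOL;   // quote and angle brackets are encoded
```

Run it with `php example.php` and compare the two lines: in the first, the closing quote and the `<b>` element appear in the page as live markup; in the second they come out as `&quot;`, `&lt;` and `&gt;` and are rendered as text. If the parameter is only stored or logged and never written into a response, there is nothing to reflect, which is why a scanner hit of this kind can turn out to be a false positive once the vendor actually re-tests it.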

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 1
  • Comments: 24 (4 by maintainers)

Most upvoted comments

Finally this issue has been fixed. After 4 days of calling them asking them to run a test to check if it’s a false positive or not, they finally freaking removed it. I told them I wasn’t going off the phone until they tested it, nearly an hour later they decide it’s a false positive and it’s been removed.

Thanks for your help guys, apologies for the issues. ControlScan are annoying.

That was me, sorry for the double post.

I contacted ControlScan on Friday, they said they’ll look into it and get back to me (They never did) so I called back and they told me to call back Monday. I’ll call them this afternoon and see if they’ve made any progress on figuring out why it lists it as a high risk.

Hopefully we can get through to them somehow.

I’ll check this report, but I’m not sure I can do anything there because r is just the referer address, if I remember well. So what should I do?

On Friday, 28 October 2016, CSGODeimos notifications@github.com wrote:


Sincerely, Remigijus Kiminas