Post by davidthurston » Wed Feb 22, 2012 11:42 pm

Just had a vulnerability scan from Security Metrics. We failed on the following thing.

Description: MyBB member.php and newreply.php Multiple Cross Site Scripting Vulnerabilities
Severity: Area of Concern
CVE: CVE-2010-4522
Impact: Vulnerabilities in MyBB (also known as MyBulletinBoard) allow for SQL and HTML injection as well as detection and deletion of sensitive information in the SQL database. Additionally, myBB administrator passwords can be revealed.
Resolution: [http://www.mybboard.net/downloads.php] Upgrade MyBB to version 1.6.5 or higher.
Vulnerability Details:
Service: http
Sent:
GET /member.php?action=login&url=javascript:alert%28'SAINT'%29 HTTP/1.0
Host: http://(edit - removed)
User-Agent: Mozilla/4.0
Connection: Keep-alive
Received:
<div class="option"> <a onclick="$('input[name=\'language_code\']' ;).attr('value', 'en'); $('#language_form').submit();"><img src="image/flags/gb.png" alt="English" />&nbsp;&nbsp;English</a> </div> </div> <div> <input type="hidden" name="language_code" value="" /> <input type="hidden" name="redirect" value="http://(edit - removed)index.php?route=error/not_found&action=login&url=javascript:alert('SAINT')"

This is all the information I have. We do not use MyBB. The guy at Security Metrics has admitted it's a false positive; however, they won't drop the risk until I give them a dispute statement explaining what we are doing to sanitize HTML and prevent XSS.
I am guessing that OpenCart sanitizes HTML in the URLs. Can anyone explain how, or give me anything that I can send to them to get them to sign everything off?
Last edited by davidthurston on Wed Feb 22, 2012 11:46 pm, edited 2 times in total.

Newbie

Posts

Joined
Mon Jul 26, 2010 11:31 pm

Post by davidthurston » Wed Feb 22, 2012 11:44 pm

Just had a reply from SM. They said the following:
On the cross-site scripting issue, basically we are sending the request below and we are getting a 200 OK, or a positive response, back.

GET /member.php?action=login&url=javascript:alert%28'SAINT'%29 HTTP/1.0
Host: http://edit-removed
User-Agent: Mozilla/4.0
Connection: Keep-alive

To correct this issue we really need you to explain why we get that 200 OK response, and what measures you have in place to protect against cross-site scripting.


Post by Qphoria » Thu Feb 23, 2012 12:06 am

davidthurston wrote:
GET /member.php?action=login&url=javascript:alert%28'SAINT'%29 HTTP/1.0
Host: http://edit-removed
User-Agent: Mozilla/4.0
Connection: Keep-alive

This isn't related to OpenCart. There is no "member.php" file or any call to "action" in the URL.
Seems like they are testing the wrong site, or the wrong path.

Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by davidthurston » Thu Feb 23, 2012 12:25 am

member.php does not exist on my server. I think what they are saying is that when they do that GET request, they are getting a 200 OK response, which I think is because of the soft 404 rewrite rule in .htaccess.

RewriteRule ^(.*)\?*$ index.php?_route_=$1 [L,QSA]

I think this means a 200 OK response is given for anything, which is what they are picking up on.

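A way to check the two things the scanning vendor asked about (why a request for a non-existent member.php gets a 200 OK, and whether the reflected url= value can actually execute) is to classify where the probe string lands in the HTML. This is an added Python example, not code from this thread or from the OpenCart project; the sample status and body are constructed from the fragment the scanner quoted (completed so it parses), shop.example is a placeholder host, and the second body is a constructed contrast case where the same value sits in an href.

```python
"""Triage a reflected-XSS scanner finding on a catch-all (soft 404) site.

Added example, not code from the forum thread or the OpenCart project.
The sample status and body below are constructed from the HTML fragment
quoted in the scan report, completed so that it parses; shop.example is a
placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample, modelled on the scan output quoted in the thread.
SAMPLE_STATUS = 200
SAMPLE_BODY = """
<div class="option">
  <a onclick="$('input[name=\\'language_code\\']').attr('value', 'en'); $('#language_form').submit();">
    <img src="image/flags/gb.png" alt="English" />&nbsp;&nbsp;English</a>
</div>
<div>
  <input type="hidden" name="language_code" value="" />
  <input type="hidden" name="redirect"
         value="http://shop.example/index.php?route=error/not_found&amp;action=login&amp;url=javascript:alert('SAINT')" />
</div>
"""

# Constructed contrast case: the same value placed where a browser would follow it.
UNSAFE_BODY = """<a href="javascript:alert('SAINT')">back</a>"""

# Attributes whose value a browser treats as a URL; on* handlers are script.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}


class ReflectionFinder(HTMLParser):
    """Record each place the probe string lands, tagged with its HTML context."""

    def __init__(self, probe):
        super().__init__()
        self.probe = probe
        self.hits = []          # list of (context, location)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:   # attribute values arrive already HTML-unescaped
            if value and self.probe in value:
                executable = name.startswith("on") or name in URL_ATTRS
                self.hits.append(("executable-attr" if executable else "inert-attr", f"<{tag} {name}>"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self.probe in data:
            self.hits.append(("script" if self._in_script else "text", data.strip()[:40]))


def is_soft_404(status, body):
    """True when a 200 response carries the store's not-found page.

    The .htaccess rule quoted in the thread (RewriteRule ^(.*)\\?*$ index.php?_route_=$1 [L,QSA])
    sends every unknown path to index.php, which renders route=error/not_found
    but still answers 200, so a scanner sees a 'positive' response for member.php.
    """
    return status == 200 and "route=error/not_found" in body


def find_reflections(body, probe):
    parser = ReflectionFinder(probe)
    parser.feed(body)
    parser.close()
    return parser.hits


def triage(status, body, raw_probe):
    """'false-positive' when the probe is only reflected in inert text or a quoted
    non-URL attribute; 'needs-fix' when it lands in a URL attribute, handler or script."""
    probe = unquote(raw_probe)      # scanner sends %28/%29; the page reflects the decoded value
    hits = find_reflections(body, probe)
    dangerous = [h for h in hits if h[0] in ("executable-attr", "script")]
    return {
        "soft_404": is_soft_404(status, body),
        "reflections": hits,
        "verdict": "needs-fix" if dangerous else "false-positive",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_STATUS, SAMPLE_BODY, "javascript:alert%28'SAINT'%29"))
    print(triage(SAMPLE_STATUS, UNSAFE_BODY, "javascript:alert%28'SAINT'%29"))
```

For the quoted scan output the only reflection is inside a double-quoted value attribute of a hidden input, so the verdict is false-positive and soft_404 is true; that pair of facts is the substance of a dispute statement. The href contrast case shows the same classifier reporting needs-fix, which is the result you would want before signing anything off.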

Post by rph » Thu Feb 23, 2012 2:29 am

Always look up the CVE reference.

http://web.nvd.nist.gov/view/vuln/detai ... -2010-4522

This is a MyBulletinBoard specific issue. If you don't have MyBB installed then this is a false positive. If you do have it installed upgrade to the latest version.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by davidthurston » Thu Feb 23, 2012 5:18 pm

I did check the CVE. It was clear from the start it was a false positive, as we don't and never have used MyBB. Regardless of this, I have to convince them why it is not an issue, else I get fined by the bank. I spoke to another member of staff there, and he has agreed to drop it based on the information I gave above. It was the fact they were getting a 200 OK response from it that they wanted a dispute statement from me explaining why they are getting a 200 OK.

On the plus side, that was the only apparent vulnerability they found, and it was in fact incorrect. This is positive for both myself and OpenCart. I now have a certificate that proves what I knew anyway: my server is secure and so is OpenCart. Thanks for your replies, and thanks to the OpenCart team for making OpenCart secure and stable.


Post by rph » Fri Feb 24, 2012 7:26 am

davidthurston wrote:
It was the fact they were getting a 200 OK response from it that they wanted a dispute statement from me explaining why they are getting a 200 OK.

I'm not surprised. Most of the low-level support at PCI scanning companies seems to just read off a script.

-Ryan

