PCI CGI vulnerability


We're getting PCI security alerts on the Cherry web engine. Is there some method of resolving this issue - i.e. install a later version of the web engine?

Thanks,

Bill

Here's the alert:

Server IP = X.X.X.X

THREAT: When the service made an HTTP request for a CGI file that was found to exist on the Web server host, the Web server returned an HTTP redirection page containing unsanitized user-supplied input to at least one of the CGI file's parameters. Thus the host is vulnerable to cross-site scripting attacks.

A list of CGI vulnerable files can be found in the Result section below.

IMPACT: By exploiting this vulnerability, malicious scripts could be executed in a client browser which processes the content of an HTTP redirection page returned by the Web server.

SOLUTION: Contact the vendor/author of the CGI file(s) for a solution to this issue.

RESULTS:
GET /en-US/search?client="><script>alert(document.domain)</script>&site="><script>alert(document.domain)</script>&output="><script>alert(document.domain)</script>&q="><script>alert(document.domain)</script>&proxystylesheet="><script>alert(document.domain)</script> HTTP/1.1
Host: X.X.X.X:8000

HTTP/1.1 303 See Other
Date: Wed, 04 Jul 2012 19:12:56 GMT
Content-Length: 618
Content-Type: text/html;charset=utf-8
Location: http://X.X.X.X:8000/en-US/search/?client="><script>alert(document.domain)</script>&site="><script>alert(document.domain)</script>&output="><script>alert(document.domain)</script>&q="><script>alert(document.domain)</script>&proxystylesheet="><script>alert(document.domain)</script>
Server: CherryPy/3.1.2
Set-Cookie: session_id_8000=b35a7fbfe22ca405f9db492b63aa1544f6aa0846; expires=Thu, 05 Jul 2012 19:12:56 GMT; httponly; Path=/

This resource can be found at http://X.X.X.X:8000/en-US/search/?client="><script>alert(document.domain)</script>&site="><script>alert(document.domain)</script>&output="><script>alert(document.domain)</script>&q="><script>alert(document.domain)</script>&proxystylesheet="><script>alert(document.domain)</script>
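The alert boils down to a redirect whose Location header repeats the request's query parameters without encoding them. As an added example (not from the question, and not Splunk's or CherryPy's own code), the Python below shows a redirect builder in that vulnerable shape next to a hardened one that percent-encodes every parameter, plus a check a defender can run over a captured Location header; the sample query string and the host name are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

# Constructed sample input: a query string carrying the same characters
# the scanner injected ('"', '<' and '>'), plus a space to show encoding.
SAMPLE_QUERY = 'client="><b>x</b>&q=test&site=a b'
BASE = "http://example.invalid:8000/en-US/search"  # placeholder host


def unsafe_location(base, raw_query):
    """The pattern the alert describes: the raw query string is copied
    straight into the Location header, so injected characters survive."""
    return f"{base}/?{raw_query}"


def safe_location(base, raw_query):
    """Hardened form (an assumed fix, not the vendor's): parse the
    parameters and rebuild them with urlencode(), which percent-encodes
    everything outside the unreserved set (a space becomes '+')."""
    params = parse_qsl(raw_query, keep_blank_values=True)
    return f"{base}/?{urlencode(params)}"


def reflects_unsanitized(location):
    """Check for a captured Location header: True when its query part
    still contains characters that must never appear raw in a URL."""
    return any(ch in urlsplit(location).query for ch in '"<>')
```

Pointing `reflects_unsanitized` at the Location header of a real 303 response is the quickest way to confirm or rule out the scanner's finding after a web engine upgrade.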
