
PHP Code Injection

slocke 09 Jul, 2012
We have a form that is failing a McAfee PCI scan saying that the form is susceptible to PHP Code Injection. They recommend validating the form or failing that, sanitizing it.

We have tried to do this several times on our own, but have failed. Would appreciate some professional help on this one and we are more than willing to pay for it.
GreyHead 10 Jul, 2012
Hi slocke,

What exactly do you need to validate/sanitize? It should be pretty straightforward to add the code you need in the Custom Serverside Validation action. Possibly the Auto Serverside Validation action will do it for you?

Bob
slocke 10 Jul, 2012
The form is here:

https://www.dsinet.com/services-offered/gateway-services

This is the information we get from McAfee when it fails PCI:

GET /index.php?option=com_content&view=article&id=3:"'><?php%20print(1234567890*27);?>-merchant-account-services-offered-to-our-customers&catid=2:uncategorised&Itemid=109 HTTP/1.1
Referer : https://www.dsinet.com/index.php?option=com_content&view=article&id=3&Itemid=109
Cookie : 8c64b66c0d364bbaa588fefc8c4defc8=23c262832650131d9d0d36767295a51b
Cookie : 4531f7e2f27ddd5cd1e0cf7aa35563fd=a231e2a982076780d0166c670f4a7d54
GreyHead 10 Jul, 2012
Hi slocke,

Please try setting Relative URL to 'No' on the form General tab. I think that will fix this particular problem.

Bob

PS If my memory is correct - and it may not be - this comes from a change in the Joomla! code from 1.6 to 2.5 where they removed URL sanitisation :-(

PPS It is that Joomla! change. If you need to keep the Relative URL then you could try my Show HTML [GH] action which includes the sanitisation code for the page URL.
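As an added illustration of the sanitisation Bob describes (this is not code from the thread, ChronoForms or Joomla!): when a form action is built from the current request URL, the scanner's request line reflects its probe straight into the action attribute. The function below, with the hypothetical names safe_form_action and ALLOWED_KEYS, rebuilds the URL from known query keys only and HTML-escapes it, so the probe collapses to id=3.

```php
<?php
// Added example, not ChronoForms or Joomla! code. Rebuilds a form "action" URL
// from the raw request URI so that attacker-controlled characters in the query
// string (like the scanner's "'><?php ... ?> probe) cannot break out of the
// attribute or appear in the page at all.

// Assumption: only these keys are needed for a Joomla! article URL; anything
// else in the query string is dropped.
const ALLOWED_KEYS = ['option', 'view', 'id', 'catid', 'Itemid'];

function safe_form_action(string $request_uri): string
{
    $parts = parse_url($request_uri) ?: [];
    $path  = $parts['path'] ?? '/index.php';
    $raw   = [];
    parse_str($parts['query'] ?? '', $raw); // also percent-decodes values

    $query = [];
    foreach (ALLOWED_KEYS as $key) {
        if (!isset($raw[$key]) || !is_string($raw[$key])) {
            continue;
        }
        if (in_array($key, ['id', 'catid', 'Itemid'], true)) {
            // Article/category/menu ids are integers, possibly followed by a
            // ":slug" suffix; keep only the leading integer.
            $query[$key] = (string) (int) $raw[$key];
        } else {
            // option/view: component and view names, letters/digits/underscore only.
            $query[$key] = preg_replace('/[^A-Za-z0-9_]/', '', $raw[$key]);
        }
    }

    // http_build_query percent-encodes values; htmlspecialchars then makes the
    // result safe inside a double-quoted HTML attribute.
    $url = $path . ($query ? '?' . http_build_query($query) : '');
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The request target from the McAfee report above, as the web server hands it
// to PHP in REQUEST_URI (constructed here from the report, not captured live).
$probe = '/index.php?option=com_content&view=article'
       . '&id=3:"\'><?php%20print(1234567890*27);?>-merchant-account-services'
       . '&catid=2:uncategorised&Itemid=109';

$action = safe_form_action($probe);
// Prints: <form action="/index.php?option=com_content&amp;view=article&amp;id=3&amp;catid=2&amp;Itemid=109" method="post">
echo '<form action="' . $action . '" method="post">', PHP_EOL;
```

The probe's quotes, angle brackets and PHP tag never reach the output, which is what the scanner checks for; a PCI scanner treats the reflection itself as the finding, whether or not the server would ever execute it.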
slocke 10 Jul, 2012
Thank you for your help. We'll give that a try.