We’ve seen a few customers failing PCI scans due to Cross Site Scripting (XSS) vulnerabilities on the catalogsearch page. Initially it seemed like it was a bug in Magento where it wasn’t sanitizing its input but when we tried to see if a new install, using the default theme, was vulnerable we found it wasn’t. This led us to start tracking down the code that actually printed out the XSS.
In the cases we’ve dealt with, the XSS vulnerability is usually reported on the ‘catalogsearch’ page. On the search page it will show info about what your search query was which is where the XSS vulnerability lies. The code that controls this is in breadcrumbs.phtml.
We compared the default breadcrumbs.phtml with the one that has the XSS vulnerability and found the problem was the vulnerable one wasn’t escaping its output. Here’s an example:
Good:
htmlEscape($_crumbInfo['label']) ?>
Bad:
You can test your site for this by searching your magento store for the following.
If the Google logo is displayed you’re vulnerable to XSS. To fix this, find the breadcrumbs.phtml for your theme and find where it calls these:
echo $_crumbInfo['title']
echo $_crumbInfo['label']
And replace it with these:
echo $this->htmlEscape($_crumbInfo['title'])
echo $this->htmlEscape($_crumbInfo['label'])
The default Magento theme already does this but if you’re using a custom theme or a theme based off of the older default theme, it might not be escaping the output.
