Shopping Cart Software Forum for Ecommerce Templates

PCI Scan Fail - CGI Generic XML Injection

John M
Posted - 10/06/2022 :  03:11:10
The PCI scan fails for xxx.php:

Title
CGI Generic XML Injection
Synopsis
A CGI application hosted on the remote web server is potentially prone to an XML injection attack.
Impact
By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, SecurityMetrics was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access a SOAP back-end. An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system. Exploitation of XML injections is usually far from trivial. See also : http://www.nessus.org/u?5691cc8c
Resolution
Modify the affected CGI scripts so that they properly escape arguments, especially XML tags and special characters (angle brackets and slashes).
Data Received
Using the GET HTTP method, SecurityMetrics found that :
+ The following resources may be vulnerable to XML injection :
+ The 'xxx' parameter of the /xx.php CGI

John

Vince
Posted - 10/06/2022 :  03:52:58
Hi John
I've tried all the usual injection attacks using that parameter but all seems to be fine. If you like, please send any details you have (they will often include a URL to recreate the issue for instance) to my email and I'll try on your site. But it may just be a false positive.

Vince

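The escaping the scanner's Resolution asks for, and the reason Vince's "may just be a false positive" is plausible, shown together as an added example. This is not code from this thread or from the Ecommerce Templates cart: it assumes a hypothetical handler that splices a `qty` request parameter into a SOAP request, and the envelope, the stand-in back-end and the sample payloads are all constructed for illustration. Python is used only so it runs anywhere; in the cart's own PHP the equivalent of `escape()` below is `htmlspecialchars($qty, ENT_XML1 | ENT_QUOTES, 'UTF-8')`.

```python
"""Added example: XML injection through a spliced parameter, its fix, and a
scanner-style check.  Everything here (envelope, back-end, payloads) is
constructed for illustration and is not the cart's code."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed SOAP request; {qty} is where the request parameter ends up.
ENVELOPE = (
    '<?xml version="1.0"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><Order><Qty>{qty}</Qty></Order></soap:Body></soap:Envelope>'
)


def build_soap_unsafe(qty):
    """Vulnerable: the raw parameter is concatenated into the XML."""
    return ENVELOPE.format(qty=qty)


def build_soap_safe(qty):
    """Hardened: escape &, < and > before splicing (text content; use
    xml.sax.saxutils.quoteattr for attribute values)."""
    return ENVELOPE.format(qty=escape(qty))


def build_soap_validated(qty):
    """Also safe, and what a cart script often really does: reject anything
    that is not a positive integer before building the request."""
    if not qty.isdigit():
        raise ValueError("qty must be a positive integer")
    return ENVELOPE.format(qty=qty)


def fake_backend(xml_doc):
    """Stand-in for the SOAP back-end: parse and report every Qty it sees."""
    try:
        root = ET.fromstring(xml_doc)
    except ET.ParseError as exc:
        return {"status": "error", "detail": str(exc)}
    return {"status": "ok", "qty": [el.text for el in root.iter("Qty")]}


def handle_request(builder, qty_param):
    """The hypothetical xxx.php: build the request and hand it to the back-end."""
    try:
        doc = builder(qty_param)
    except ValueError as exc:
        return {"status": "rejected", "detail": str(exc)}
    return fake_backend(doc)


BENIGN = "1"
# Crafted values: add a sibling element, inject a comment, break the markup.
PAYLOADS = ["1</Qty><Qty>99", "<!-- x -->", "1<"]


def injection_suspected(builder, benign=BENIGN, payloads=PAYLOADS):
    """Scanner-style heuristic: flag if any crafted value changes the shape of
    the response (status flips or a different number of values comes back)."""
    base = handle_request(builder, benign)
    for p in payloads:
        resp = handle_request(builder, p)
        if resp["status"] != base["status"] or \
                len(resp.get("qty", [])) != len(base.get("qty", [])):
            return True
    return False


def triage(builder, payloads=PAYLOADS):
    """What to check when the scanner fires: did the markup actually change
    ('injection'), did the script merely refuse the input
    ('validation_reject'), or was nothing different ('clean')?"""
    rejected = False
    for p in payloads:
        resp = handle_request(builder, p)
        if resp["status"] == "rejected":
            rejected = True
        elif resp["status"] == "error" or len(resp["qty"]) != 1:
            return "injection"
    return "validation_reject" if rejected else "clean"


if __name__ == "__main__":
    for name, b in [("unsafe", build_soap_unsafe), ("safe", build_soap_safe),
                    ("validated", build_soap_validated)]:
        print(name, injection_suspected(b), triage(b))
```

The heuristic is as coarse as the finding's wording suggests ("a very different response"): a script that validates the parameter and answers with its own error page trips it just as a genuinely injectable one does, which is the false-positive case to look for when replaying the scanner's URL against the live site.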

John M
Posted - 10/06/2022 :  09:56:12
Hi Vince,

Email sent with all the details.

Many thanks,

John

Vince
Posted - 10/07/2022 :  01:49:16
Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com