Adaptive Portlet Security....cross site scripting error

Ok, I'm using Adaptive Portlets to access portlet data that resides on a different machine than my portal server. Every time I try to perform a PTHTTPGET, I get a JavaScript security error. At first I was able to get around this by storing my portlets on the same machine as the server; however, in production this will not work because our portal is installed across 5 different boxes.
Does anyone know how I can get around this?
Dana

The way to work around this is to make sure that any URLs you GET from are gatewayed. That way, as far as the browser is concerned, they're from the same host.
...stephan
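An added example, not code from the original thread or from the portal product, of the same-origin rule behind the browser error and of the gateway rewrite stephan describes. The gateway base URL, its `url` query parameter and the allowed-host list are assumptions.

```javascript
// Same-origin comparison as the browser applies it: scheme, host and port
// must all match. The URL parser normalises default ports (80/443) to "".
function sameOrigin(pageUrl, targetUrl) {
  const a = new URL(pageUrl);
  const b = new URL(targetUrl, pageUrl); // relative targets resolve to the page itself
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Rewrite a remote portlet URL so the browser fetches it from the portal host.
// Assumed gateway contract: the real target travels in a "url" query parameter.
// The gateway must forward only to hosts an administrator has registered;
// without that allowlist it is an open proxy any page could route through.
function gatewayUrl(targetUrl, gatewayBase, allowedHosts) {
  const t = new URL(targetUrl);
  if (t.protocol !== "http:" && t.protocol !== "https:") return null;
  if (!allowedHosts.includes(t.hostname)) return null;
  const g = new URL(gatewayBase);
  g.searchParams.set("url", t.href);
  return g.href;
}

// What a PTHTTPGET should request: the URL itself when it is already
// same-origin with the portal page, otherwise the gatewayed form (or null
// when the target is not one the gateway may reach).
function resolveFetchUrl(pageUrl, targetUrl, gatewayBase, allowedHosts) {
  if (sameOrigin(pageUrl, targetUrl)) return new URL(targetUrl, pageUrl).href;
  return gatewayUrl(targetUrl, gatewayBase, allowedHosts);
}
```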

Similar Messages

  • Cross site scripting errors in RoboHelp 8.0

    We are using RoboHelp 8.02, generating WebHelp for a web application. Development just started to use Fortify to identify security vulnerabilities. The Fortify software found 17 RoboHelp htm files with cross-site scripting security holes. We are NOT using RoboHelp Server 8.
    Before creating this posting, I searched the forums and found one post from Feb 2010 (Beware - serious - cross site scripting errors in RoboHelp 8.0).
    From reading that posting, it appears that an Adobe engineer was involved; I'm not clear on the final outcome for this issue.
    Any additional information on the final resolution of this issue would be helpful.
    Thanks,
    Beware - serious breach - cross site scripting errors in RoboHelp 8.0

    The previous poster indicated that Tulika, who I can confirm is an Adobe engineer, stated "when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful." The poster also indicated their opinion was the other errors were minor.
    That seems clear enough, so I wonder what value there is in anything that anyone here can add. The forum responses are from other users, and I would have thought any further assurance beyond the above is something your management would want to come from Adobe.
    I have not seen anything on these forums indicating that any attack has been triggered.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • DOM Based Cross-Site Scripting issue in RoboHelp 10

    We're using a WebHelp system originally deployed using RoboHelp 9.0.2.271, and a recent security scan revealed the DOM based cross-site scripting issue.
    I recently upgraded to RoboHelp 10, migrated my help system to this version, and redeployed the system, but our security scan is still detecting the cross-site scripting vulnerability in WebHelp. Wasn't this issue resolved in RoboHelp 10?
    Thanks

    Hi,
    I’m not a security expert, but this script reads the URL of the current topic and redirects to the current topic with a bookmark. This is needed for when the same topic is used in multiple locations in the TOC.
    I’ll ask around about this security issue.
    Greet,
    Willam
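An added example, not RoboHelp's code or Willam's, of the pattern he describes (read the current URL, redirect to the topic with a bookmark) written so that only values inside the help tree are accepted, which is what turns a DOM-based XSS finding on `document.location.href` into a safe redirect. The `topic` parameter name and the `HELP_BASE` deployment URL are assumptions.

```javascript
const HELP_BASE = "https://help.example.com/webhelp/"; // assumed deployment path

// Returns the URL the page may redirect to, or null when the request must be
// ignored. Everything derived from location.href is treated as untrusted.
function safeTopicRedirect(currentHref) {
  const current = new URL(currentHref);
  const topic = current.searchParams.get("topic");
  if (topic === null) return null;

  // Only a plain relative path is acceptable: no scheme (javascript:, data:,
  // http:), no absolute or protocol-relative path, no parent traversal,
  // no control characters (covers CR/LF) and no characters that open markup.
  if (/^[a-z][a-z0-9+.-]*:/i.test(topic)) return null;
  if (topic.startsWith("/") || topic.includes("\\")) return null;
  if (topic.split("/").some(seg => seg === "..")) return null;
  if (/[\x00-\x1f<>"'`]/.test(topic)) return null;

  // Resolve against the help base and confirm the result is still under it.
  const dest = new URL(topic, HELP_BASE);
  if (!dest.href.startsWith(HELP_BASE)) return null;

  // Carry the bookmark over only when it is a simple anchor name.
  const bookmark = current.hash.slice(1);
  if (bookmark && !/^[A-Za-z0-9_.-]+$/.test(bookmark)) return null;
  dest.hash = bookmark;
  return dest.href;
}
```

In the page itself the caller would do `const next = safeTopicRedirect(document.location.href); if (next) location.replace(next);` rather than writing the raw value anywhere.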

  • Cross-site scripting vulnerability RoboHelp 10 version

    Has the cross-site scripting vulnerability been addressed in the RoboHelp 10 version?

    To the best of my knowledge it was addressed in Rh9. Rh10 has an HTML5 output option that does not use frames.
    However, if security is a concern, then only a security expert can give you the assurance you require.
    Personally I have yet to hear of webhelp being used maliciously but that does not mean it hasn't happened.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • Due to the presence of characters known to be used in Cross Site Scripting

    I am getting the following error when I try to send a single quote as part of a URL. I tried the JavaScript escape() function to encode the URL, but I am still getting the same error. Does anybody know a workaround for the issue? Thanks
    Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
    403: Access Forbidden
    Your client is not allowed to access the requested object

    FYI, we are using the IIS web server and the WebLogic app server.
    When the page is accessed through WebLogic, the cross site scripting error does not occur. It happens when the page is rendered via IIS.

  • Cross-site Scripting Vulnerability OAS-10g/10.1.2.0.0 OHS

    Has anyone confronted the Cross-site scripting Vulnerability with 10g and OHS 10.1.2?
    We are about to put our first APEX box into production, but we need to fix this vulnerability first.
    I did some searching around but failed to come up with anything useful. It could be my searching sucked, too.
    Any thoughts / help / ideas would be greatly appreciated.
    Thanks.

    Hi,
    Do you get this error when you try to run forms configured using OAS 10g 10.2.0.2?
    We run a web application using OAS 10g 10.2.0.2, and after leaving the application idle for more than half an hour, ORA-12152 is displayed and the application is in a deadlock.
    Can you please suggest any solution for the same.
    Should the SQLNET.AUTHENTICATION_SERVICES= (NTS) be commented in sqlnet.ora file.
    Sridharrs

  • Webhelp vulnerable during XSS cross site scripting audit. Reason - document.location.href

    Online help created by the team is going through a security vulnerability check now. It has been found that after integration of the WebHelp with the application, document.location.href is a vulnerable point as per XSS cross site scripting. Please share your thoughts and any methods you have that can contain this situation. It's urgent, please help.

    This thread is now locked. See the duplicate post.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • MS IE toStaticHTML String Parsing Cross-Site Scripting Vulnerability alarms

    Hi,
    I was wondering if someone else has noted an increase in false positives concerning the following 2 events:
    - Microsoft Internet Explorer toStaticHTML String Parsing Cross-Site Scripting Vulnerability
    - Microsoft Office Excel Ghost Record Parsing Arbitrary Code Execution Vulnerability
    Obviously I see these events because the signature has been introduced recently!!!
    But I wonder if these alarms I'm getting are genuine (and I have a big problem), or if the signature needs to be 'tuned' by Cisco to be a bit less sensitive?
    Has anyone experienced something similar or can shed some light?
    Thanks,
    seb.

    Hello Seb,
    Since I don't have the entire transmission, I can't tell what exactly is commented out in regard to the tags, but the data appears to look something like below.
    e){  
      //v3.0..   
      eval(targ+".location='"+selObj.options[selObj.selectedIndex].value+"'");
      if (restore) selObj.selectedIndex=0;
    //-->
    @td  
    img{display: block;}
    @import url("p7tp/p7tp_01.css
    With 30419 being related to CVE-2010-3324, I assume the signature is firing due to some match variation of the fact that @import and the tags are showing up in a response from your web server. The toStaticHTML method should remove tags, but the vulnerability is causing that mechanism to fail.
    The oBot User-Agent caught my eye. Google returns several pages to the effect of oBot being a:
    "German spider from Cobion, now part of Internet Security Systems. Scans the web for their clients looking for copyright infringement."
    I'm not sure what benefit this search bot would receive from injecting Javascript into the response.
    I'll forward the capture data to our sig team to confirm whether this should be a legitimate match.
    Thank you,
    Blayne Dreier
    Cisco TAC Escalation Team
    **Please check out our Podcasts**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
    TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series

  • Business Objects Infoview 'cms' Cross-Site Scripting Vulnerability

    I was recently notified that we are vulnerable to cross-site scripting. We are using Crystal Enterprise XI R2. I read that we need Fix Pack 3.5; however, I don't know where to find it within SAP. I thought that Service Pack 3 would help, but it doesn't appear available to download. Has anyone else talked about this vulnerability?
    Edited by: Wade Hinkle on Jul 18, 2008 6:53 PM

    Hi experts,
    I checked the permissions at the PCD and everything should be fine.
    But what I found out at the moment is that the Business Objects application does try to change the browser height and width, for some reason I don't know.
    Well and the portal does not allow this action at the portal browser / content area.
    1) The error messages are window.setIframeHeigth :
    while (childFrame != parentWin && parentWin.setIframeHeight && parentWin.supportResizeFrameToContent) {
            var x = parentWin.document.body.scrollLeft;
            var y = parentWin.document.body.scrollTop;
            parentWin.setIframeHeight(childFrame.name);
            parentWin.scrollTo(x,y);
            childFrame = parentWin;
            parentWin = childFrame.parent;
    2) the other message is Window.document
    function findElementById(Id) {
         var mywin = window;
         while (mywin != mywin.parent && mywin.parent && mywin.parent.document) {
              mywin = mywin.parent;
    The only way it works now is when I choose the option "display at own window"; then the application is started and can be accessed.
    Well, but unfortunately this is not the integration layer I am looking for. I would like to "integrate" the web application in the portal content area.
    Has anybody some other ideas?
    Thanks in advance and best regards
    Stefan

  • Which hotfix corrects cross-site scripting vulnerability?

    Our security-auditing scanning service is failing to certify our ColdFusion 7.02 servers, saying that there's a cross-site scripting vulnerability, even though we've installed the most recent hotfixes relating to cross-site scripting.
    The specific vulnerabilities we're being told exist are described here:
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0817
    and
    http://www.securityfocus.com/archive/1/459178/30/0/threaded
    Exactly what hotfixes or patches are needed to correct this? Or is this known to be a false positive in these tests?
    Thanks.

    I think it is time for you to upgrade to ColdFusion 8; it has a new variable in the cfapplication tag that will activate cross-site scripting attack protection.
    Dario

  • Cross site script

    Hi,
    I talked about this with my team. I heard about cross site scripting, or XSS, in web based applications. We are using the Oracle EBS suite. Does it occur in EBS?
    If so, how do we prevent it?

    Hi,
    I do not think it can be found in Oracle Apps 11i/R12 -- Please log a SR to confirm this with Oracle support.
    You may also review these documents and see if it helps.
    Note: 403537.1 - Best Practices for Securing Oracle E-Business Suite Release 12
    Note: 189367.1 - Best Practices for Securing the E-Business Suite Release 11i
    Regards,
    Hussein

  • HTML Tag Injection - Cross Site Scripting

    Hello,
    I have a basic app with JSP pages and Servlets running on Tomcat. I've been told my application is vulnerable to tag injection that could be used for cross site scripting & phishing attacks. What is the best way to prevent these kinds of attacks? Is there something in Java or do I need to add code? Does Tomcat have anything built in to prevent this?
    Thank you!

    If you don't display content from users then you're unlikely to have issues. If you do (even usernames) then you have to clean the input. That's non-trivial and there's no way to automate it for all cases so there's nothing built in to do it.
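An added example, not the poster's code and not anything built into Tomcat, of the output-encoding step the answer says you have to do yourself: the user-supplied value (a username, as the answer mentions) is encoded for the HTML context it is written into, at the moment it is written. It is shown in JavaScript as a rendering-side fragment; a JSP would apply the same encoding through a tag library or encoder. renderProfile and attr are hypothetical helpers.

```javascript
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode for element content: the five characters that can open a tag,
// close a tag, or start an entity are replaced, everything else is kept.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Encode for a double-quoted attribute value. The same character set is
// sufficient only because this helper always emits the surrounding quotes;
// an unquoted attribute would need far stricter encoding. Attribute names
// are never taken from user input, so anything unexpected is an error.
function attr(name, value) {
  if (!/^[a-zA-Z][a-zA-Z0-9-]*$/.test(name)) throw new Error("unexpected attribute name");
  return `${name}="${encodeForHtml(value)}"`;
}

// Hypothetical page fragment that displays a username in both contexts.
function renderProfile(username) {
  return `<p class="user" ${attr("data-user", username)}>Welcome, ${encodeForHtml(username)}</p>`;
}
```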

  • Download to excel on grid generates url with Cross Site Scripting Attack

    When we try to download to Excel on a grid (8.50.18), the web server comes back with an automatically generated URL. This URL now contains the characters "%0d%0a" (CR/LF).
    Our firewall/proxy server detects this string in the URL as a Cross Site Scripting Attack (XSS) and fails to show the Excel file.
    This happens in all our environments (so it is not dependent on the domain name).
    Does anyone know a solution for this problem?

    It seems to be a known bug, starting from 8.50.14 and solved with 8.50.19 (also in 8.51xx).
    Unfortunately we are on 8.50.18. It's now bad timing to update our environment.
    It seems that psppr.dll is doing the job, but replacing ours with the 8.50.19 one leaves our domains unstartable.
    I guess we have to ask our network techies to make an exception rule in our internal network/firewall to allow it.
    Detlev

  • Cross-site scripting vulnerability

    HI!
    Has anyone done this yet? Embedding a Flash video object in Dreamweaver or Contribute using the Insert Flash Video command might create a cross-site scripting vulnerability. A potential cross-site scripting vulnerability has been identified within the FLVPlayer_Progressive.swf file. The fix on the Adobe web site is not clear; the article I read about it says Dreamweaver 8 and CS3 are affected, but the Adobe page only refers to CS3. I was wondering if the files for the download they provide will work in 8.02 as well? This is the link to the Adobe webpage.
    http://kb.adobe.com/selfservice/viewContent.do?externalId=kb402925&sliceId=1
    Thanks.
    Dave

    I use CS3 and have done the update. The advice in the article on the page you're referring to is totally messed up.
    Do the renamed ... .old files need to be deleted from the \Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Templates\Video_Player and the \Program Files\Adobe\Adobe Contribute CS3\Configuration\Templates\Video_Player folders or not? The article says nothing about this.
    The described update process for existing sites is absolutely unclear. Open the page in Dw, Preview In Browser, and Save? What change would that make? More importantly, is it enough to update the FLVPlayer_Progressive.swf and/or the FLVPlayer_Streaming.swf on existing sites or not?
    The updated files have a creation date of January 9, 2008 while the article suggests that these files should have a creation date of January 15, 2008.
    The link is broken in the "Additional Information" section.
    That page seriously needs some supervision imho.

  • LiveCycle ES2, Guides, SSL and IE 8/9 Cross Site Scripting Issue

    I have a guide that is being served up in the workspace.
    This guide works fine in all of the different browser versions provided they go through port 8080.
    If however you enable SSL on your server (port 8443) and serve up the guide in the workspace, the end user can fill the entire form out only to have the browser identify the submit process as a Cross Site Scripting issue.
    This is the result:
    The data is essentially lost and guide disappears.  I had a theory that maybe the submit process might be using the default server port for data submissions (8080) and created a customized submit process with the hardcoded targetURL.
    I tried to test my theory and got the same result.  I then modified my custom submit process to essentially do nothing (Started and ended the process with an abstract activity), and got the same result.
    The only other thing that I could think of, is that the automatically generated action script classes might be hard coded to use default port instead of the SSL port.
    Suggestions?!

    Hi
    You can raise an SR for your issue for 5000+ users, or you can also connect with your system engineer team for a possible solution such as setting up IE and deploying it to 5000+ user PCs.
    For your other question see the note below:
    Recommended Browsers for Oracle E-Business Suite 11i [ID 285218.1]
    Regards
    Helios
