IE Cross-Site error

IE behaves strangely on cross-site errors. Some combinations of parameters actually trigger this error.
e.g.
Please try the below URL in IE (Remove the space between http and :)
http ://www.bing.com?a='b'&a=b.jsp&a=b
Can anyone help me understand why IE throws an error on Bing? I am getting a similar error in my applications but am not sure why it behaves strangely.
-Jain.

Hi,
File > Properties to discover which IE security zone the sites/domains map to...
To allow an intranet site to access a public internet site you may have to add it manually to the intranet sites list.
e.g. say I want to use the W3C validation services from a domain in the intranet or localhost (maps to the internet). To allow this I have to manually add validator.w3.org to the IE intranet sites list.... This means that the default intranet zone setting for XSS filtering (disabled) applies to both my intranet sites and validator.w3.org. From my intranet zone site I am then allowed to use xss to return the validation reports back from W3C. I would add that I am using the POST method and not the GET method...
If possible, in your application use POST instead of GET.
If you are developing this and have not yet published/deployed it to a production web server, you may not be able to properly test it until you have done so and both domains map to the same security zone in IE.
If you are writing a public access website, and you are the developer of both sites, then you can adjust the response headers to allow xss between the domains.
If you are trying to use Facebook Connect or the equivalent Twitter Connect, then you have chosen the wrong technology. Refer to the respective developer API documentation.
What examples and sample code you have supplied us so far leaves some guessing room as to what you actually want to achieve.
Rob^_^
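What "adjust the response headers" amounts to in practice is a CORS allow-list on the server that owns the data. The following is an added example and not code from this thread: a small origin check a server would run before answering a cross-site request, with the common insecure shortcut (echoing whatever Origin arrives, together with credentials) alongside the allow-list form. The origins, the credentials flag and the preflight method list are assumptions for illustration.

```javascript
// Added example: deciding the CORS response headers for a cross-site request.
// Pure functions so the logic can be exercised without a real HTTP server.

// Origins that may read our responses. Exact scheme+host+port, no wildcards.
// (Assumed values for illustration.)
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://validator.w3.org",
]);

// Insecure shortcut often seen in the wild: reflect whatever Origin the
// browser sent and also allow credentials. Any site can now read
// authenticated responses as the victim.
function corsHeadersReflectAny(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Allow-list form: only exact, pre-approved origins get the header, and
// "null" (sandboxed iframes, file://) is never approved. Vary: Origin keeps
// shared caches from serving one origin's answer to another.
function corsHeadersAllowList(requestOrigin, allowed = ALLOWED_ORIGINS, withCredentials = false) {
  if (!requestOrigin || requestOrigin === "null" || !allowed.has(requestOrigin)) {
    return {}; // no CORS headers: the browser blocks the cross-site read
  }
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin",
  };
  if (withCredentials) {
    // "*" together with credentials is refused by browsers anyway; with an
    // allow-list, echoing the one approved origin is the only valid form.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Preflight answer for non-simple requests (custom headers, PUT/DELETE, JSON bodies).
function preflightHeaders(requestOrigin, requestedMethod, requestedHeaders) {
  const base = corsHeadersAllowList(requestOrigin);
  if (!base["Access-Control-Allow-Origin"]) return {};
  const allowedMethods = ["GET", "POST"]; // assumed: what this API actually serves cross-site
  if (!allowedMethods.includes((requestedMethod || "").toUpperCase())) return {};
  return {
    ...base,
    "Access-Control-Allow-Methods": allowedMethods.join(", "),
    "Access-Control-Allow-Headers": requestedHeaders || "Content-Type",
    "Access-Control-Max-Age": "600",
  };
}
```

The reflect-any form is what a quick copy-paste "fix" usually produces, and it turns every logged-in user into an oracle for any site they visit. Note also that IE8 and IE9 make cross-origin calls through XDomainRequest, which sends no cookies and supports only GET and POST, so the credentials branch above only comes into play for IE10+ and other browsers.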

Similar Messages

  • Cross site scripting errors in RoboHelp 8.0

    We are using Robohelp 8.02, generating webhelp for a web application. Development just started to use Fortify to identify security vulnerabilities. The Fortify software found 17 Robohelp htm files with cross-site scripting security holes. We are NOT using RoboHelp Server 8.
    Before creating this posting, I searched the forums and found one post from Feb 2010 (Beware - serious - cross site scripting errors in RoboHelp 8.0).
    From reading that posting, it appears that an Adobe engineer was involved; I'm not clear on the final outcome for this issue.
    Any additional information on the final resolution of this issue would be helpful.
    Thanks,
    Beware - serious breach - cross site scripting errors in RoboHelp 8.0

    The previous poster indicated that Tulika, who I can confirm is an Adobe engineer, stated "when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful." The poster also indicated their opinion was the other errors were minor.
    That seems clear enough so I wonder what value is anything that anyone here can add? The forum responses are from other users and I would have thought any further assurance beyond the above is something your management would want to come from Adobe.
    I have not seen anything on these forums indicating that any attack has been triggered.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Requ

    Hi,
    In the User Application, when I integrate my custom code to upload a file
    (.xls) using Struts, we get the following error:
    ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Request
    Forgery) detected against
    /IDMProv/complianceRemediationAction.do/requestType=uploadAppData.
    Session has been logged out.
    How can we bypass the AntiCsrfServletFilter to upload the file using
    my custom code?
    Please share if anybody has some idea. It's urgent!!!
    Thanks
    Vartika Sanat
    Technical Consultant
    9958022664
    vartika's Profile: http://forums.novell.com/member.php?userid=3010
    View this thread: http://forums.novell.com/showthread.php?t=401004

    vartika wrote:
    >
    > Hi,
    >
    > In the User Application, when I integrate my custom code to upload a file
    > (.xls) using Struts, we get the following error:
    >
    > ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Request
    > Forgery) detected against
    > /IDMProv/complianceRemediationAction.do/requestType=uploadAppData.
    > Session has been logged out.
    >
    > How can we bypass the AntiCsrfServletFilter to upload the file
    > using my custom code?
    >
    > Please share if anybody has some idea. It's urgent!!!
    If it's urgent I suggest you open an SR. Also, this has nothing to do
    with Access Manager. Try posting it in the User Application forum.
    Cheers,
    Edward

  • Due to the presence of characters known to be used in Cross Site Scripting

    I am getting the following error when I try to send a single quote as part of the URL. I tried JavaScript escape to encode the URL, but I still get the same error. Does anybody know a workaround for the issue? Thanks
    Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
    403: Access Forbidden
    Your client is not allowed to access the requested object

    FYI, we are using the IIS web server and the WebLogic app server.
    When the page is accessed through WebLogic, the cross-site scripting error does not occur. It happens when the page is rendered via IIS.
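The 403 text is the kind of message a URL request filter in front of the application server emits when it sees HTML metacharacters in the request line. The following is an added example, not IIS's code, and the exact character set such a filter blocks is an assumption: it shows why client-side encoding does not get past the filter, because a filter that percent-decodes before inspecting sees the same quote either way, and encodeURIComponent does not even encode the single quote. The practical fix is to move the value out of the URL into a POST body, or to strip the character.

```javascript
// Added example: why percent-encoding a quote does not satisfy a URL filter
// that decodes before it inspects, and how such a filter behaves.

// encodeURIComponent leaves ' ( ) ! ~ * unencoded; this variant encodes them too.
function strictEncode(value) {
  return encodeURIComponent(value).replace(/[!'()*~]/g, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// Decode repeatedly (bounded) so %2527 -> %27 -> ' is seen as a quote too.
function decodeFully(s, maxRounds = 3) {
  let current = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape: stop and judge what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Model of a request-line filter. Assumed blocked set: tag delimiters and quotes.
const BLOCKED = /[<>'"]/;

function filterUrl(rawUrl) {
  const decoded = decodeFully(rawUrl);
  if (BLOCKED.test(decoded)) {
    return { status: 403, reason: "characters known to be used in Cross Site Scripting attacks" };
  }
  return { status: 200, reason: "ok" };
}

// Constructed inputs: a name with an apostrophe sent in the query string.
function demoEncoding() {
  const value = "O'Brien";
  return {
    encodeURIComponentOut: encodeURIComponent(value), // quote survives
    strictEncodeOut: strictEncode(value),              // quote becomes %27
    rawBlocked: filterUrl("/search.jsp?name=" + value).status,
    encodedBlocked: filterUrl("/search.jsp?name=" + strictEncode(value)).status,
    doubleEncodedBlocked: filterUrl("/search.jsp?name=O%2527Brien").status,
    clean: filterUrl("/search.jsp?name=OBrien").status,
  };
}
```

The three blocked cases all come back 403 for the same reason: the filter normalises first. Double-encoding is the classic attempt to slip past a filter that decodes only once, which is why the model decodes more than once; a filter that stops after one round would let the third case through to the application.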

  • Cross-site Scripting Vulnerability OAS-10g/10.1.2.0.0 OHS

    Has anyone confronted the Cross-site scripting Vulnerability with 10g and OHS 10.1.2?
    We are about to put our first APEX box into production, but we need to fix this vulnerability first.
    I did some searching around but failed to come up with anything useful. It could be my searching sucked, too.
    Any thoughts / help / ideas would be greatly appreciated.
    Thanks.

    Hi,
    Do you get this error when you try to run forms configured using OAS 10g 10.2.0.2?
    We run a web application using OAS 10g 10.2.0.2 and after leaving the application idle for more than half an hour, ORA-12152 is displayed and the application is in a deadlock.
    Can you please suggest a solution for the same?
    Should the SQLNET.AUTHENTICATION_SERVICES= (NTS) be commented in sqlnet.ora file.
    Sridharrs

  • Safari cross domain error

    I tried to access a web site via Safari that I previously was able to access; however, now I get the following message: "Cross Domain Error: Cross domain is not supported by this browser." Is there a plug-in or something else that would allow me to access the site?

    Hi,
    Please try to configure the cross domain policy file to allow public read access (that is, access without the federation requirement). Make sure you can access the address
    http://something/clientaccesspolicy.xml directly in a browser
    without redirecting, to check whether the cross domain policy file can be accessed anonymously (please start a new browser session and make sure you're
    not logged in, then test the cross domain policy file).
    Best Regards,
    Ming Xu

  • Business Objects Infoview 'cms' Cross-Site Scripting Vulnerability

    I was recently notified that we are vulnerable to cross-site scripting. We are using Crystal Enterprise XI R2. I read that we need Fix Pack 3.5, however I don't know where to find it within SAP. I thought that Service Pack 3 would help but it doesn't appear to be available to download. Has anyone else talked about this vulnerability?
    Edited by: Wade Hinkle on Jul 18, 2008 6:53 PM

    Hi experts,
    I checked the permissions in the PCD and everything should be fine.
    But what I found out at the moment is that the Business Objects application tries to change the browser height and width... for some reason I don't know.
    Well, and the portal does not allow this action in the portal browser / content area.
    1) The first error message is in window.setIframeHeight:
    // Walks up the frame tree resizing each parent; parentWin.document throws
    // once parentWin is a frame from a different origin (the portal content area).
    while (childFrame != parentWin && parentWin.setIframeHeight && parentWin.supportResizeFrameToContent) {
        var x = parentWin.document.body.scrollLeft;
        var y = parentWin.document.body.scrollTop;
        parentWin.setIframeHeight(childFrame.name);
        parentWin.scrollTo(x, y);
        childFrame = parentWin;
        parentWin = childFrame.parent;
    }
    2) The other message is in window.document:
    function findElementById(Id) {
        var mywin = window;
        // Climb to the top-most frame; mywin.parent.document throws when the parent is cross-origin.
        while (mywin != mywin.parent && mywin.parent && mywin.parent.document) {
            mywin = mywin.parent;
        }
        // (the rest of the function is not shown in the post)
    }
    The only way it works now is when I choose the option "display in own window": the application is started and can be accessed.
    Well, but unfortunately this is not the integration layer I am looking for. I would like to "integrate" the web application in the portal content area.
    Has anybody some other ideas?
    Thanks in advance and best regards,
    Stefan

  • A Cross-site request forgery (CSRF) has been detected. Task=com.bea.consol

    On the BEA admin console, trying to install an EAR from a remote location that is fairly large, we're seeing the following error:
    <A Cross-site request forgery (CSRF) has been detected. Task=com.bea.console.actions.app.install.Flow.uploadApp address=*.**.***.*** user=weblogic>
    The address contains an actual IP address.
    If we copy the same EAR over to the server box and install, it works fine. If we remove some jars from the EAR to decrease its size, it works fine.
    We are running a WebLogic 10.3.5 server. The EAR that fails is 276MB. We can successfully install a 246MB EAR. So the problem must arise somewhere between 250MB and 275MB.
    Has anyone seen this? Is this a known limitation for installing remote EARs?
    Any information is appreciated.

    A phase listener comes to mind. Check out this useful article:
    http://balusc.blogspot.com/2006/09/debug-jsf-lifecycle.html

  • SP2013 Unable to get Cross Site Publishing working

    Hi folks,
    I am wondering if anyone has a set of instructions for implementing Cross Site publishing in SharePoint 2013
    that actually work and are up-to-date.
    I'm trying to implement CSP using a simple document library in a product catalog site collection to a publishing site. Created a term set, enabled the library under catalog settings for anonymous, uploaded content, full-crawled the library, connected
    to the catalog from the publishing site, updated the navigation properties on the publishing site. When I test, clicking on the navigation link gives 'The page you are looking for doesn't exist', so it appears not to be creating the appropriate page.
    I've examined a dozen different sets of instructions that are either incomplete or just wouldn't work to see if I am missing a step but cannot identify why I don't see the page with a list of documents.
    One [potential] issue that I have noticed is that the term I am using has a 'memberof' field. However, sometimes the permissions get correctly updated and sometimes they do not; there appears to be no way to update or remove values here.
    Regards
    Andy
    Update: I've managed to get a little further (by chance). After waiting a little longer, I now get the catalogue page displayed; however, there is a warning 'Checked out to you'. I cannot find any documentation on why this
    occurs and how to prevent it.
    Also, if I click the link of the document, it does not open the document but instead displays the fields from the document properties (name, version, date etc.).

    At the moment the best I can get to happen is a list of documents (with large grey boxes above the names) to appear when the navigation link (the term) is selected on the publishing site. Clicking on the links results in a 'page not found' error.
    The URL that is generated when I hover the mouse over the document name on the publishing site is in the format http://server/sites/sitename/term-name/documentname/term-name/15/1.0. I am not sure how that would resolve back to any
    document.
    The first reference to term-name appears to be the value in the term-driven-pages tab, Friendly URL for term field, out of the term store on the publishing site.
    The second reference to term-name appears to be the value in the Navigation tab for the same term.
    Edit: I am finally able to open a document successfully. I had to make a couple of changes: the first was to remove the catalog connection and re-create it. The Catalog Item URL Behaviour needed to be set to 'Make URLs point to source
    catalog'; the second was as above, to edit the content search web part on the category-xyz page so that it was set to OriginalPath (and remember to check in and publish the page).
    Whenever the catalog connection is modified one needs to re-crawl the server; I found that continuous crawl often didn't seem to pick up changes, so for testing I used a full manual crawl.
    Also, when re-creating the catalog connection an error about duplicate terms can be ignored (it still creates the catalog connection), but you have to run a full search crawl afterwards.
    Now that I know it works, I need to re-do everything from scratch to ensure that it can be replicated. If I get time, I will post up some instructions with all of the issues I encountered listed.

  • Unable to open Power BI Sites - Error: We were unable to load the Site. Refresh the page to try again

    Power BI Sites Error
    We were unable to load the Site. Refresh the page to try again
    When opening Power BI Sites with Internet Explorer, in certain security configurations you may run into the above error. While we are looking into resolving this, please see the following workaround:
    1. From the Tools menu, select Internet Options.
    2. On the Security tab, uncheck the "Enable Protected Mode" checkbox for the relevant zone (Intranet/Internet).
    3. Remove all entries for *.powerbi.com from Trusted Sites and/or Local Intranet sites.
    4. On the Advanced tab, uncheck "Enable Enhanced Protected Mode" (if you made a change here it will require a restart of the machine).
    5. Restart and try again (if no changes were made in the last step, just restart the browser).

    Hi
    Any further debugging tips? I upgraded from IE9 to IE11 on my Win7 machine to try to get Q&A working, and it broke the entire Power BI site for me.

  • Unknown site error while deploying web services using OC4J

    Hi,
    I have been testing the web services deployment examples using demo.zip from the OTN site.
    I have trouble binding the web application name to standalone OC4J.
    I am running stand alone OC4J server fine. I verified the website http://localhost:8888, which is running fine.
    If I issue the command
    java -jar admin.jar ormi://localhost:23791 admin password1 -bindwebapp demo_ejb_web_service HelloService_web http://localhost:8888/ sejb_webservices
    I get error
    oracle.oc4j.admin.internal.DeployerException: Unknown site: http://localhost:8888/
    What is the http-web-site address that needs to be given for binding web app, if I am running local standalone OC4J with no default port changes?
    Thanks,
    Mohan

    Eric,
    Thanks for the response. But, still I am not able to bind web-application to OC4J.
    Here is how my server.xml has defined the web-site tag:
    <web-site default="true" path="./http-web-site.xml" />
    My http-web-site.xml has following web-site tag:
    <web-site port="8888" display-name="OC4J 10g (10.0.2) HTTP Web Site">
    <default-web-app application="default" name="defaultWebApp"/>
    <web-app application="default" name="dms0" root="/dms0" access-log="false" />
    <web-app application="default" name="dms0" root="/dmsoc4j" access-log="false" />
    <web-app application="default" name="admin_web" root="/adminoc4j"/>
    <access-log path="../log/http-web-access.log"/>
    </web-site>
    I used the following command to bind the example web service:
    java -jar c:\XtendTools\oc4j\j2ee\home\admin.jar ormi://localhost admin password1 -bindWebApp demo_ejb_service HelloService_web default-web-site /sejb_services
    I get "oracle.oc4j.admin.internal.DeployerException: Unknown site: default-web-site" error.
    I tried to use following names as http-web-site, but nothing works.
    "http://localhost:8888"
    "dms0"
    "adminoc4j"
    I downloaded stand alone OC4J 10.1.2 from OTN and tried these samples.
    Your help will be appreciated.
    Thanks,
    Mohan

  • Cross Domain error for Silverlight + MVC application with self hosted WCF service on azure

    Hi,
    We are migrating an existing Silverlight application to MVC; the existing Silverlight application is hosted on
    Azure and consumes a self-hosted WCF service. For authentication we have implemented
    ADFS with WIF (passive). The cloud service (<myWebSite>.cloudapp.net) is CNAMEd to (<myWebSite>.<myDomain>.com) and we
    consume the WCF service at <myWebSite>.cloudapp.net/<myService>.svc. As we were getting a "Cross Domain" error we added "clientaccesspolicy.xml" at the root of the WEB ROLE.
    The existing Silverlight application works fine but the problem occurred when we deployed our migrated application to the same cloud service. We are getting a "Cross Domain" error.
    The same migrated application works fine in the UAT environment; the only difference is that the UAT environment is
    without the ADFS WIF implementation.
    The migrated application is half Silverlight and half MVC with the initial landing page in Silverlight. The MVC web role is used to host the service, i.e. the .svc. To go to the SL landing page we redirect from the home controller. The following is observed in Fiddler for this
    application:
    Existing Silverlight application -
    1. After authentication with ADFS it redirects to the Silverlight landing page.
    2. Before calling a service method it looks for "clientaccesspolicy.xml".
    3. In the response header we get the content of "clientaccesspolicy.xml".
    4. After this everything works fine.
    Migrated Silverlight-MVC application -
    1. After authentication with ADFS it redirects to "HomeController" and from there we redirect to the Silverlight landing page.
    2. Before calling a service method it looks for "clientaccesspolicy.xml".
    3. In the response header we get the following content - "https://federation-sts.<myDomain>.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2f<myWebSite>.<myDomain>.com&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fclientaccesspolicy.xml&wct=2014-03-17T10%3a36%3a04Z"
    4. It throws a "Cross Domain" error.
    Also we have added a filter in RouteConfig for .xml files:
    routes.IgnoreRoute("{*allxml}", new { allxml = @".*\.xml(/.*)?" });
    NOTE: There is no configuration change apart from MVC configuration.
    We have RDP'd to the web role and found that "clientaccesspolicy.xml" is present at "E:\approot" and it is also accessible at "https://<myWebSite>.<myDomain>.com/clientaccesspolicy.xml".
    Please help
    Thanks,
    Rahul P

    Hi,
    Please try to configure the cross domain policy file to allow public read access (that is, access without the federation requirement). Make sure you can access the address
    http://something/clientaccesspolicy.xml directly in a browser
    without redirecting, to check whether the cross domain policy file can be accessed anonymously (please start a new browser session and make sure you're
    not logged in, then test the cross domain policy file).
    Best Regards,
    Ming Xu
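Ming Xu's manual check can be automated. The following is an added example, not Microsoft's or the original poster's code: given what a client received when it asked for /clientaccesspolicy.xml, it tells a real policy file apart from the ADFS sign-in redirect seen in the Fiddler trace above (by unwrapping the doubly-encoded ru= value inside wctx), and it shows the anonymous-path exclusion a WIF-protected site needs so the policy file is served without federation. The response objects are constructed from the trace in this thread with the <myDomain>/<myWebSite> placeholders replaced by example.com names; the allowed-domain value in the policy body is an assumption.

```javascript
// Added example: telling a served cross-domain policy file from a federation
// redirect, and the anonymous-path rule that prevents the redirect.

// Paths Silverlight/Flash fetch before any cross-domain call. They must be served
// to an unauthenticated client, so a passive-federation (WS-Fed) redirect must not apply.
const ANONYMOUS_PATHS = new Set(["/clientaccesspolicy.xml", "/crossdomain.xml"]);

function requiresFederationSignIn(path) {
  return !ANONYMOUS_PATHS.has(path.toLowerCase());
}

// Pull the originally requested resource back out of a WS-Federation sign-in URL:
// wctx is URL-encoded once as a query value, and its ru= member once more inside it.
function returnUrlFromWsFedRedirect(signInUrl) {
  let u;
  try { u = new URL(signInUrl); } catch (e) { return null; }
  if (!/\/adfs\/ls\/?$/i.test(u.pathname) || u.searchParams.get("wa") !== "wsignin1.0") return null;
  const wctx = u.searchParams.get("wctx");
  if (!wctx) return null;
  return new URLSearchParams(wctx).get("ru");
}

// response: { status, headers: {lowercase name: value}, body }
function classifyPolicyResponse(response) {
  const location = response.headers["location"];
  const body = (response.body || "").trim();
  if ((response.status === 302 || response.status === 301) && location) {
    const ru = returnUrlFromWsFedRedirect(location);
    return ru ? { kind: "federation-redirect", target: ru }
              : { kind: "redirect", target: location };
  }
  if (response.status === 200 && /^<\?xml[^>]*>\s*<access-policy>/i.test(body)) {
    return { kind: "policy", target: null };
  }
  if (response.status === 200 && /<html/i.test(body)) {
    return { kind: "html-instead-of-policy", target: null }; // a sign-in page served with 200 fails the check too
  }
  return { kind: "unexpected", target: null };
}

// Constructed responses mirroring the two traces in the thread.
const POLICY_OK = {
  status: 200,
  headers: { "content-type": "text/xml" },
  body: '<?xml version="1.0" encoding="utf-8"?>\n<access-policy><cross-domain-access><policy>' +
        '<allow-from http-request-headers="SOAPAction"><domain uri="https://myWebSite.example.com"/></allow-from>' +
        '<grant-to><resource path="/" include-subpaths="true"/></grant-to>' +
        '</policy></cross-domain-access></access-policy>',
};
const POLICY_REDIRECTED = {
  status: 302,
  headers: {
    location: "https://federation-sts.example.com/adfs/ls/?wa=wsignin1.0" +
      "&wtrealm=https%3a%2f%2fmyWebSite.example.com" +
      "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fclientaccesspolicy.xml&wct=2014-03-17T10%3a36%3a04Z",
  },
  body: "",
};
```

Two things worth keeping in mind once the file is reachable anonymously: the policy body itself decides which origins may call the service with the user's cookies, so `<domain uri="*"/>` opens the .svc to every site on the internet, and the example deliberately names the one origin that needs it; and the ignore-route in RouteConfig only keeps MVC from handling the path, it does nothing about the WIF module that issues the redirect, which is why the exclusion has to live at the authentication layer.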

  • The name of the security certificate is invalid or does not match the name of the site error?

    I am looking for some help folks. We are in a Outlook 2007/Exchange2010/Windows2008R2 environment.
    When users open Outlook off the network, and occasionally on the network, they get the error
    The name of the security certificate is invalid or does not match the name of the site error
    The CAS hostname is HRECAS.XXX.ORG. The URL that is listed on the SSL certificate (issued by VeriSign) is WEB.XXX.ORG. WEB.XXX.ORG is what users use to get to OWA and such.
    When I use testexchangeconnectivity.com, under certificate name validation I see an error that reads:
    Host name autodiscover.xxx.org doesn't match any name found on the server certificate CN=web.xxx.org.
    Does this mean somehow we have to add autodiscover.xxx.org on the certificate?
    I tried to add AutoDiscoverExternalUri using
    http://support.microsoft.com/?kbid=940726 &
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/2d0c0f5f-e4ec-4f33-a37d-b94fd7a2319f on the CAS server.
    Set-ClientAccessServer -identity HRECAS -AutodiscoverServiceExternalUri https://autodiscover.xxx.org/Autodiscover/Autodiscover.xml
    I get an error that says
    "a positional parameter cannot be found that accepts argument '-AutoDiscoverExternalUri'.
    Can someone point me to what I am doing wrong with the command and whether I should be concerning myself with adding that line? By the way, the
    InternalUrl information is already configured on the system. Also, should I edit the certificate to add autodiscover.xxx.org?
    Thank in advance for your support.
    TD

    Hi Tapera,
    Thanks for the question.
    The SRV record is a good idea. You can set the SRV to
    https://web.abc.com/autodiscover/autodiscover.xml but you must make sure the
    URL can be resolved from external clients.
    In addition, there is still an issue. It is hard coded that Outlook will look for Autodiscover in the order below:
    1. Access Autodiscover via the SCP in AD:
    https://web.abc.com/autodiscover/autodiscover.xml
    2. If SCP access fails, it will try:
    https://abc.com/autodiscover/autodiscover.xml
    3. Then:
    https://autodiscover.abc.com/autodiscover/autodiscover.xml
    4. Local XML file
    5. SRV record
    As you can see, Outlook will try the SRV record last. Therefore, it will still try to access
    https://autodiscover.abc.com/autodiscover/autodiscover.xml each time you run Outlook, and the certificate warning will still persist.
    I have a workaround. You can use a local policy to stop Autodiscover from accessing
    https://autodiscover.abc.com/autodiscover/autodiscover.xml by:
    1. On the Outlook client machine, open regedit and add the following keys under
    HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Autodiscover:
             "ExcludeHttpsAutodiscoverDomain"
             "ExcludeHttpsRootDomain"
    2. Then set the value to "1" on the above two keys.
    Thanks,
    Simon  

  • Publish Page Content-Cross Site Publishing in SharePoint Online

    Is it possible to get Authoring Site's Specific Page's Content/html content (Live in Page Library of Authoring Site and saved as a Catalog) by a Content Search web part added to the Publishing site's page? 
    (Please note that these sites created in SharePoint 2013 Online, Authoring Site activated Cross site Publishing feature and created using team site template, Publishing site created using Publishing Portal template)

    Hi Gihan,
    Glad to hear your issue solved and thanks for your sharing! It is helpful for others who will meet the same issue.
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • DOM Based Cross-Site Scripting issue in RoboHelp 10

    We're using a WebHelp system originally deployed using RoboHelp 9.0.2.271, and a recent security scan revealed a DOM-based cross-site scripting issue.
    I recently upgraded to RoboHelp 10, migrated my help system to this version, and redeployed the system, but our security scan is still detecting the cross-site scripting vulnerability in WebHelp. Wasn't this issue resolved in RoboHelp 10?
    Thanks

    Hi,
    I'm not a security expert, but this script reads the URL of the current topic and redirects to the current topic with a bookmark. This is needed for when the same topic is used in multiple locations in the TOC.
    I'll ask around about this security issue.
    Greetings,
    Willam
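The pattern Willam describes (read the current URL, then navigate to the topic plus a bookmark) is exactly where scanners flag DOM-based XSS, because the navigation target is built from input the attacker controls. As an added example, not RoboHelp's WebHelp code: a vulnerable redirect helper beside a hardened one that accepts only a relative .htm path and an identifier-shaped bookmark. The parameter name, the path rules and the sample inputs are assumptions; the functions take the query string and fragment as arguments so they can be exercised outside a browser.

```javascript
// Added example: DOM-based XSS in a "jump to topic with bookmark" redirect,
// and a hardened version. Both return the URL that would be assigned to
// window.location so the behaviour can be checked without a browser.

// Vulnerable: whatever arrives in ?topic= and #bookmark is used as-is.
// "javascript:" or "//evil" destinations execute script or leave the site.
function topicRedirectUnsafe(search, hash) {
  const params = new URLSearchParams(search);
  const topic = params.get("topic"); // e.g. "chapter1/intro.htm" (assumed parameter name)
  if (!topic) return null;
  const bookmark = hash ? hash.replace(/^#/, "") : "";
  return bookmark ? topic + "#" + bookmark : topic;
}

// Hardened: only a relative path made of safe segments ending in .htm,
// and a bookmark that looks like an HTML id. Everything else is refused.
const TOPIC_RE = /^(?:[A-Za-z0-9_-]+\/)*[A-Za-z0-9_-]+\.htm$/;
const BOOKMARK_RE = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;

function topicRedirectSafe(search, hash) {
  const params = new URLSearchParams(search);
  const topic = params.get("topic");
  if (!topic || !TOPIC_RE.test(topic)) return null; // rejects schemes, //host, .., %xx, <>
  let bookmark = hash ? hash.replace(/^#/, "") : "";
  if (bookmark && !BOOKMARK_RE.test(bookmark)) bookmark = ""; // drop it rather than guess
  // encodeURIComponent on the fragment is belt-and-braces: the regex already
  // excludes anything that would need encoding.
  return bookmark ? topic + "#" + encodeURIComponent(bookmark) : topic;
}

// In the page itself the call site would be:
//   var target = topicRedirectSafe(window.location.search, window.location.hash);
//   if (target) window.location.replace(target);
```

Two checks are doing the work: the allow-list shape for the topic path (so a scheme or a protocol-relative host can never appear), and refusing rather than "cleaning" an odd bookmark, since a scanner will keep flagging any sink that still echoes attacker bytes. A scanner looking at the unsafe form sees location input flow straight into a navigation sink and reports it whether or not the deployed help content is ever reached with a hostile link.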
