JsessionID Cross Site Scripting Bug

Hacker Safe found the following cross site scripting issue on our server.
index.cfm?CFID=6766970&CFTOKEN=32892658&jsessionid=4c3035dcfc2d1f43303b%3F%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22%3D1
The Global protect is on, and the patch is applied, but still the javascript executes.
We have corrected it using <cfif #UrlDecode("#cgi.QUERY_STRING#")# contains "<"> but I would like to know if there is a patch / hotfix for this

cafebritt wrote:
> Hacker Safe found the following cross site scripting issue on our server.
>
> index.cfm?CFID=6766970&CFTOKEN=32892658&jsessionid=4c3035dcfc2d1f43303b%3F%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22%3D1
>
> The Global protect is on, and the patch is applied, but still the javascript executes.
>
> We have corrected it using <cfif #UrlDecode("#cgi.QUERY_STRING#")# contains "<"> but I would like to know if there is a patch / hotfix for this

You can patch this yourself :) The regular expressions that are used by the Global Script Protect function are located in the neo-security.xml file. Just update them.

Since this is a user-to-user forum and not a user-to-adobe forum I would recommend you file a bug report at http://adobe.com/go/wish/

Jochem

Jochem van Dieten
Adobe Community Expert for ColdFusion
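
Added example, not part of the original thread and not ColdFusion's own code: the logic of the poster's workaround (reject a query string whose URL-decoded form contains "<"), written as a Python check that also unwraps repeated percent-encoding and allow-lists the session parameters. The alphanumeric token format, the parameter set and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Query string reported in the thread above (copied from the post).
PAGE_QUERY = ("CFID=6766970&CFTOKEN=32892658&jsessionid=4c3035dcfc2d1f43303b"
              "%3F%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22%3D1")

# Assumption: session identifiers consist of letters and digits only.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")
SESSION_PARAMS = {"cfid", "cftoken", "jsessionid"}
MARKUP_CHARS = set("<>\"'")


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so that
    double-encoded input such as %253C is unwrapped as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def check_query_string(raw_query):
    """Return a list of (parameter, reason); an empty list means it passed."""
    findings = []
    for pair in raw_query.split("&"):
        raw_name, _, raw_value = pair.partition("=")
        name = unquote(raw_name)
        try:
            value = fully_decode(raw_value)
        except ValueError:
            findings.append((name, "excessive percent-encoding"))
            continue
        if name.lower() in SESSION_PARAMS:
            # Allow-list: a session token must match the expected alphabet.
            if not TOKEN_RE.fullmatch(value):
                findings.append((name, "session token is not alphanumeric"))
        elif MARKUP_CHARS & set(value):
            # Deny-list fallback for free-form parameters.
            findings.append((name, "markup characters in value"))
    return findings


if __name__ == "__main__":
    for name, reason in check_query_string(PAGE_QUERY):
        print(f"rejected {name}: {reason}")
```

A request filter of this kind complements HTML-encoding the value at the point where it is written into the page; it does not replace it.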

Similar Messages

  • Download to excel on grid generates url with Cross Site Scripting Attack

    When we try to download to Excel on a grid (8.50.18). The webserver comes back with an automatically generated url. This url now contains the characters "%0d%0a" (CR/LF).
    Our firewall/proxy server detects this string in the url as a Cross Site Scripting Attack (XSS) and fails to show the Excel.
    This happens in all our environments (so not dependent on the domain name).
    Does anyone know a solution for this problem?

    It seems a known bug, starting from 8.50.14 and solved with 8.50.19 (also in 8.51xx).
    Unfortunately we are on 8.50.18. It's now bad timing to update our environment.
    It seems that psppr.dll is doing the job but replacing ours with the 8.50.19 one leaves our domains unstartable.
    I guess we have to ask our network techies to make an exception rule in our internal network/firewall to allow it.
    Detlev

  • Publish Page Content-Cross Site Publishing in SharePoint Online

    Is it possible to get Authoring Site's Specific Page's Content/html content (Live in Page Library of Authoring Site and saved as a Catalog) by a Content Search web part added to the Publishing site's page? 
    (Please note that these sites created in SharePoint 2013 Online, Authoring Site activated Cross site Publishing feature and created using team site template, Publishing site created using Publishing Portal template)

    Hi Gihan,
    Glad to hear your issue solved and thanks for your sharing! It is helpful for others who will meet the same issue.
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • DOM Based Cross-Site Scripting issue in RoboHelp 10

    We're using a WebHelp system originally deployed using RoboHelp 9.0.2.271, and a recent security scan revealed the DOM based cross-site scripting issue.
    I recently upgraded to RoboHelp 10, migrated my help system to this version, and redeployed the system, but our security scan is still detecting the cross-scripting vulnerability in WebHelp. Wasn't this issue resolved in RoboHelp 10?
    Thanks

    Hi,
    I’m not a security expert, but this script reads the URL of the current topic and redirects to the current topic with a bookmark. This is needed for when the same topic is used in multiple locations in the TOC.
    I’ll ask around about this security issue.
    Greet,
    Willam

  • Cross-site scripting vulnerability RoboHelp 10 version

    Has the cross-site scripting vulnerability been addressed in the RoboHelp 10 version?

    To the best of my knowledge it was addressed in Rh9. Rh10 has an HTML5 output option that does not use frames.
    However, if security is a concern, then only a security expert can give you the assurance you require.
    Personally I have yet to hear of webhelp being used maliciously but that does not mean it hasn't happened.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • Due to the presence of characters known to be used in Cross Site Scripting

    I am getting the following error when I try to send a single quote as part of a URL. I tried javascript escape to encode the URL, but I am still getting the same error. Does anybody know a workaround for the issue? Thanks
    Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
    403: Access Forbidden
    Your client is not allowed to access the requested object

    FYI. We are using IIS Webserver and Weblogic Appserver.
    When the page is accessed through Weblogic , cross site script does not occur. It happens when the page is rendered via IIS.

  • JSF 1.2 and CSRF (Cross Site Request Forgery) protection

    Hi All
    My webapp uses (among other technologies like JSP, Ajax, Dojo etc) JSF v1.2 on WebSphere 7.0.
    I've been fixing security issues in the code recently - in particular Cross Site Request Forgery (CSRF) vulnerabilities. The suggested approach to combat CSRF is to embed a hidden unique token in your form (and also store this same token in the session). In the controller logic (i.e. that handles the form's POST) we then check that the session and request token match. I've used this in my JSPs to combat CSRF successfully. Basically I have a filter which executes before the form loads. This filter creates the unique token and stores it in request and session and so on ..
    Now for JSF 1.2 ...
    I'm wondering how I do this in JSF v1.2? Would anyone have any code samples or a resource they could point me towards? Is there a filter mechanism we can employ or some callback on the post?
    One idea I had is that to populate the form with the hidden token I would do (in the form):
    <h:inputHidden id="jsfSecurityToken" value="#{myBean.securityToken}"/>
    In "myBean.java" I have a getSecurityToken method which
    a) creates the token
    b) stores it into the request
    c) stores it into the session
    BUT I don't know how/where on the post I can CHECK if these values match
    Page 40/41 of http://turbomanage.files.wordpress.com/2009/10/securing-jsf-applications-against-owasp-top-ten-color.pdf mentions "isPostBack" but I'm not sure how to use this.
    Any help would be great
    Thanks - Ronan

    A phase listener comes to mind. Check out this useful article:
    http://balusc.blogspot.com/2006/09/debug-jsf-lifecycle.html

  • Cross-site Scripting Vulnerability OAS-10g/10.1.2.0.0 OHS

    Has anyone confronted the Cross-site scripting Vulnerability with 10g and OHS 10.1.2?
    We are about to put our first APEX box into production, but we need to fix this vulnerability first.
    I did some searching around but failed to come up with anything useful. It could be my searching sucked, too.
    Any thoughts / help / ideas would be greatly appreciated.
    Thanks.

    Hi,
    Do you get this error when you try to run forms configured using OAS 10g 10.2.0.2.
    We run a Web application using OAS 10g 10.2.0.2 and after leaving the application idle, more than half an hour, ora-12152 is displayed and the application is in a deadlock.
    Can you please suggest any solution for the same.
    Should the SQLNET.AUTHENTICATION_SERVICES= (NTS) be commented in sqlnet.ora file.
    Sridharrs

  • How to configure CSWP on Category page to show the Published Catalog-item page on Publishing site in a Cross Site Publishing scenario?

    I have created a Cross Site Publishing Environment in SharePoint Online. After connecting to my catalog, 2 pages were automatically created. But in the "Category" page, if I click on an item it will bring me to the original path/item located in the Authoring site. How to configure the Content Search Web Part on the Category page to show the Published Catalog-item page on the Publishing site?
    Can we do this by changing the property mappings?

    Hi,
    According to my understanding, you want users to be redirected to pages in the current site instead of the source page of the search results in a Content Search Web Part.
    By default, the hyperlinks of the search results in a Content Search Web Part will point to the source page where the data comes from, when the hyperlink of each result is clicked, user will be redirected to the corresponding source page.
    If the data comes from other sites, what page do you want to display when user clicks a search result in the Content Search Web Part?
    Property Mappings can help to control the content of each part of a display template, however, there seems no such property in the search result can help to redirect to the pages of the current site, thus, it might not be able to meet your requirement.
    More information about customizing the Content Search Web Part:
    https://www.martinhatch.com/2013/02/customising-cbswp-part1.html
    Best regards,
    Patrick
    Patrick Liang
    TechNet Community Support

  • What are default Zend Session handling best practices to prevent Cross Site Request Forgery?

    I have enjoyed the David Powers book Adobe Dreamweaver CS5 with PHP: Training from the Source - and have put many of the examples into practice. I have a security related concern that may be tied to the Zend::Auth example in the book. While this is installed and working on my site:
    <?php
    $failed = FALSE;
    if ($_POST) {
      if (empty($_POST['username']) || empty($_POST['password'])) {
        $failed = TRUE;
      } else {
        require_once('library.php');
        // check the user's credentials
        try {
          $auth = Zend_Auth::getInstance();
          $adapter = new Zend_Auth_Adapter_DbTable($dbRead, 'user', 'login', 'user_pass', 'sha1(?)');
          $adapter->setIdentity($_POST['username']);
          $adapter->setCredential($_POST['password']);
          $result = $auth->authenticate($adapter);
          if ($result->isValid()) {
            $storage = $auth->getStorage();
            $storage->write($adapter->getResultRowObject(array(
              'ID', 'login',  'user_first', 'user_last', 'user_role')));
            header('Location: /member/index.php');
            exit;
          } else {
            $failed = TRUE;
          }
        } catch (Exception $e) {
          echo $e->getMessage();
        }
      }
    }
    if (isset($_GET['logout'])) {
      require_once('library.php');
      try {
        $auth = Zend_Auth::getInstance();
        $auth->clearIdentity();
      } catch (Exception $e) {
        echo $e->getMessage();
      }
    }
    Apparently, there is very limited protection against Cross Site Request Forgery, where the resulting SessionID could be easily hijacked? I am using the Zend Community edition (I have 1.11.11). I have an observation from a client that this authentication is not up to snuff.
    To boil it down:
    1. Is there a Zend configuration file that might have some settings to upgrade the Session and/or authentication security basics? I'm wondering specifically about the settings in /library/Zend/session.php? I.e. secure the session against a changing user IP, and invoking some other session handling stuff (time-out etc).
    2. If I understand it correctly, "salting" won't help with this, unless it's added/checked via a hidden POST at login time?
    Ideally, the man himself, David Powers would jump in here - but I'll take any help I can get!
    Thanks!

    Might ask them over here.
    http://forums.asp.net/1146.aspx/1?MVC
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Cross Site Publishing in SharePoint Online

    I was asked to test Cross Site Publishing features in SharePoint 2013 Online. I saved the Authoring site collection's (Used Team Site's Template since Product Catalog Template not available in SP Online) Pages library as a Catalog. When I connected that catalog in my Publishing site collection, 2 pages were created automatically. Category Page is showing the content, but CatalogItem page is empty. How can I configure Content Search Web Part to show the Page Content of the Authoring Site's page?
    Can we show Authoring sites Pages libraries page content on the publishing site?
    Is this possible in SharePoint Online Cross Site Publishing?

    Hi,
    Thanks for sharing!
    Best Regards
    Dennis Guo
    TechNet Community Support

  • Cross site scripting errors in RoboHelp 8.0

    We are using Robohelp 8.02, generating webhelp for a web application. Development just started to use Fortify to identify security vulnerabilities. The Fortify software found 17 Robohelp htm files with cross-site scripting security holes. We are NOT using RoboHelp Server 8.
    Before creating this posting, I searched the forums and found one post from Feb 2010 (Beware -serious - cross site scripting errors in Robohelp 8.0).
    From reading that posting, it appears that an Adobe engineer was involved----I'm not clear on the final outcome for this issue.
    Any additional information on the final resolve for this issue would be helpful.
    Thanks,
    Beware - serious breach - cross site scripting errors in RoboHelp 8.0

    The previous poster indicated that Tulika, who I can confirm is an Adobe engineer, stated "when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful." The poster also indicated their opinion was the other errors were minor.
    That seems clear enough so I wonder what value is anything that anyone here can add? The forum responses are from other users and I would have thought any further assurance beyond the above is something your management would want to come from Adobe.
    I have not seen anything on these forums indicating that any attack has been triggered.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • HTML Tag Injection - Cross Site Scripting

    Hello,
    I have a basic app with JSP pages and Servlets running on Tomcat. I have been told my application is vulnerable to tag injection that could be used for cross site scripting & phishing attacks. What is the best way to prevent these kinds of attacks? Is there something in java or do I need to add code? Does Tomcat have anything built in to prevent this?
    Thank you!

    If you don't display content from users then you're unlikely to have issues. If you do (even usernames) then you have to clean the input. That's non-trivial and there's no way to automate it for all cases so there's nothing built in to do it.

  • Webhelp vulnerable during XSS cross site scripting audit. Reason - document.location.href

    Online help created by team is going through a security vulnerability check now. It has been found that after integration of webhelp with the application, document.location.href is a vulnerable point as per XSS cross site scripting. Please share your thoughts and any methods you have that can contain this situation. It's urgent, please help.

    This thread is now locked. See the duplicate post.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • MS IE toStaticHTML String Parsing Cross-Site Scripting Vulnerability alarms

    Hi,
    I was wondering if someone else has noted an increase in false positives concerning the following 2 events:
    - Microsoft Internet Explorer toStaticHTML String Parsing Cross-Site Scripting  Vulnerability
    - Microsoft Office Excel Ghost Record Parsing Arbitrary Code Execution Vulnerability
    Obviously I see these events because the signature has been introduced recently!!!
    But I wonder if these alarms I'm getting are genuine (and I have a big problem), or if the signature needs to be 'tuned' by Cisco to be a bit less sensitive?
    Has anyone experienced something similar or can anyone shed a light?
    Thanks,
    seb.

    Hello Seb,
    Since I don't have the entire transmission, I can't tell what exactly is commented out in regard to the tags, but the data appears to look something like below.
    e){  
      //v3.0..   
      eval(targ+".location='"+selObj.options[selObj.selectedIndex].value+"'");
      if (restore) selObj.selectedIndex=0;
    //-->
    @td  
    img{display: block;}
    @import url("p7tp/p7tp_01.css
    With 30419 being related to CVE-2010-3324, I assume the signature is firing due to some match variation of the fact that @import and the tags are showing up in a response from your web server. The toStaticHTML method should remove tags, but the vulnerability is causing that mechanism to fail.
    The oBot User-Agent caught my eye. Google returns several pages to the effect of oBot being a:
    "German spider from Cobion, now part of Internet Security Systems. Scans the web for their clients looking for copyright infringement."
    I'm not sure what benefit this search bot would receive from injecting Javascript into the response.
    I'll forward the capture data to our sig team to confirm whether this should be a legitimate match.
    Thank you,
    Blayne Dreier
    Cisco TAC Escalation Team
    **Please check out our Podcasts**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
    TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series
