Atozed Forums
Firefox cross-site scripting issue



Firefox cross-site scripting issue - joelcc - 10-05-2020

I have a company testing our websites and they are reporting an issue with cross-site scripting with Firefox 71.0. (Note: I also tested this with Chrome and it does not have the same problem.)

It was tested with iw 15.2.15.

Here are the steps that they gave me to reproduce the issue.

-----------

The "callback", "ajaxevent" and "ArowId" parameters found on https://server.domain.com/providers/IsProviderConnection.dll//$/callback can be modified to include executable JavaScript.

Browser used for testing: Firefox/71.0

Steps to reproduce:

1. Open Proof of Concept URL in specified browser.
2. The XSS injection will run and display a popup window.

Proof of Concept:

https://server.domain.com/providers/IsProviderConnection.dll//$/callback?callback=%22%3E%3Cwhscheck%3E%3cbody/onbeforescriptexecute%3dalert``%3e



RE: Firefox cross-site scripting issue - joelcc - 10-06-2020

FYI -- I installed 15.2.18 and the same issue exists.


RE: Firefox cross-site scripting issue - joelcc - 10-14-2020

I did a little more research on this. I tried to reproduce it using the Stand Alone IW exe and found that it is not reproducible with Firefox and SA. I guess it is only a problem with IIS? I will try to put together a simple test case for IIS to help reproduce it.


RE: Firefox cross-site scripting issue - kudzu - 10-14-2020

Cross site scripting is controlled by headers which when using IIS can be altered using IIS configurations. When running as SA, IntraWeb has complete control of the headers.


RE: Firefox cross-site scripting issue - zsleo - 10-14-2020

(10-14-2020, 04:44 PM)kudzu Wrote: Cross site scripting is controlled by headers which when using IIS can be altered using IIS configurations. When running as SA, IntraWeb has complete control of the headers.
How is this controlled with HSYS?


RE: Firefox cross-site scripting issue - Jose Nilton Pace - 10-14-2020

Please, read this: https://www.atozed.com/forums/thread-1302-post-4475.html#pid4475


RE: Firefox cross-site scripting issue - joelcc - 10-16-2020

In my earlier post I thought this cross site scripting issue was only with IIS, but I found out that the error also shows up in SA when using iw15.2.18. (My previous test for SA was with IW14 whereas my IIS test was compiled with IW15, so it was not a good apples-to-apples test.)

Anyway, I have taken the iw15 NewCallBack demo and easily reproduced the issue.

Attached is the modified demo and instructions on how to reproduce the cross-site scripting error in Firefox.

I appreciate your help in getting this fixed.

If it helps, the error also happens in the latest 81.0.2 version of Firefox.


RE: Firefox cross-site scripting issue - Alexandre Machado - 10-19-2020

This has been fixed in our code base.

Alternatively you can also use ServerController.OnParseParameter event to drop any parameter containing the offending code.

Kind regards,


RE: Firefox cross-site scripting issue - joelcc - 10-19-2020

Thanks. I will look for the next release.


RE: Firefox cross-site scripting issue - joelcc - 10-26-2020

I went ahead and added the following to my servercontroller:

procedure TController.IWServerControllerBaseParseParameter(var AParam: string;
  var AllowIt: Boolean; const Index: Integer);
begin
  // ContainsText is in System.StrUtils; the match is case-insensitive.
  if ContainsText(AParam, 'onbeforescriptexecute') then
    AllowIt := False;
end;

NOW they are coming back and saying that I also need to check for onafterscriptexecute. (Can you also please add this one to your code base?)

I know I can add the following to the servercontroller, but is there a way to block everything and only allow what I need to pass through?

  if ContainsText(AParam, 'onafterscriptexecute') then
    AllowIt := False;
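An allow-list version of the OnParseParameter handler discussed in this thread, added here as an example and not IntraWeb's or the poster's code. It assumes AParam arrives as the raw "name=value" pair and decodes the value itself, so the check also works if IntraWeb has already decoded it (a second decode can only reject more, never less); the parameter names come from the tester's report above, and ParamAllowed is a hypothetical helper.

```delphi
uses
  System.SysUtils, System.StrUtils, System.NetEncoding;

// Positive check: a value passes only if every character is in the allowed set.
function IsStrictToken(const AValue: string): Boolean;
var
  C: Char;
begin
  Result := AValue <> '';
  for C in AValue do
    if not CharInSet(C, ['A'..'Z', 'a'..'z', '0'..'9', '_', '-', '.']) then
      Exit(False);
end;

// Decision helper (hypothetical name), kept apart from the event so it can be unit-tested.
function ParamAllowed(const ARawParam: string): Boolean;
const
  // Parameters the tester targeted; their values are plain identifiers in
  // normal use, so anything outside the identifier character set is dropped.
  StrictNames: array[0..2] of string = ('callback', 'ajaxevent', 'arowid');
var
  LName, LValue: string;
  P: Integer;
begin
  // Assumption: ARawParam is "name=value"; split first, then URL-decode the value
  // so encoded brackets (%3C, %3E, %22) are judged as the browser will see them.
  P := Pos('=', ARawParam);
  if P > 0 then
  begin
    LName := Copy(ARawParam, 1, P - 1);
    LValue := TNetEncoding.URL.Decode(Copy(ARawParam, P + 1, MaxInt));
  end
  else
  begin
    LName := '';
    LValue := TNetEncoding.URL.Decode(ARawParam);
  end;
  if MatchText(LName, StrictNames) then           // case-insensitive name match
    Exit(IsStrictToken(LValue));
  // Every other parameter: refuse the characters that break out of an attribute
  // or open a tag, instead of chasing individual event-handler names.
  Result := not (ContainsStr(LValue, '<') or ContainsStr(LValue, '>') or
                 ContainsStr(LValue, '"'));
end;

procedure TController.IWServerControllerBaseParseParameter(var AParam: string;
  var AllowIt: Boolean; const Index: Integer);
begin
  AllowIt := ParamAllowed(AParam);   // the proof-of-concept value above is rejected
end;
```

The general branch is deliberately coarse; if a form field legitimately needs angle brackets or quotes, add its name to a per-parameter rule rather than loosening the default.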