Reported security issue vulnerability
#1
We have a third party company that is reviewing our websites.

They have reported some security issues that they are requiring us to address.


---------------------
Here is their description of the problem:  Cross Site Scripting

The "callback", "ajaxevent" and "ArowId" parameters found on https://site.somewhere.com/iw/Isiw.dll//$/callback can be modified to include executable JavaScript.

Note: The request requires a valid 'IW_SessionID' value that can be obtained by going to the application (no authentication required)

----------------------------

It sounds to me that they think a user can grab a session_id from the site and then use it to do an ajax callback with some malicious code.

How do I mitigate this risk?

We are currently using iw 14.  Are there some changes in iw15 that would help?
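The report quoted in the post names three request parameters. One compensating control is to reject callback requests whose values for those parameters fall outside a strict allow-list before they reach the application. The following is an added example, not part of the original post and not IntraWeb code; the allow-list pattern, the function names and the sample values are assumptions, since the page does not say what legitimate values look like.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameter names from the report quoted in the post (matched case-insensitively).
WATCHED = {"callback", "ajaxevent", "arowid"}
# Assumption: legitimate values are short identifier-like tokens.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.\-]{0,64}")


def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding so %253Cscript is inspected as <script."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def rejected_params(url, body=""):
    """Return the watched parameter names whose values fail the allow-list.

    Inspects the query string and a form-encoded body, including every
    occurrence of a repeated parameter.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    bad = set()
    for name, value in pairs:
        if name.lower() in WATCHED and not SAFE_VALUE.fullmatch(fully_decode(value)):
            bad.add(name)
    return sorted(bad)


if __name__ == "__main__":
    # Constructed sample requests against the endpoint named in the report.
    base = "https://site.somewhere.com/iw/Isiw.dll//$/callback"
    samples = [
        base + "?callback=BTN1.DoOnAsyncClick&ajaxevent=click&ArowId=row_3",
        base + "?callback=%3Cscript%3Ealert(1)%3C/script%3E&ajaxevent=click",
        base + "?callback=ok&ArowId=%253Cimg%2520src%253Dx%253E",
    ]
    for url in samples:
        print(rejected_params(url) or "pass", url)
```

An input filter like this narrows what reaches the DLL; it does not replace output encoding in whatever generates the response.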


Messages In This Thread
Reported security issue vulnerability - by joelcc - 05-20-2020, 05:16 PM
