Firefox cross-site scripting issue
#1
I have a company testing our websites and they are reporting an issue with cross-site scripting with firefox 71.0.    (Note:  I also tested this with chrome and it does not have the same problem.)

It was tested with iw 15.2.15.

Here are the steps that they gave me to reproduce the issue.

-----------

The "callback", "ajaxevent" and "ArowId" parameters found on https://server.domain.com/providers/IsPr...;/callback can be modified to include executable JavaScript.

Browser used for testing: Firefox/71.0

Steps to reproduce:

1. Open Proof of Concept URL in specified browser.
2. The XSS injection will run and display a popup window.

Proof of Concept:

https://server.domain.com/providers/IsPr...alert``%3e
#2
FYI -- I installed 15.2.18 and the same issue exists.
#3
I did a little more research on this. I tried to reproduce it using the Stand Alone IW exe and found that it is not reproducible with Firefox and SA. I guess it is only a problem with IIS? I will try to put together a simple test case for IIS to help reproduce it.
#4
Cross-site scripting is controlled by headers which, when using IIS, can be altered using IIS configurations. When running as SA, IntraWeb has complete control of the headers.
#5
(10-14-2020, 04:44 PM)kudzu Wrote: Cross-site scripting is controlled by headers which, when using IIS, can be altered using IIS configurations. When running as SA, IntraWeb has complete control of the headers.
How is this controlled with HSYS?
#6
Please, read this: https://www.atozed.com/forums/thread-130...ml#pid4475
#7
In my earlier post I thought this cross-site scripting issue was only with IIS, but I found out that the error also shows up in SA when using iw15.2.18. (My previous test for SA was with Iw14 whereas my IIS test was compiled with iw15, so it was not a good apples-to-apples test.)

Anyway, I have taken the iw15 NewCallBack demo and easily reproduced the issue.

Attached is the modified demo and instructions on how to reproduce the cross-site scripting error in Firefox.

I appreciate your help in getting this fixed.

If it helps, the error also happens in the latest 81.0.2 version of Firefox.


Attached Files
.zip   NewCallback_example cross site scripting.zip (Size: 53.37 KB / Downloads: 3)
.docx   reproduce the cross site Scripting issue.docx (Size: 16.42 KB / Downloads: 11)
#8
This has been fixed in our code base.

Alternatively you can also use ServerController.OnParseParameter event to drop any parameter containing the offending code.

Kind regards,
#9
Thanks. I will look for the next release.
#10
I went ahead and added the following to my ServerController

// ContainsText comes from System.StrUtils (case-insensitive substring match).
procedure TController.IWServerControllerBaseParseParameter(var AParam: string;
  var AllowIt: Boolean; const Index: Integer);
begin
  // Drop any parameter that carries the event-handler attribute used in the report.
  if ContainsText(AParam, 'onbeforescriptexecute') then
    AllowIt := False;
end;

NOW they are coming back and saying that I also need to check for onafterscriptexecute. (Can you also please add this one to your code base?)

I know I can add the following to the ServerController, but is there a way to block everything and only allow what I need to pass through?

if ContainsText(AParam, 'onafterscriptexecute') then
  AllowIt := False;
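Added example (not code from this thread or from IntraWeb itself) answering the allow-list question above: it replaces the deny-list on individual attribute names with a check that only lets through parameter names and value characters the application is known to use, so a new attribute name does not need a new rule. It assumes AParam arrives as one already URL-decoded name=value pair, that the three names from the pen-test report are the only ones this callback needs, and that the hypothetical IsAllowedParameter helper below is yours to add; any parameter name the framework itself sends must be appended to AllowedNames after observing real traffic, or it will be dropped as well.

```delphi
uses
  System.SysUtils, System.StrUtils;

// Assumption: AParam is a single "name=value" pair, already URL-decoded.
// Anything that does not match the allow-list is rejected (fail closed).
function IsAllowedParameter(const AParam: string): Boolean;
const
  // Parameter names this callback legitimately uses (extend from observed traffic).
  AllowedNames: array[0..2] of string = ('callback', 'ajaxevent', 'ArowId');
  // Characters permitted in a value: identifiers and dotted component paths.
  // Markup and script characters such as < > " ' ( ) = are never in this set.
  SafeChars: TSysCharSet = ['A'..'Z', 'a'..'z', '0'..'9', '_', '.'];
var
  EqPos: Integer;
  Name, Value: string;
  C: Char;
begin
  Result := False;
  EqPos := Pos('=', AParam);
  if EqPos = 0 then
    Exit;                                   // no name=value shape at all
  Name := Copy(AParam, 1, EqPos - 1);
  Value := Copy(AParam, EqPos + 1, MaxInt);
  if IndexText(Name, AllowedNames) < 0 then
    Exit;                                   // unknown parameter name
  if (Value = '') or (Length(Value) > 256) then
    Exit;                                   // empty or implausibly long value
  for C in Value do
    if not CharInSet(C, SafeChars) then
      Exit;                                 // any character outside the allow-list
  Result := True;
end;

procedure TController.IWServerControllerBaseParseParameter(var AParam: string;
  var AllowIt: Boolean; const Index: Integer);
begin
  // Deny by default: only parameters that pass the allow-list survive.
  AllowIt := IsAllowedParameter(AParam);
end;
```

Before deploying, log every parameter the handler rejects for a while so that legitimate names or characters missing from the allow-list show up as rejections rather than as silently broken callbacks.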