Reflected Cross-Site scripting (XSS)
#1
Hi all,
I'm trying to find a way to prevent XSS, for example if a user tries to write some script in the URL of the application.
Is there a way to sanitize the input value of the parameter, removing special characters like ', <, >, ( etc.?
For example, by typing the URL followed by some code (http://127.0.0.1:88/$/StartCheck?<svg/onload=alert(1)>), someone can redirect or execute a script in our application.
I'm using IntraWeb version 14.2.12 and I tried to do it in many ways but none works.
Thanks in advance!
Reply
#2
Hi, can no one help me? I tried in "IWServerControllerBaseParseParameter" but it is not fired when I write the URL in the browser ;(
Reply
#3
Can you explain in more detail please? When you reference:

http://127.0.0.1:88/%24/StartCheck?<svg/...lert(1)>

1) That's not really XSS. alert(1) is not dangerous and does not rely on another site, etc.

2) Are you saying this allows alert to run in any IW application? Or only your application?
Reply
#4
Hi,
1) a third-party company that is reviewing a website we developed reported some security issues that they are requiring us to address. One of these security issues is the problem described:
if the IW application can be reached at "http://127.0.0.1:88/$/" and we put the URL "http://127.0.0.1:88/" followed by the string "StartCheck?<svg/onload=alert(1)>" (http://127.0.0.1:88/$/StartCheck?<svg/onload=alert(1)>), a pop-up appears. This means that a user can put HTML/JavaScript code in the URL and execute this code. They have identified this problem as Reflected Cross-site Scripting (XSS).

2) I'm saying that in our IW application an alert can be run; I don't know if it can be run in other IW applications.
Reply
#5
(03-30-2022, 07:32 AM)MarcoRu Wrote: Hi,
1) a third-party company that is reviewing a website we developed reported some security issues that they are requiring us to address. One of these security issues is the problem described:
if the IW application can be reached at "http://127.0.0.1:88/$/" and we put the URL "http://127.0.0.1:88/" followed by the string "StartCheck?<svg/onload=alert(1)>" (http://127.0.0.1:88/$/StartCheck?<svg/onload=alert(1)>), a pop-up appears. This means that a user can put HTML/JavaScript code in the URL and execute this code. They have identified this problem as Reflected Cross-site Scripting (XSS).

2) I'm saying that in our IW application an alert can be run; I don't know if it can be run in other IW applications.

We had the same issue. You probably should upgrade to IW15. Below are some of the settings that we used and some code that will help with your specific issue.


// Units needed in the uses clause: System.SysUtils (UpperCase, Pos, Copy),
// System.StrUtils (ContainsText), System.Classes (TStringList) and
// System.SyncObjs (TCriticalSection).
// ParamStringList (the allowed parameter names), ParamCriticalSection and
// CCAppParams are application globals of our own, not IntraWeb objects.
procedure TController.IWServerControllerBaseParseParameter(var AParam: string;
  var AllowIt: Boolean; const Index: Integer);
var
  n: Integer;
  ParamName: string;
begin
  // We are going to stop all parameters unless we need to check for a certain param
  // https://www.atozed.com/forums/thread-1681.html
  AllowIt := False;

  if CCAppParams.ApplicationParams.URLStartParams.URLStartParamAllowList = '' then
    Exit; // no allowlist configured: nothing gets through

  // Compare only the name part before '='. A parameter without '=' gives
  // Pos = 0, Copy(..., 1, -1) = '' and is therefore denied.
  ParamName := UpperCase(Copy(AParam, 1, Pos('=', AParam) - 1));

  ParamCriticalSection.Acquire;
  try
    for n := 0 to ParamStringList.Count - 1 do
      if ParamName = UpperCase(ParamStringList[n]) then
      begin
        AllowIt := True;
        // Break, not Exit: the event-handler check below must still run for an
        // allowlisted parameter name, otherwise its value is never inspected.
        Break;
      end;
  finally
    ParamCriticalSection.Release;
  end;

  // Earlier version of the check, kept for reference:
  //   if ContainsText(AParam, '<svg') then
  //     AllowIt := False;
  //   if ContainsText(AParam, 'onbeforescriptexecute') then
  //     AllowIt := False;
  // This fixes an issue with a cross-site scripting possibility in versions at or
  // prior to 5.2.18 and only with Firefox
  // https://www.atozed.com/forums/thread-2034.html
  if ContainsText(AParam, 'onbeforescriptexecute') or
     ContainsText(AParam, 'onafterscriptexecute') then
    AllowIt := False;
end;

Sorry, my picture did not post correctly.

Here are some of the settings on the ServerController in IW15.
CheckFormID
CheckSameUA
CookieHttpOnly
CookieSecure
SessionCookies
ShowSecurityErrorDetails
UniqueURL
UseCookies
Reply
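The allowlist gate in the handler above, ported to Python as an added illustration (this is not code from the thread or from IntraWeb) so it can be exercised against the probe URL from the report. The allowlist names and the blocked event-handler substrings are assumptions for the example; the name comparison is case-insensitive, an empty allowlist denies everything, and the event-handler check is applied after the allowlist so it also covers an allowlisted parameter name.

```python
"""Parameter-name allowlist gate for URL parameters (added Python illustration,
not IntraWeb code). Models an OnParseParameter handler: each raw 'name=value'
item is accepted only if its name is on the allowlist and its text carries none
of the blocked event-handler names."""
from typing import Dict, Iterable
from urllib.parse import urlsplit

# Firefox script-execution event names mentioned in the thread. Assumed list for
# this example; extend it as needed.
BLOCKED_SUBSTRINGS = ("onbeforescriptexecute", "onafterscriptexecute")


def parse_parameter(param: str, allow_list: Iterable[str]) -> bool:
    """Return True if the raw 'name=value' item may reach the application."""
    allowed = {name.upper() for name in allow_list}
    if not allowed:
        return False  # no allowlist configured: nothing gets through
    name, sep, _value = param.partition("=")
    if not sep:
        return False  # no '=' at all: there is no name to match, so deny
    if name.upper() not in allowed:
        return False  # e.g. '<svg/onload' is not an allowed name
    lowered = param.lower()
    # Applied after the allowlist, so an allowed name with a hostile value is
    # still rejected.
    return not any(bad in lowered for bad in BLOCKED_SUBSTRINGS)


def filter_query(url: str, allow_list: Iterable[str]) -> Dict[str, str]:
    """Apply parse_parameter to every '&'-separated query item of the URL and
    return only the accepted name/value pairs. Values are left undecoded, as the
    handler sees them raw."""
    accepted: Dict[str, str] = {}
    for item in urlsplit(url).query.split("&"):
        if item and parse_parameter(item, allow_list):
            name, _, value = item.partition("=")
            accepted[name] = value
    return accepted


if __name__ == "__main__":
    # Constructed probe: the report's URL plus one legitimate parameter.
    probe = "http://127.0.0.1:88/$/StartCheck?<svg/onload=alert(1)>&lang=en"
    print(filter_query(probe, ["lang"]))  # only lang survives
```

Run it against your own allowlist; anything not listed by name is dropped before your page code sees it, which is what the Delphi handler does.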
#6
Hi Jolecc, upgrading to IW15 is a problem because the application is very big, and some other components are not compatible with IW15 (we use CGDevTools and other components, and we would have to convert everything, updating all of it with components compatible with IW15).
Do you think that your solution works with IW14 too?
Reply
#7
(03-30-2022, 07:32 AM)MarcoRu Wrote: Hi,
1) a third-party company that is reviewing a website we developed reported some security issues that they are requiring us to address. One of these security issues is the problem described:
if the IW application can be reached at "http://127.0.0.1:88/$/" and we put the URL "http://127.0.0.1:88/" followed by the string "StartCheck?<svg/onload=alert(1)>" (http://127.0.0.1:88/$/StartCheck?<svg/onload=alert(1)>), a pop-up appears. This means that a user can put HTML/JavaScript code in the URL and execute this code. They have identified this problem as Reflected Cross-site Scripting (XSS).

2) I'm saying that in our IW application an alert can be run; I don't know if it can be run in other IW applications.

Without seeing your application, it sounds like the hole is likely in your code, not IW, and that patching it where you are patching it is not really addressing the situation because it's in a parameter.

Can you try the same thing with a simple demo like GuessSA? If Guess doesn't do it, then it's likely your code passing that parameter somewhere unchecked, and that would be the better place to fix it - at the source of the issue rather than elsewhere.
Reply
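The reply above locates the defect at the place where the parameter is echoed into the page, not in IntraWeb's parameter parsing. As an added Python illustration (not IntraWeb code, and not from anyone in the thread), here is a page builder that interpolates the raw parameter beside one that HTML-encodes it at the sink, with the kind of check a reviewer runs on the response. The page markup, helper names and the percent-encoded probe URL are assumptions for the example.

```python
"""Reflected sink: raw interpolation versus encoding at the sink (added Python
illustration, not IntraWeb code). The probe is the one from the report."""
import html
from urllib.parse import unquote, urlsplit

PAYLOAD = "<svg/onload=alert(1)>"  # the probe string from the report


def first_query_item(url: str) -> str:
    """Return the first query item of the URL, percent-decoded, i.e. what the
    application sees after the browser has sent '<' as %3C."""
    return unquote(urlsplit(url).query.split("&", 1)[0])


def render_vulnerable(param: str) -> str:
    # BAD: the raw parameter lands in HTML text context, so any tag inside it
    # is parsed as markup and an onload handler fires.
    return f"<html><body><p>Start check for: {param}</p></body></html>"


def render_hardened(param: str) -> str:
    # GOOD: encode at the sink. html.escape turns & < > " ' into entities, so
    # the same bytes render as literal text. This encoder is right for HTML
    # text and quoted-attribute contexts only; a value placed inside a script
    # block or a URL needs that context's own encoder.
    safe = html.escape(param, quote=True)
    return f"<html><body><p>Start check for: {safe}</p></body></html>"


def reflects_markup(page: str, probe: str) -> bool:
    """Reviewer-style check: does the probe appear unencoded in the response?
    Case-insensitive, since HTML tag and attribute names are."""
    return probe.lower() in page.lower()


if __name__ == "__main__":
    # Constructed request: the report's URL as a browser would encode it.
    url = "http://127.0.0.1:88/$/StartCheck?%3Csvg/onload=alert(1)%3E"
    value = first_query_item(url)
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(value), PAYLOAD))
    print("hardened reflects markup:  ", reflects_markup(render_hardened(value), PAYLOAD))
```

Trying the same probe against the GuessSA demo, as suggested, is the equivalent of the first call: if the demo's response never contains the unencoded probe, the sink is in your own page code.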
#8
Your IntraWeb version is 4 years old. Four years in web development is a long time and a lot has changed.

IntraWeb 15 has several new features to deal with that, and CG Dev Tools is also compatible with IW 15, so I strongly recommend you consider updating.

In IW14 you can still use the OnParseParameter event.

Have a look here:

https://www.atozed.com/2014/01/20140331c-en/
Reply

