Jason Hect wrote:
A customer tested our website using WebInspect, and reported one
"high" security concern. I'm not really sure what this is about, and
was hoping maybe someone could shed some light on if it's really a
concern, or just a false positive as suggested. If it is a real
concern, how do I fix it! Not sure if it's related, but access to my
"logs" directory was another "low" concern which I have now blocked
access to. I noticed the log directory was listed in the URL below,
and maybe the two were related. I have some 3rd party software which
analyzes my web logs nightly and generates html reports within the
logs directory. Maybe the error was within that html?
Thanks,
Jason
*Failure Finding 1: 302 Error Message Cross-site Scripting*
*Ranking*
High
*Category*
Cross-site Scripting
*Issue*
http://test.superiorbag.com:80/logs?><script>alert('XSS');</script>
The handling of certain HTTP requests that produce "302 Object Moved"
responses allows attackers to launch cross-site scripting attacks.
When the server receives an HTTP request for a directory without a
trailing slash, it returns a 302 Object Moved error message,
redirecting the client to the requested directory, with a forward
slash. Also included in the body of the HTTP response are any GET
parameters that were included in the original request. These
parameters are not properly sanitized for malicious content before
being returned to the client.
*Impact*
Cross-site scripting allows an attacker to control the web browser of
other web users viewing the page by embedding malicious HTML tags and
JavaScript. An attacker can use this technique to steal sensitive
information such as credit card numbers, usernames, passwords, files,
and session identifiers from the web users.
*Remediation*
A patch has been released that corrects this issue. See Microsoft
Security Advisory MS02-018.
*Evidence*
I was unable to reproduce this manually.
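To make the quoted finding concrete, here is an added Python example (written for this thread, not code from Jason's server, from WebInspect, or from Microsoft) contrasting a 302 "directory without trailing slash" handler that echoes the requested query string into its HTML body with a hardened one that percent-encodes the redirect target and HTML-escapes the copy in the body. The probe string is constructed from the scanner URL in the report above, and the function names are hypothetical.

```python
import html
from urllib.parse import urlsplit, urlunsplit, quote, unquote, parse_qsl, urlencode

# Constructed probe, modelled on the scanner URL in the WebInspect report.
PROBE = "/logs?><script>alert('XSS');</script>"

HTML_TEMPLATE = ('<html><head><title>Object moved</title></head><body>'
                 '<h1>Object Moved</h1>This object may be found '
                 '<a href="%s">here</a>.</body></html>')


def unsafe_redirect(request_uri):
    """302 handler with the weakness the finding describes (constructed
    illustration, not any real server's code): the redirect target, query
    string included, is written into the HTML body without encoding, so
    markup in the query string is reflected to the client as-is."""
    path, _, query = request_uri.partition("?")
    location = path + "/" + ("?" + query if query else "")
    body = HTML_TEMPLATE % location
    return 302, {"Location": location, "Content-Type": "text/html"}, body


def safe_redirect(request_uri):
    """Hardened version: the target is rebuilt from parsed parts, the path
    and every query parameter are percent-encoded (which also neutralises
    CR/LF for the Location header), and the body copy is HTML-escaped."""
    parts = urlsplit(request_uri)
    path = quote(unquote(parts.path), safe="/") + "/"
    # parse_qsl decodes each name/value pair; urlencode re-encodes them with
    # nothing but unreserved characters left literal.
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True))
    location = urlunsplit(("", "", path, query, ""))
    body = HTML_TEMPLATE % html.escape(location, quote=True)
    return 302, {"Location": location, "Content-Type": "text/html"}, body


def reflects_markup(response, marker="<script>"):
    """Defender-side check for a response tuple (status, headers, body):
    True if the raw marker survives anywhere in the headers or body, i.e.
    the handler reflects unencoded markup from the request."""
    _, headers, body = response
    return marker in body or any(marker in v for v in headers.values())


if __name__ == "__main__":
    for handler in (unsafe_redirect, safe_redirect):
        status, headers, body = handler(PROBE)
        print(handler.__name__, status, headers["Location"],
              "reflects markup:", reflects_markup((status, headers, body)))
```

Running the script against the probe shows the first handler reflecting the `<script>` tag in both the Location header and the body, while the second emits `/logs/?%3E%3Cscript...` and reflects nothing. The same `reflects_markup` check, fed real responses from the server, is a cheap way to confirm or rule out the scanner's claim before replying to the customer.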
Jason,
If you were unable to reproduce it manually, let the customer know.
Ideally, you should be validating ALL GET and POST requests. If you
encounter GET values that contain <script>, <embed>, <object>, <form> or
any other potentially malicious tags in a context where they shouldn't
exist, don't further process the request and have your server return an
appropriate HTTP status code such as 400 or 403.
This is another reason why I like to put my 4D web systems behind
another web server that can proxy requests. By setting up rewrite rules
that serve as a white list, you can prevent a lot of these exploits from
ever hitting 4D/Active4D.
best,
Brad
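As an added example of the gating Brad describes (written for this thread; it is not Active4D, 4D, or any proxy's own code), here is a Python request gate that a filtering front end could apply before a request reaches the application: paths are accepted only if they match an allowlist (the role of the rewrite rules), parameters are accepted only if their names are known and their values match a per-parameter pattern, the tags Brad names are rejected outright even after percent-decoding, and the result is the HTTP status to answer with. The path list, parameter patterns, and function names are constructed assumptions for a hypothetical site.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed path allowlist, standing in for proxy rewrite rules: a request
# whose path matches none of these is never forwarded to the application.
ALLOWED_PATHS = [
    re.compile(r"^/$"),
    re.compile(r"^/products/[a-z0-9-]+/?$"),
    re.compile(r"^/contact/?$"),
]

# Constructed per-parameter allowlist: unknown names or non-matching values
# fail validation. Patterns are deliberately narrow.
ALLOWED_PARAMS = {
    "page": re.compile(r"^[0-9]{1,4}$"),
    "q": re.compile(r"^[A-Za-z0-9 ]{1,64}$"),
}

# The tags Brad lists (plus iframe); matched case-insensitively on both the
# raw and the decoded value so a percent-encoded tag is caught too.
TAG_DENY = re.compile(r"<\s*/?\s*(script|embed|object|form|iframe)\b", re.I)


def _bad_param(name, value):
    """True if a single name/value pair should be rejected."""
    pattern = ALLOWED_PARAMS.get(name)
    if pattern is None:
        return True  # parameter not expected anywhere on the site
    decoded = unquote(value)  # second decode catches double-encoding
    if TAG_DENY.search(value) or TAG_DENY.search(decoded):
        return True
    return not pattern.fullmatch(decoded)


def gate(method, request_uri, form=None):
    """Return the HTTP status the filter should answer with:
    200 to forward the request, 403 for a path outside the allowlist,
    400 for any parameter that fails validation, 405 for other methods.
    `form` is the already-parsed POST body as a dict (constructed input)."""
    if method not in ("GET", "POST"):
        return 405
    parts = urlsplit(request_uri)
    if not any(p.match(unquote(parts.path)) for p in ALLOWED_PATHS):
        return 403
    # parse_qsl already percent-decodes once and turns '+' into a space.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += list((form or {}).items())
    if any(_bad_param(name, value) for name, value in params):
        return 400
    return 200


if __name__ == "__main__":
    # Constructed requests, including the scanner URL from the report.
    for req in [("GET", "/logs?><script>alert('XSS');</script>", None),
                ("GET", "/products/red-bag?page=2", None),
                ("GET", "/products/red-bag?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E", None),
                ("POST", "/contact", {"q": "hello world"}),
                ("POST", "/contact", {"comment": "hi"})]:
        print(req[0], req[1], "->", gate(*req))
```

The scanner's `/logs?...` request never reaches the parameter checks: `/logs` is not an allowlisted path, so the gate answers 403 regardless of the query string. Rejecting on an allowlist of paths and parameter shapes, rather than only on a list of known-bad tags, is what stops variants the tag list does not anticipate; the tag check is kept as a second layer for parameters whose patterns are necessarily broad.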
_______________________________________________
Active4D-dev mailing list
[email protected]
http://mailman.aparajitaworld.com/mailman/listinfo/active4d-dev
Archives: http://mailman.aparajitaworld.com/archive/active4d-dev/