Hi Richard - We expose the CMS externally via a domain anyone can access, so that consultants and chapter users can access it. 9/10ths of the people using the CMS are not on our network. Most, however, are connected to Active Directory to log in with their network name/pass. But they are logging in from an *externally* exposed interface (not from inside our network and not on our VPN). This is because 9/10ths of our user base are chapter offices in various places across the U.S., all with their own network systems, their own ISPs, etc. I agree that in a perfect world the CMS would only be exposed to internal users within our own network and therefore less of a worry, but that would not work for us, unfortunately. Any ideas on how I could lock down the XSS vulnerability?
Thanks in Advance,
Kelly

On Monday, September 17, 2012 9:34:30 AM UTC-5, Kelly Burns wrote:
> Hi guys - I am sure somebody has run into this before, but I am at a complete "dead end" here and need to resolve it before our upcoming IT Audit. :(
>
> Our IT Audit firm found our Web Site Management Server 10.1 SP2 (with SQL 2008 db) poses a "significant security risk", in that it allows cross site scripting (aka "XSS") to occur in the classic ASP portions of the app. Obviously I need to correct this before our *next* audit (next month).
>
> Last September, when the audit found this info, I submitted this as a ticket for resolution to OpenText Support. They said they would forward the issue to development for analysis (this was a year ago). I realized I'd not heard back from them on this issue & checked back on it this week. The response was:
>
> *"This ticket was linked to a BUG ID: WSGMS-8216 currently there is no resolution or much analysis on the issue, but it is now tracked by OpenText and you can always use the aforementioned ID to track its status."*
>
> I searched all over OpenText KB for the bug, but it is not even listed anyplace that I could find. I was hoping that surely *somebody* has had the same issue and posted a workaround *somewhere* by now. :-( Well, if it exists, I still haven't found it!
>
> Has anyone else dealt with this?? If so, what, if anything, did you do to secure RedDot properly?
>
> Thanks in Advance!
> Kelly
