Hi again Jian - The boss said to let it slide; he'd rather fix it with a patch update. So I'll keep my eyes on this board for whenever an update comes through that corrects the XSS issue (hopefully soon tho!)
Thanks again!
Kelly

Kelly Burns
Associate Director Web Applications / IT Dept.
Alzheimer's Association
T: (312) 335-5209
F: (888) 869-1439
E: [email protected]

On Mon, Sep 17, 2012 at 12:55 PM, Jian Huang <[email protected]> wrote:

> Hi Kelly,
>
> Most parts of Management would first validate the current user session
> before allowing additional functions. However, there might be areas that
> do not verify that.
>
> There is something a system administrator can do in IIS by only granting
> access to a certain page should the request come from localhost (127.0.0.1),
> which is initiated from an asp page that verifies the login session.
>
> http://support.microsoft.com/kb/324066
>
> For example:
>
> addfile.asp calls uploadfile.asp
>
> uploadfile.asp is vulnerable to XSS should the correct parameter be
> provided.
>
> Lock down uploadfile.asp via IIS by only granting it access should the
> request come from 127.0.0.1.
>
> Since addfile.asp validates the user session, the user would have to be
> able to log in in order to use the functionality.
>
> Besides, it takes 7 to 8 specifically named parameters to correctly invoke
> any .asp page in CMS.
>
> -Jian
>
>
> On Monday, September 17, 2012 12:05:03 PM UTC-4, Kelly Burns wrote:
>>
>> Hi Richard - I'm replying back via email to explain. Thanks, Kelly
>>
>>
>> On Monday, September 17, 2012 9:34:30 AM UTC-5, Kelly Burns wrote:
>>>
>>> Hi guys - I am sure somebody has run into this before; but I am at a
>>> complete "dead end" here and need to resolve before our upcoming IT Audit.
>>> :(
>>>
>>> Our IT Audit firm found our Web Site Management Server 10.1 SP2 (with
>>> SQL 2008 db) poses a "significant security risk", in that it allows cross
>>> site scripting (aka "XSS") to occur in the classic ASP portions of the app.
>>> Obviously I need to correct this before our *next* audit (next month).
>>>
>>> Last September, when the audit found this info, I submitted this as a
>>> ticket for resolution to OpenText Support. They said they would forward the
>>> issue to development for analysis (this was a year ago). I realized I'd
>>> not heard back from them on this issue & checked back on it this week. The
>>> response was:
>>>
>>> *"This ticket was linked to a BUG ID: WSGMS-8216 currently there is no
>>> resolution or much analysis on the issue, but it is now tracked by OpenText
>>> and you can always use the aforementioned ID to track its status."*
>>>
>>> I searched all over OpenText KB for the bug, but it is not even listed
>>> anyplace that I could find. I was hoping that surely *somebody* has had
>>> the same issue and posted a workaround *somewhere* by now. :-( Well if
>>> it exists, I still haven't found it!
>>>
>>> Has anyone else dealt with this?? If so, what, if anything, did you do to
>>> secure RedDot properly?
>>>
>>> Thanks in Advance!
>>> Kelly
>>>
>>>
>>> --
> You received this message because you are subscribed to the Google Groups
> "RedDot CMS Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/reddot-cms-users/-/yQ34iuPHUtoJ.
>
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/reddot-cms-users?hl=en.
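
The localhost-only lock-down suggested in the thread, written out as an added example that is not part of the original messages and not OpenText's configuration. It assumes IIS 7 or later with the "IP and Domain Restrictions" role service installed (the linked KB article describes the equivalent settings in the IIS Manager GUI); the site name and folder in the `location` path are placeholders.

```xml
<!-- applicationHost.config fragment. Added illustration: the site name and
     folder in the location path are placeholders, not paths from the thread.
     The ipSecurity section is locked at server level by default, which is why
     this goes in applicationHost.config rather than in a web.config. -->
<configuration>

  <!-- Before: no per-file restriction. uploadfile.asp answers any client
       address and relies only on whatever checks the page itself performs. -->

  <!-- After: uploadfile.asp is served only to requests that originate on the
       server itself. Every other client address is rejected by IIS before
       the ASP code runs. -->
  <location path="Default Web Site/PATH-TO-CMS/uploadfile.asp">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": deny every address that has no
             explicit allow entry below. -->
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- addfile.asp gets no ipSecurity entry: it stays reachable from browsers
       and is the page that validates the login session. -->

</configuration>
```

With this in place a request for uploadfile.asp from any other address gets an HTTP 403 from IIS. The restriction therefore only fits pages that are reached by a server-side request from the same machine; a page that the browser loads directly would be blocked for every user.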
