Cross-Site Request Forgery vulnerability in load.ashx?

Last post 08-14-2015, 1:17 PM by Adam. 6 replies.
  •  08-05-2015, 10:41 PM 80565

    Cross-Site Request Forgery vulnerability in load.ashx?

    We've recently had our website scanned for security vulnerabilities by an external vendor - though they came back with all kinds of things, one of them was a Cross-Site Request Forgery that they tied back to CuteSoft_Client/CuteEditor/Load.ashx. Effectively, they were saying that this page could be leveraged to call and execute arbitrary code from a remote site, as it generated the same response for them whether they called it legitimately, or whether they called it via a fictitious manually-formed request that included a different referrer in the header. Essentially, their claim is that it doesn't validate the caller or referrer before it loads the requested code.

     

    I did some (albeit brief) testing, and it seems like this page will only load code from a certain folder under the application, but is there a concern with the potential risk here? Or is this a false positive they're returning? This isn't an area where I'm super-knowledgeable, but it doesn't seem like the referrer would impact what should be executed. If anything, it seems like I could put malicious code on my side and force other sites to execute it remotely (by calling my code from their site via the CSRF), but it wouldn't pose additional threats to users of my site.

     

    I appreciate the group's confirmation (or negation) of this potential threat, as I'd like to respond to the line item appropriately.

     

    Thanks! 
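The finding above turns on two separate server-side checks: whether the handler confines the requested name to its intended folder, and whether it compares the caller's Origin/Referer against its own origin. The scanner's observation (identical responses for a legitimate and a foreign Referer) only speaks to the second. The following is an added example written for this thread, not CuteSoft's code and not taken from Load.ashx; the folder layout, the query parameter, the `handle_load` logic and the sample requests are all assumptions for illustration.

```python
"""Added example, not CuteSoft's code: path containment plus an
Origin/Referer comparison for a handler that serves script files by name.
Folder layout, parameter semantics and sample requests are assumed."""
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit
import tempfile


def resolve_under(base_dir: Path, requested: str) -> Optional[Path]:
    """Map a client-supplied name onto a file inside base_dir.

    Returns the resolved path, or None when the name is absolute,
    drive-qualified, escapes base_dir via '..' (plain, URL-encoded or
    backslash-separated), or names something that is not a regular file.
    This is the check that actually limits what the handler can read.
    """
    base = base_dir.resolve()
    name = unquote(requested).replace("\\", "/")  # IIS accepts both separators
    if name.startswith("/") or ":" in name:       # absolute path, drive letter, ADS
        return None
    candidate = (base / name).resolve()           # collapses '..' segments
    try:
        candidate.relative_to(base)               # raises if outside base
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def same_origin(headers: Dict[str, str], site_origin: str) -> bool:
    """Secondary check: accept only if Origin (or, failing that, the origin
    part of Referer) equals our own origin. A request carrying neither is
    rejected. A scanner that sees identical responses for a local and a
    foreign Referer is reporting that no comparison like this takes place."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None and "referer" in h:
        parts = urlsplit(h["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin is not None and origin.lower() == site_origin.lower()


def handle_load(base_dir: Path, query_name: str,
                headers: Dict[str, str], site_origin: str) -> Tuple[int, bytes]:
    """Assumed handler logic: (HTTP status, body)."""
    if not same_origin(headers, site_origin):
        return 403, b""
    target = resolve_under(base_dir, query_name)
    if target is None:
        return 404, b""
    return 200, target.read_bytes()


def demo() -> Dict[str, int]:
    """Exercise both checks against a constructed folder; returns statuses."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        scripts = root / "CuteSoft_Client" / "CuteEditor" / "Scripts"  # assumed layout
        scripts.mkdir(parents=True)
        (scripts / "Editor.js").write_bytes(b"// constructed sample script")
        (root / "web.config").write_bytes(b"<configuration/>")  # must stay unreachable
        site = "https://app.example"
        local = {"Referer": "https://app.example/editor.aspx"}
        foreign = {"Referer": "https://evil.example/"}
        return {
            "legit": handle_load(scripts, "Editor.js", local, site)[0],
            "foreign_referer": handle_load(scripts, "Editor.js", foreign, site)[0],
            "no_headers": handle_load(scripts, "Editor.js", {}, site)[0],
            "traversal": handle_load(scripts, "../../../web.config", local, site)[0],
            "encoded_traversal": handle_load(scripts, "..%2F..%2F..%2Fweb.config", local, site)[0],
            "backslash_traversal": handle_load(scripts, "..\\..\\..\\web.config", local, site)[0],
        }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

Running `demo()` shows the two checks failing independently: the foreign and header-less requests are refused by the origin comparison, while every traversal variant is refused by `resolve_under` even though its Referer is acceptable. A Referer comparison alone would pass the traversal cases, which is why it is the weaker of the two controls.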

  •  08-10-2015, 10:22 AM 80585 in reply to 80565

    Re: Cross-Site Request Forgery vulnerability in load.ashx?

    Hi rwmnau,

     

    This issue has been reported to the development team; they are investigating it.

     

    regards,

     

    Ken 

  •  08-10-2015, 9:29 PM 80604 in reply to 80565

    Re: Cross-Site Request Forgery vulnerability in load.ashx?

    rwmnau:

    We've recently had our website scanned for security vulnerabilities by an external vendor - though they came back with all kinds of things, one of them was a Cross-Site Request Forgery that they tied back to CuteSoft_Client/CuteEditor/Load.ashx. Effectively, they were saying that this page could be leveraged to call and execute arbitrary code from a remote site, as it generated the same response for them whether they called it legitimately, or whether they called it via a fictitious manually-formed request that included a different referrer in the header. Essentially, their claim is that it doesn't validate the caller or referrer before it loads the requested code.

     

    I did some (albeit brief) testing, and it seems like this page will only load code from a certain folder under the application, but is there a concern with the potential risk here? Or is this a false positive they're returning? This isn't an area where I'm super-knowledgeable, but it doesn't seem like the referrer would impact what should be executed. If anything, it seems like I could put malicious code on my side and force other sites to execute it remotely (by calling my code from their site via the CSRF), but it wouldn't pose additional threats to users of my site.

     

    I appreciate the group's confirmation (or negation) of this potential threat, as I'd like to respond to the line item appropriately.

     

    Thanks! 

     

    We have investigated this issue and uploaded a new build.  Please download it and try again.

     

    Keep me posted. 


    asp.net Chat http://cutesoft.net/ASP.NET+Chat/default.aspx
    Web Messenger: http://cutesoft.net/Web-Messenger/default.aspx
    asp.net wysiwyg editor: http://cutesoft.net/ASP.NET+WYSIWYG+Editor/default.aspx
    asp wysiwyg html editor: http://cutesoft.net/ASP
    asp.net Image Gallery: http://cutesoft.net/ASP.NET+Image+Gallery/default.aspx
    Live Support: http://cutesoft.net/live-support/default.aspx

  •  08-11-2015, 9:46 AM 80607 in reply to 80604

    Re: Cross-Site Request Forgery vulnerability in load.ashx?

    Wow - I really appreciate the quick attention and turn-around!

     

    I'll grab this new build and see if it resolves our issue - Thanks! 

  •  08-14-2015, 9:50 AM 80614 in reply to 80607

    Re: Cross-Site Request Forgery vulnerability in load.ashx?

    Is this build something we have access to, or is it still being tested? The last version of CuteEditor I can see on the website was posted on 2014-04-16, and the last update of anything (a chat client for Sharepoint) was in June. I'd love to test this build and see if it resolves our issue - thanks for your quick response on correcting it!
  •  08-14-2015, 1:17 PM 80615 in reply to 80614

    Re: Cross-Site Request Forgery vulnerability in load.ashx?

    Yes. Please download it from

     

    http://cutesoft.net/downloads/folders/cute_editor_current_releases/entry21904.aspx  



