Cross-site Scripting (XSS) vulnerability in AjaxUploader

Last post 02-12-2009, 8:55 PM by cutechat. 9 replies.
  •  02-09-2009, 12:22 PM 48513

    Cross-site Scripting (XSS) vulnerability in AjaxUploader

    Our enterprise security scanner reported a cross-site scripting vulnerability for the AjaxUploader.  What it was able to do was modify the UploadOK() handler script to include a textarea and more scripting:
     
    <script type='text/javascript'>if(window.parent.CurrentUpload)window.parent.CurrentUpload.UploadOK('""'></SCRIPT></TITLE></TEXTAREA>'""></XSS/*-*/STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert(2431)})>','95c88ae3-3f1a-447e-af75-71f8c9c8cb46')</script>
     
    Could you tell me how I could address this vulnerability?  I have Microsoft's AntiXss library, which includes a JavaScriptEncode() method which can be called on the server side, but I don't know how to access the script in question.
     
    thanks,
     
    Pete
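    The scanner's finding above comes down to one thing: the value the server echoes into the first argument of UploadOK('...') is placed inside a JavaScript string literal, so a single quote or a "</script>" sequence in that value ends the literal (or the whole script block) and the rest of the payload is parsed as markup and code. The fix is to encode the value for a JavaScript string context before emitting it, which is exactly what AntiXss JavaScriptEncode() is for. The block below is an added example, not AjaxUploader's code and not the AntiXss library: it implements an equivalent encoder in plain JavaScript (run under Node for demonstration) and rebuilds the callback script with the scanner's own payload from this thread to show that it stays a harmless string. The function names, the safe-character set, and the upload id are assumptions made for the example.

```javascript
// Added example, not part of AjaxUploader or Microsoft AntiXss.
// Shows how the server-generated UploadOK() callback script should encode
// a reflected value so it cannot break out of the JavaScript string literal.

// Encode a value for use inside a quoted JavaScript string literal that is
// itself embedded in an HTML <script> block. Everything outside a small
// safe set (assumption: alphanumerics, space, '.', '_', '-') becomes \uXXXX,
// so quotes, backslashes, '<' and '/' can never appear literally. This is
// the same idea as AntiXss JavaScriptEncode(), re-implemented here.
function jsStringEncode(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (/^[A-Za-z0-9 ._-]$/.test(ch)) {
      out += ch;
    } else {
      // \uXXXX works for every UTF-16 code unit, surrogate halves included,
      // so astral characters round-trip correctly as well.
      out += '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
    }
  }
  return out;
}

// Decode an encoded literal back to the original string (used to verify the
// round trip). The encoder only emits safe characters and \uXXXX escapes,
// both of which JSON.parse understands inside a double-quoted string.
function decodeLiteral(encoded) {
  return JSON.parse('"' + encoded + '"');
}

// Build the callback script the way the upload handler page would, with both
// arguments passed through the encoder. The surrounding markup matches the
// script quoted in the first post.
function buildUploadOkScript(fileName, uploadId) {
  return "<script type='text/javascript'>" +
    "if(window.parent.CurrentUpload)window.parent.CurrentUpload.UploadOK('" +
    jsStringEncode(fileName) + "','" + jsStringEncode(uploadId) + "')" +
    '</script>';
}

// The reflected value the scanner injected (copied from the first post).
const SCANNER_PAYLOAD = `'""'></SCRIPT></TITLE></TEXTAREA>'""></XSS/*-*/STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert(2431)})>`;

// Constructed placeholder for the upload id (the real control uses a GUID).
const UPLOAD_ID = '00000000-0000-0000-0000-000000000000';

// Sanity checks a reviewer can run: the encoded value round-trips, the emitted
// script contains exactly the six quotes of the template, and the only "</"
// in it is the closing </script> tag.
function encodedScriptIsIntact(script) {
  const quoteCount = (script.match(/'/g) || []).length;
  return quoteCount === 6 && script.indexOf('</') === script.lastIndexOf('</script>');
}

const script = buildUploadOkScript(SCANNER_PAYLOAD, UPLOAD_ID);
console.log(script);
console.log('round trip ok:', decodeLiteral(jsStringEncode(SCANNER_PAYLOAD)) === SCANNER_PAYLOAD);
console.log('script intact:', encodedScriptIsIntact(script));
```

    Encoding the value does not change what UploadOK() receives: once the browser parses the literal, the callback still gets the original string, so the client-side handler works unchanged. What changes is that the string can no longer terminate the literal, the script element, or any enclosing textarea or title, which is the break-out the scanner exercised. Validating on the server (rejecting values that contain quotes or angle brackets, as Pete suggests) is a reasonable belt-and-braces measure, but the encoder is the fix that holds for every value.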
  •  02-09-2009, 2:05 PM 48524 in reply to 48513

    Re: Cross-site Scripting (XSS) vulnerability in AjaxUploader

    Hi,
     
    I don't think that is a vulnerability while the URL is generated by the uploader and the script code is generated from the same website.
     
    Regards,
    Terry
  •  02-09-2009, 6:30 PM 48544 in reply to 48524

    Re: Cross-site Scripting (XSS) vulnerability in AjaxUploader

     
    Unfortunately, our security folks regard it as a vulnerability and won't let me use the AJAXUploader unless the problem is addressed - is there a way for me to examine that script on the server side?  That would allow me to scan for objectionable characters and throw an exception, or at least strip them out.
     
    thanks,
     
    Pete
  •  02-09-2009, 10:55 PM 48556 in reply to 48544

    Re: Cross-site Scripting (XSS) vulnerability in AjaxUploader

    Pete,
     
    OK.
     
    We can verify the URL and let the uploader pass your XSS validation, on the next upgrade, about two days later.
     
    Regards,
    Terry
  •  02-10-2009, 12:22 PM 48579 in reply to 48556

    Re: Cross-site Scripting (XSS) vulnerability in AjaxUploader

     
    thanks, Terry.  Will you send me an email to let me know, or do I need to check back here in 2 days?
     
    regards,
     
    Pete
  •  02-10-2009, 1:00 PM 48584 in reply to 48579

    Re: Cross-site Scripting (XSS) vulnerability in AjaxUploader

    Pete
     
    When we update the control, I will reply to this thread.
     
    Regards,
    Terry
  •  02-11-2009, 10:39 PM 48652 in reply to 48584

    Re: Cross-site Scripting (XSS) vulnerability in AjaxUploader

    Hi,
     
    Please download the control again.
     
    Regards,
    Terry
  •  02-12-2009, 9:07 AM 48666 in reply to 48652

    Re: Cross-site Scripting (XSS) vulnerability in AjaxUploader

    Terry,
     
    the only AjaxUploader download I found was updated 02-03-2009 - is that it?  Seems like that date is before I pointed out the problem.
     
    thanks,
     
    Pete
  •  02-12-2009, 9:12 AM 48667 in reply to 48584

    Re: Cross-site Scripting (XSS) vulnerability in AjaxUploader

     
    Terry,
     
    is there a way I can be notified via email when there's activity on this thread?  I tried toggling the "EnableSubscription" button, but I'm not getting any notifications.
     
    thanks,
     
    Pete
  •  02-12-2009, 8:55 PM 48728 in reply to 48667

    Re: Cross-site Scripting (XSS) vulnerability in AjaxUploader

    Pete,
     
    Please download it again.
     
    the assembly title should be 20090212
     
    --
    by the way I haven't used the email notify function of this forum yet.
     
    Regards,
    Terry