Re: Cross-Site Request Forgery vulnerability in load.ashx?

  •  08-10-2015, 9:29 PM

    rwmnau:

    We've recently had our website scanned for security vulnerabilities by an external vendor - though they came back with all kinds of things, one of them was a Cross-Site Request Forgery that they tied back to CuteSoft_Client/CuteEditor/Load.ashx. Effectively, they were saying that this page could be leveraged to call and execute arbitrary code from a remote site, as it generated the same response for them whether they called it legitimately, or whether they called it via a fictitious manually-formed request that included a different referrer in the header. Essentially, their claim is that it doesn't validate the caller or referrer before it loads the requested code.

    I did some (albeit brief) testing, and it seems like this page will only load code from a certain folder under the application, but is there a concern with the potential risk here? Or is this a false positive they're returning? This isn't an area where I'm super-knowledgeable, but it doesn't seem like the referrer would impact what should be executed. If anything, it seems like I could put malicious code on my side and force other sites to execute it remotely (by calling my code from their site via the CSRF), but it wouldn't pose additional threats to users of my site.

    I appreciate the group's confirmation (or negation) of this potential threat, as I'd like to respond to the line item appropriately.

    Thanks! 

    We have investigated this issue and uploaded a new build.  Please download it and try again.

    Keep me posted. 


    asp.net Chat http://cutesoft.net/ASP.NET+Chat/default.aspx
    Web Messenger: http://cutesoft.net/Web-Messenger/default.aspx
    asp.net wysiwyg editor: http://cutesoft.net/ASP.NET+WYSIWYG+Editor/default.aspx
    asp wysiwyg html editor: http://cutesoft.net/ASP
    asp.net Image Gallery: http://cutesoft.net/ASP.NET+Image+Gallery/default.aspx
    Live Support: http://cutesoft.net/live-support/default.aspx
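As an added illustration of the two checks the question above turns on, here is a minimal ASP.NET handler that serves files only from one folder under the application and only to callers whose Origin or Referer header names this site. This is example code, not CuteEditor's Load.ashx and not the change shipped in the vendor's new build; the folder name `CuteSoft_Client/CuteEditor/Scripts` and the `file` query parameter are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not CuteEditor's code: serve files only from one folder under
// the application, and only to callers whose Origin/Referer names this site.
public class SafeLoadHandler : IHttpHandler
{
    // Assumed folder name; use the folder the real handler is meant to serve.
    private const string AllowedFolder = "CuteSoft_Client/CuteEditor/Scripts";
    public bool IsReusable { get { return true; } }

    // Prefer Origin, fall back to Referer. Browsers may omit both (privacy
    // settings, proxies), so a missing header is treated as unproven and refused.
    public static bool IsSameOrigin(string origin, string referer, string expectedAuthority)
    {
        string candidate = !string.IsNullOrEmpty(origin) ? origin : referer;
        Uri uri;
        if (string.IsNullOrEmpty(candidate) || !Uri.TryCreate(candidate, UriKind.Absolute, out uri))
            return false;
        return string.Equals(uri.Authority, expectedAuthority, StringComparison.OrdinalIgnoreCase);
    }

    // Normalise the requested name and confirm it still sits inside the allowed
    // folder; this rejects "..", absolute paths and anything that is not a .js file.
    public static string ResolveWithinFolder(string appRoot, string requestedName)
    {
        try
        {
            string folder = Path.GetFullPath(Path.Combine(appRoot, AllowedFolder))
                .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(Path.Combine(folder, requestedName ?? string.Empty));
            if (!full.StartsWith(folder, StringComparison.OrdinalIgnoreCase)) return null;
            if (!string.Equals(Path.GetExtension(full), ".js", StringComparison.OrdinalIgnoreCase)) return null;
            return File.Exists(full) ? full : null;
        }
        catch (ArgumentException) { return null; }     // illegal path characters
        catch (NotSupportedException) { return null; } // e.g. stray drive-letter colon
    }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest req = context.Request;
        if (!IsSameOrigin(req.Headers["Origin"], req.Headers["Referer"], req.Url.Authority))
        { context.Response.StatusCode = 403; return; }
        // "file" is an assumed parameter name, not the real handler's.
        string path = ResolveWithinFolder(req.PhysicalApplicationPath, req.QueryString["file"]);
        if (path == null) { context.Response.StatusCode = 404; return; }
        context.Response.ContentType = "application/javascript";
        context.Response.TransmitFile(path);
    }
}
```

The folder check is what limits the impact the question describes (the handler cannot be pointed at a file outside that folder), while the Origin/Referer check addresses the scanner's line item about the caller not being validated.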
