Cross site scripting alert in Tag.aspx

Last post 10-31-2013, 1:07 PM by Kenneth. 1 replies.
  •  10-31-2013, 7:02 AM 78237

    Cross site scripting alert in Tag.aspx

    We have integrated the cute editor for .net with our application.

    Recently we ran a security scan using the Acunetix tool and found the following alert in the report. The tool reports cross-site scripting in the ../cuteeditor/dialogs/tag.aspx file.

    Could you please advise how to avoid this security issue?

    The report from the tool

    Affected items:

    /cutesoft_client/cuteeditor/dialogs/tag.aspx  

    Details:

    URL encoded GET input Theme was set to Office2003_BlueTheme' onmouseover=prompt(919401) bad='  The input is reflected inside a tag parameter between single quotes.  

    Request headers:

    (line truncated)  ...S5DdXRlRWRpdG9yUHJvdmlkZXJzLkN1c3RvbWVyRGF0YUZpbGVTdG9yYWdlLCBDdXRlRWRpdG9yUHJvdmlkZX  JzLCBWZXJzaW9uPTkuMi4wLjEyNDA4LCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPW51bGwvRTpcS0  JEYXRhXGtub3dsZWRnZWJhc2VccHVibGljZmlsZXNcMTJcV2ViZmlsZXMPL3BmLzEyL1dlYkZpbGVzDy9wZi8xMi  9XZWJGaWxlcw8vcGYvMTIvV2ViRmlsZXMPL3BmLzEyL1dlYkZpbGVzDy9wZi8xMi9XZWJGaWxlcw8vcGYvMTIvV2  ViRmlsZXMr2EE!1aMzy4MQMr8PMdrNbxAuMGfEHw4r1icMVlJO9hg!2!2&Tab=Style&Tag=A&Theme=Office20  03_BlueTheme'%20onmouseover%3dprompt(919401)%20bad%3d' HTTP/1.1
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
    Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
    Accept: */*
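The report says the Theme value is reflected inside a single-quoted attribute. As an added illustration (not CuteEditor's own code), the C# below shows why the scanner's payload breaks out of such an attribute and how an allow-list plus attribute encoding neutralises it; the attribute the value lands in and the allow-list contents are assumptions.

```csharp
// Added illustration, not code from CuteEditor: a query parameter reflected
// inside a single-quoted attribute, and two defender-side fixes.
using System;
using System.Collections.Generic;

public static class ThemeAttributeDemo
{
    // Hypothetical allow-list of deployed theme names. Office2003_BlueTheme is
    // the legitimate value seen in the scan report; "Default" is a placeholder.
    static readonly HashSet<string> KnownThemes =
        new HashSet<string>(StringComparer.Ordinal) { "Office2003_BlueTheme", "Default" };

    // Vulnerable pattern: the raw query value is spliced into a single-quoted
    // attribute (the attribute name here is assumed, the report does not say).
    public static string RenderUnsafe(string theme)
    {
        return "<body class='" + theme + "'>";
    }

    // Attribute encoding that escapes every character able to close a single-
    // or double-quoted attribute. Written out explicitly because
    // HttpUtility.HtmlAttributeEncode did not escape the single quote before .NET 4.0.
    public static string EncodeAttr(string s)
    {
        if (s == null) return string.Empty;
        return s.Replace("&", "&amp;").Replace("<", "&lt;").Replace(">", "&gt;")
                .Replace("\"", "&quot;").Replace("'", "&#39;");
    }

    // Hardened pattern: anything not on the allow-list falls back to the default
    // theme, and the chosen value is still encoded (defence in depth, so the
    // encoding holds even if the allow-list is loosened later).
    public static string RenderSafe(string theme)
    {
        string chosen = KnownThemes.Contains(theme ?? string.Empty) ? theme : "Office2003_BlueTheme";
        return "<body class='" + EncodeAttr(chosen) + "'>";
    }

    public static void Main()
    {
        // Constructed test input: the scanner's payload quoted in the report above.
        string payload = "Office2003_BlueTheme' onmouseover=prompt(919401) bad='";
        // Unsafe rendering: the quote closes the attribute and a new event-handler
        // attribute is created in the markup.
        Console.WriteLine(RenderUnsafe(payload));
        // Safe rendering: the payload is not on the allow-list, so it is dropped.
        Console.WriteLine(RenderSafe(payload));
        // A legitimate theme name passes through unchanged.
        Console.WriteLine(RenderSafe("Office2003_BlueTheme"));
    }
}
```

After patching, re-run the scanner against the same URL and confirm no `'` from the Theme parameter survives unencoded in the response.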

       
  •  10-31-2013, 1:07 PM 78251 in reply to 78237

    Re: Cross site scripting alert in Tag.aspx

    Hi Moxiesoft,

    Can you download the latest build and test the demo package as a separate site about this issue? The cross link issue should be an old bug; we have fixed it in the new build. If the latest build works for you, then please use it for your own site too.

    Latest build download url: http://cutesoft.net/downloads/folders/21904/download.aspx

    Regards,

    Ken
