Select the search type
  • Site
  • Web
Search
You are here:  Support/Forums
Support

Bring2mind Forums

XSS Vulnerability
Last Post 03/05/2019 1:54 PM by Peter Donker. 1 Replies.
Sort:
PrevPrev NextNext
You are not authorized to post a reply.
Author Messages
Mark Darty
New Member
New Member
Posts:3


--
05/17/2017 2:47 PM
Hello,

The security audit returned by our scanning software (Acunetix) recently reported this error related to DMX version 6.1.15:

URL encoded POST input Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param was set to Phrase'"()&%<ScRiPt >ODol(9792) <br /> </ScRiPt> <br /> <br /> Details (sensitive information replaced with "withheld"): <br /> <br /> POST /Default.aspx?TabID=151 HTTP/1.1 <br /> Content-Length: 1640 <br /> Content-Type: application/x-www-form-urlencoded <br /> Referer: https://withheld/ <br /> Cookie: <br /> .ASPXANONYMOUS=withheld language=en-US; __RequestVerificationToken=withheld <br /> ASP.NET_SessionId=withheld USERNAME_CHANGED= <br /> Host: withheld <br /> Connection: Keep-alive <br /> Accept-Encoding: gzip,deflate <br /> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0; Acunetix) like Gecko <br /> Acunetix-Product: WVS/11.0 (Acunetix - WVSE) <br /> Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED <br /> Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm <br /> Accept: */* <br /> Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=Phrase'"()%26%25<acx><ScRiPt%20>ODol(9792) <br /> </ScRiPt>&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=e&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_Comm <br /> andCallBack_Callback_Param=Att_SyncFolder&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=e&Cart_dnn_c <br /> tr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=true&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callb <br /> ack_Param=all&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=-2&Cart_dnn_ctr574_Dispatch_ajaxtwopanel <br /> _CommandCallBack_Callback_Param=false&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=true&Cart_dnn_ct <br /> r574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=AND&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callbac <br /> k_Param=Phrase&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=e&Cart_dnn_ctr574_Dispatch_ajaxtwopanel <br /> _CommandCallBack_Callback_Param=true&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=Phrase&Cart_dnn_c <br /> tr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=RegularSearch&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallB <br /> ack_Callback_Param=Att_SyncFolder&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=true&Cart_dnn_ctr574 <br /> _Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=Att_SyncFolder&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_ <br /> Callback_Param=e&Cart_dnn_ctr574_Dispatch_ajaxtwopanel_CommandCallBack_Callback_Param=Att_SyncFolder&Cart_dnn_ctr574_Dispat <br /> ch_ajaxtwopanel_CommandCallBack_Callback_Param=Phrase <br /> <br /> <br /> <br /> When we tested this finding in a test POST, this is what was returned: <br /> <br /> <CallbackContent><![CDATA[<script type="text/javascript">cbresult = {"result": {"isinerror": "false", "showpopup": "false", "message": "", "content": "", "command": "Phrase'"()&%<acx><ScRiPt >ODol(9792)</ScRiPt>", "argslist": "e"}};</script>]]></CallbackContent> <br /> <br /> Content like this should be escaped. <br /> <br /> If this has been fixed in version .16 or .17, please disregard, as we are upgrading to .17 <br /> <br /> DNN Version: 9.1.0 <br /> <br /> Thanks
Peter Donker
Veteran Member
Veteran Member
Posts:4530


--
03/05/2019 1:54 PM
This should have been addressed since that version.
You are not authorized to post a reply.