A number of people have run into issues with PCI compliance due to a security bulletin that was put out on Web Connection some time ago. The issues in the bulletin have since been addressed in recent versions, but I thought I'd take the time to reiterate the importance of making sure that your Web Connection applications are secure.

Let's start by addressing the Security Bulletin issues first.

This cross-site scripting issue has been fixed some time ago. I don't remember the actual version number, but the fix has been in recent versions of Web Connection. If you're running version 5.x you can upgrade to the latest version; for older versions you can manually apply a quick fix for this particular issue.

The issue is that when a request fails while trying to access a page, Web Connection by default returns an error page that looks something like this:

The issue here is that West Wind Web Connection echoes back the query string value it finds, and in earlier versions this value was not properly sanitized. If it is not sanitized, it's possible to embed script into the URL, and that script can execute in the browser.

As mentioned, this has been fixed in current versions, so if you create a new project all's well. This properly encodes the offending input and simply echoes it back.

type of Request: WWDEMO

In the actual HTML the text is HtmlEncoded and looks like this.

However, even if you are running the latest version but you have an existing main application class (i.e. MyAppMain.prg), you may still have this vulnerability in place! It's an easy fix, but you still have to fix it.

Open MyAppMain.prg and find the Process() method. In it, towards the bottom, find the OTHERWISE clause and make sure the call to StandardPage() includes EncodeHtml() for encoding the lcParameter:

    OTHERWISE
        "The server is not setup to handle this type of Request: " + EncodeHtml(lcParameter))

This basically sanitizes the parameter and ensures it is turned into an HTML string rather than embedded as raw HTML text that can contain script.

There are several other places inside of West Wind Web Connection where similar routing errors echo back content, but those locations are internal and have been fixed.
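To check whether a main application .prg still has the unencoded echo described above, the following added example (not part of the original post or of Web Connection) scans FoxPro source for StandardPage() calls that use lcParameter outside of EncodeHtml(). The sample source is constructed: only the message string, lcParameter, OTHERWISE, StandardPage() and EncodeHtml() come from the post; the rest is assumed for illustration.

```python
import re

# Constructed sample modelled on the fragment quoted in the post. The CASE
# branch, the Response receiver and the "Sample title" argument are assumptions.
SAMPLE_PRG = '''\
DO CASE
CASE lcParameter == "WWDEMO"
   DO wwDemo WITH THIS
OTHERWISE
   Response.StandardPage("Sample title",;
      "The server is not setup to handle this type of Request: " + lcParameter)
ENDCASE
'''

STRING = re.compile(r"\"[^\"]*\"|'[^']*'")   # FoxPro string literals
ENCODED = re.compile(r"EncodeHtml\s*\(\s*lcParameter\s*\)", re.I)
RAW_USE = re.compile(r"\blcParameter\b", re.I)


def statements(source):
    """Yield (first_line_no, text) per statement, joining ';' continuations."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("&&", 1)[0].rstrip()   # drop trailing && comment
        if not buf and code.lstrip().startswith("*"):
            continue                               # full-line comment
        start = start or no
        buf.append(code.rstrip(";").strip())
        if not code.endswith(";"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def unencoded_echoes(source):
    """Return (line_no, statement) for StandardPage() calls using lcParameter raw."""
    hits = []
    for no, stmt in statements(source):
        if not re.search(r"StandardPage\s*\(", stmt, re.I):
            continue
        rest = ENCODED.sub("", STRING.sub('""', stmt))
        if RAW_USE.search(rest):
            hits.append((no, stmt))
    return hits


if __name__ == "__main__":
    for no, stmt in unencoded_echoes(SAMPLE_PRG):
        print(f"line {no}: lcParameter echoed without EncodeHtml(): {stmt}")
```

The comment handling is deliberately simple: a `&&` inside a string literal would be treated as the start of a comment, so review any hit or miss on such lines by hand.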