bburnettIowa
Posts: 2
Posted: 07/28/2010, 1:59 PM
yakli pointed out this Cross Site Scripting weakness in CCS on 04/29/2009, 5:27 PM and got no responses. I ran into this same weakness with one of my pages. This warrants some careful review.
--------------------------------------------------------------------------------
I don't know if this is a bug or not.
But I have to say that websites developed with CCS have to be tested for this kind of vulnerability. Especially if you are providing online services for your customers, your website has to be secured by you.
For example, your customers could receive an e-mail containing a link like the one below, and all of your cookie and session info could be seen by unwanted and unauthorized persons who can run off-site JavaScript.
http://forums.yessoftware.com/index.php?"><s...)</script>
bburnettIowa
Posts: 2
Posted: 07/28/2010, 2:08 PM
My fix for a form that fortunately only has one integer parameter (idProject). This code kills requests that have anything more than that one parameter.
On Error Resume Next
Dim intJustID
' Strip the expected "idProject=" prefix from the raw query string; whatever is
' left must be an integer, so extra parameters or injected text make CInt fail.
intJustID = CInt(Replace(Request.ServerVariables("QUERY_STRING"), "idProject=", ""))
If Err.Number <> 0 Then
    Response.Write "ERROR: Invalid Query Parameters"
    Response.End
End If
On Error GoTo 0   ' restore normal error handling for the rest of the page
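A more general version of the same check, as an added example (not bburnettIowa's code and not anything shipped with CodeCharge Studio), written as classic ASP/VBScript for the top of the page; the whitelist dictionary, the digit pattern, the duplicate-parameter rule and the 400 status are my assumptions:

```vbscript
Option Explicit
' Added example, not bburnettIowa's or CodeCharge's code. Generalizes the
' single-parameter check above: every name in the raw query string must be
' on a whitelist and its value must match that name's pattern; an unknown
' name, a bare token, a duplicate, or a non-matching value rejects the request.

' allowed: Scripting.Dictionary mapping parameter name -> regular expression
' the raw (still URL-encoded) value must match. Returns True only when every
' pair is acceptable. A value cannot contain a literal "&" (it would be %26),
' so splitting on "&" is safe.
Function QueryStringIsValid(queryString, allowed)
    Dim pairs, i, eq, name, value, re, seen
    QueryStringIsValid = False
    Set re = New RegExp
    Set seen = CreateObject("Scripting.Dictionary")
    pairs = Split(queryString, "&")
    For i = 0 To UBound(pairs)
        eq = InStr(pairs(i), "=")
        If eq = 0 Then Exit Function             ' "foo" with no "=": reject
        name = Left(pairs(i), eq - 1)
        value = Mid(pairs(i), eq + 1)
        ' Dictionary keys are case-sensitive by default, so "IDPROJECT" is unknown.
        If Not allowed.Exists(name) Then Exit Function
        If seen.Exists(name) Then Exit Function  ' repeated parameter: reject
        seen.Add name, True
        re.Pattern = allowed(name)
        If Not re.Test(value) Then Exit Function
    Next
    QueryStringIsValid = True
End Function

' Page-specific whitelist: this form accepts exactly one integer parameter.
Dim allowed, qs
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.Add "idProject", "^[0-9]{1,9}$"   ' digits only, fits a Long; digits are never
                                          ' percent-encoded, so an encoded payload such
                                          ' as %22%3E fails the match without decoding

qs = Request.ServerVariables("QUERY_STRING")
If Len(qs) = 0 Or Not QueryStringIsValid(qs, allowed) Then
    Response.Status = "400 Bad Request"
    Response.Write "ERROR: Invalid Query Parameters"
    Response.End
End If

Dim intJustID
intJustID = CLng(Request.QueryString("idProject"))  ' safe: validated as 1-9 digits above
' Anything reflected into HTML still goes through Server.HTMLEncode.
Response.Write "Project " & Server.HTMLEncode(Request.QueryString("idProject"))
```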