I am jumping through hoops with our IT folks about the security of webwork.
After 8 years of not having problems managing and using webwork under constant security scanning, they took webwork under their own management (after I installed it for them). Everything looked fine; I even disabled the "Remember Me" button.
But now they switched to a new scanning software after the other hung,
and they say that webwork has "Cross-Site Scripting vulnerability".
Does anybody know about this? IT would like me to comment on it.
What should I say (other than obscenities)?
They used IBM Rational AppScan 8.5.0.1, and the output looks like this:
================
Vulnerable URL: https://webwork..../webwork2/math1342/
Total of 1 security issues in this URL
[1 of 1] Cross-Site Scripting
CWE ID: 80 (child of 79)
Severity: High
Test Type: Application
Vulnerable URL: https://webwork...../webwork2/math1342/
CVE ID(s): N/A
CWE ID(s): 79 (parent of 80,82)
Remediation Tasks: Filter out hazardous characters from user input
Variant 1 of 4 [ID=7212]
The following changes were applied to the original request:
• Removed parameter 'user'
• Removed parameter 'passwd'
• Added parameter '--></script><script>alert(15465)</script>'
8/28/2012 12:36:06 PM 8/16
• Removed HTTP header 'Content-Type'
• Set method to 'ET'
Validation In Response:
• ion/x-www-form-urlencoded" id="login_form">
<input type="hidden" name="" value="" ></script><script>alert(15465)</script> ="" /><br /><br /><label for="uname" id="uname_label">Username: </label><input name="user"
Reasoning:
The test result seems to indicate a vulnerability because Appscan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
==============================
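
Added example (not part of the original post and not WeBWorK's own code): a Python sketch of the pattern the report's "Validation In Response" excerpt points at, where a request parameter is echoed into a hidden `<input>` of the login form. It assumes a form that re-emits unknown request parameters as hidden fields; all function names and the sample parameters are constructed for illustration. The unescaped renderer is the "before" form, the escaped one is the remediation ("filter out hazardous characters"), and `reflects_raw` is the regression check to run after a fix.

```python
import html

# Constructed request parameters mirroring the scanner's variant: the
# injected string arrives as a parameter *name* with an empty value.
PROBE = "--></script><script>alert(15465)</script>"
SAMPLE_PARAMS = {PROBE: "", "lang": "en"}  # "lang" is a made-up benign field


def hidden_fields_unescaped(params):
    """'Before' form: names and values are concatenated into markup as-is."""
    return "".join(
        f'<input type="hidden" name="{name}" value="{value}" />'
        for name, value in params.items()
    )


def hidden_fields_escaped(params):
    """Hardened form: both the name and the value are attribute-escaped."""
    return "".join(
        '<input type="hidden" name="{}" value="{}" />'.format(
            html.escape(name, quote=True), html.escape(value, quote=True)
        )
        for name, value in params.items()
    )


def login_form(params, render):
    """Minimal stand-in for a login page that carries parameters forward."""
    return (
        '<form method="post" id="login_form">'
        + render(params)
        + '<label for="uname">Username: </label><input name="user" /></form>'
    )


def reflects_raw(markup, probe=PROBE):
    """Regression check: True if the probe survives into the page verbatim."""
    return probe in markup


if __name__ == "__main__":
    for render in (hidden_fields_unescaped, hidden_fields_escaped):
        page = login_form(SAMPLE_PARAMS, render)
        print(render.__name__, "reflects probe verbatim:", reflects_raw(page))
```

Escaping the value alone is not enough for this variant, because the scanner placed its string in the parameter name.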