WeBWorK Main Forum

Cross-Site Scripting vulnerability

Cross-Site Scripting vulnerability

by Andras Balogh -
Number of replies: 2
I am jumping through hoops with our IT folks about the security of webwork.
After 8 years of not having problems managing and using webwork under constant security scanning, they took webwork under their own management (after I installed it for them).
Everything looked fine, I even disabled the "Remember Me" button.
But now they switched to a new scanning software after the other hung,
and they say that webwork has "Cross-Site Scripting vulnerability".

Anybody knows about this? IT would like me to comment on it.
What should I say (other than obscenities)?
 
They used IBM Rational AppScan 8.5.0.1, and the output looks like
================
Vulnerable URL: https://webwork..../webwork2/math1342/
Total of 1 security issues in this URL
[1 of 1] Cross-Site Scripting
CWE ID:
80 (child of 79)
Severity:
Test Type: Vulnerable URL: CVE ID(s):
CWE ID(s):
Remediation Tasks:
Variant 1 of 4 [ID=7212]
High
Application
https://webwork...../webwork2/math1342/
N/A
79 (parent of 80,82)
Filter out hazardous characters from user input
The following changes were applied to the original request:
• Removed parameter 'user'
• Removed parameter 'passwd'
• Added parameter '--></script><script>alert(15465)</script>'
8/28/2012 12:36:06 PM 8/16
• Removed HTTP header 'Content-Type' • Set method to 'ET'
Validation In Response:
• ion/x-www-form-urlencoded" id="login_form">
<input type="hidden" name="" value="" ></script><script>alert(15465)</script> ="" /><br /><br /><label for="uname" id="uname_label">Username: </label><input name="user"
Reasoning:
The test result seems to indicate a vulnerability because Appscan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
==============================







In reply to Andras Balogh

Re: Cross-Site Scripting vulnerability

by Jason Aubrey -
Hi Andras,

My IT department did a scan with that exact software I believe a few years ago. At that time, they also uncovered css vulnerabilities which Mike promptly fixed, and my IT people signed off on webwork. (I can provide you with the report.) If you haven't updated in a while, it's possible an update will get those fixes, but it is very possible there are other or new css vulnerabilities.  

My approach was to work closely with them to identify the blockers and they were very happy with how quickly the problems were addressed (thanks to Mike).  My advice would be to ask for as much detail as they are willing to share with you about the vulnerabilities, and then we can start fixing them.  If you can meet us on IRC that would make it easier to discuss specifics.

Jason