UltimateEditorMVC
Topic: Re: Veracode Security issues with UltimateEditor
Karamasoft Support Forums



Posted by scott.korin on 02-05-2016 1:48 PM
Veracode is a platform for scanning web applications for security flags as defined by the Common Weakness Enumeration project. My parent company has informed us that we must scan our software using Veracode. Our applications use the MVC versions of UltimateEditor and UltimateSpell, and Veracode found several "medium" flaws.

CWE 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS):

ultimateeditor.explorer.aspx had this flaw 29 times, all on line 18.

Line 18 shows a bunch of attributes being set in the Body_OnLoad function. None of these values are being encoded to make sure they don't include invalid HTML. I have no idea how these values are being set, so I don't know what to tell my security auditor about these 29 flaws:

<body onload="Body_OnLoad('<%=ultimateEditorID%>','<%=IncludePath%>','<%=FileSourceID%>','<%=FileSizeID%>','<%=AttachmentFileTypesID%>','<%=FlashFileTypesID%>','<%=ImageFileTypesID%>','<%=LinkFileTypesID%>','<%=TemplateFileTypesID%>','<%=WindowsMediaFileTypesID%>','<%=CreateFolderSubDirsID%>','<%=DeleteSubDirsID%>','<%=FileOverwriteSubDirsID%>','<%=UploadSubDirsID%>','<%=ViewSubDirsID%>','<%=ServerExplorerInitialSubDirID%>','<%=hfNewFolderName.ClientID%>','<%=hfDeletePath.ClientID%>','<%=imgPreview.ClientID%>','frmPreview','<%=ibCreateFolder.ClientID%>','<%=fileToUpload.ClientID%>','<%=btnUpload.ClientID%>','<%=hfPageStatus.ClientID%>','<%=PAGE_STATUS_HIDDEN_IS_SET%>','<%=hfAttachmentFileTypes.ClientID%>','<%=hfFlashFileTypes.ClientID%>','<%=hfImageFileTypes.ClientID%>','<%=hfLinkFileTypes.ClientID%>','<%=hfTemplateFileTypes.ClientID%>','<%=hfWindowsMediaFileTypes.ClientID%>','<%=hfCreateFolderSubDirs.ClientID%>','<%=hfDeleteSubDirs.ClientID%>','<%=hfFileOverwriteSubDirs.ClientID%>','<%=hfUploadSubDirs.ClientID%>','<%=hfViewSubDirs.ClientID%>','<%=hfServerExplorerInitialSubDir.ClientID%>','<%=FileType%>','file','fileselect','btndisabled','<%=EnableViewFilesInDBID%>','<%=EnableUploadFilesInDBID%>','<%=EnableDeleteFilesInDBID%>','<%=EnableOverwriteFilesInDBID%>','<%=hfEnableViewFilesInDB.ClientID%>','<%=hfEnableUploadFilesInDB.ClientID%>','<%=hfEnableDeleteFilesInDB.ClientID%>','<%=hfEnableOverwriteFilesInDB.ClientID%>','<%=FileNameInDatabaseID%>','<%=file.ClientID%>','<%=EnableAmazonS3ID%>','<%=CreateFolderAmazonS3SubDirsID%>','<%=DeleteAmazonS3SubDirsID%>','<%=UploadAmazonS3SubDirsID%>','<%=ViewAmazonS3SubDirsID%>','<%=EnableAmazonS3CreateBucketID%>','<%=EnableAmazonS3DeleteBucketID%>','<%=hfEnableAmazonS3.ClientID%>','<%=hfCreateFolderAmazonS3SubDirs.ClientID%>','<%=hfDeleteAmazonS3SubDirs.ClientID%>','<%=hfUploadAmazonS3SubDirs.ClientID%>','<%=hfViewAmazonS3SubDirs.ClientID%>','<%=hfEnableAmazonS3CreateBucket.ClientID%>','<%=hfEnableAmazonS3DeleteBucket.ClientID%>',<%=IsAmazonS3Root().ToString().ToLower()%>,'<%=btnUploadAmazonS3.ClientID%>','<%=CurrentAmazonS3BaseHref%>','<%=CurrentAmazonS3BucketName%>')">


UltimateEditor.file.aspx has this flaw as well, in two places:
<body onload="Body_OnLoad('<%=Request.QueryString["ii"]%>','<%=Request.QueryString["ft"]%>','<%=Request.QueryString.ToString().Replace("'", "\\'")%>','<%=Request.QueryString["ei"]%>','<%=fileSource.ClientID%>','<%=txtAlt.ClientID%>','<%=ddlImageAlign.ClientID%>','<%=txtBorder.ClientID%>','<%=txtImageWidth.ClientID%>','<%=txtImageHeight.ClientID%>','<%=txtHSpace.ClientID%>','<%=txtVSpace.ClientID%>','<%=txtMediaWidth.ClientID%>','<%=txtMediaHeight.ClientID%>','<%=rbMediaLoopYes.ClientID%>','<%=ddlMediaAlign.ClientID%>','<%=ddlFlashQuality.ClientID%>','<%=txtFlashBackgroundColor.ClientID%>','<%=txtMediaID.ClientID%>','<%=hfFileSize.ClientID%>','divInsertImage','divInsertMedia','trFlashQuality','trFlashBackgroundColor','tblFile','<%=hfFileNameInDatabase.ClientID%>')">



<td style="padding-left:4px;font-family:Tahoma;font-size:11px;font-weight:bold;color:#FFFFFF"><%=Request.QueryString["wt"]%></td>

There are also flaws in the ultimateeditor.dll related to external control of file names or paths, but, unfortunately, I'm not able to provide any useful information on what those are. I suspect it's the functions that set the library file, etc., which seems like a dumb thing for Veracode to complain about.

At this point I don't know what to do about these, because I can either ignore them (which I would prefer doing, but apparently I'm not allowed to) or replace UltimateEditor with something else.

Can someone tell me if they've dealt with Veracode before while using UltimateEditor or UltimateSpell?

Posted by Karamasoft on 02-05-2016 3:50 PM
We are not familiar with Veracode, but the Body_OnLoad method it is complaining about doesn't require any encoding since none of those parameters take their values from user input. As you can see, they are enclosed in server script tags <%= ... %> and dynamically rendered based on your UltimateEditor configuration settings (generally ids) when the page is rendered.

For Request.QueryString values, you can try changing the Body_OnLoad code by wrapping each parameter inside a JS encode as follows:

<body onload="Body_OnLoad(encodeURI('<%=Request.QueryString["ii"]%>'), ...
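As an added example (not Karamasoft's or UltimateEditor's own code), here is server-side encoding for the two output contexts the Veracode findings point at: a query-string value written inside a JavaScript string literal within an onload attribute, and a value written between <td> tags. It assumes System.Web on .NET Framework 4.0 or later; the SafeRender class name is invented for this illustration. A browser-side encodeURI wrapper runs only after the server has already assembled the markup, so the encoding has to happen where the value is written into the page.

```csharp
// Added example, not Karamasoft's or UltimateEditor's own code.
// Encodes query-string values on the server before they are written into the
// page, for the two output contexts shown in the question. Requires System.Web
// (.NET Framework 4.0+); the SafeRender class name is invented for this example.
using System;
using System.Web;

public static class SafeRender
{
    // Context 1: a value inside a JS string literal that itself sits inside an
    // HTML attribute, e.g. onload="Body_OnLoad('<%= ... %>', ...)".
    // The browser decodes the attribute as HTML first and only then parses the
    // result as JavaScript, so encode for JS first, then for the attribute.
    public static string ForJsStringInAttribute(string value)
    {
        string js = HttpUtility.JavaScriptStringEncode(value ?? string.Empty);
        return HttpUtility.HtmlAttributeEncode(js);
    }

    // Context 2: a value between tags, e.g. <td><%= ... %></td>.
    public static string ForHtmlText(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    // Constructed sample input: quotes, angle brackets and a backslash are the
    // characters that would end a string literal or an element if left raw.
    public static void Main()
    {
        string sample = "O'Brien \"report\" <b> C:\\temp";
        Console.WriteLine(ForJsStringInAttribute(sample));
        Console.WriteLine(ForHtmlText(sample));
    }
}

// In the .aspx markup from the question, the encoded calls replace the raw ones:
//   <body onload="Body_OnLoad('<%=SafeRender.ForJsStringInAttribute(Request.QueryString["ii"])%>', ...)">
//   <td ...><%=SafeRender.ForHtmlText(Request.QueryString["wt"])%></td>
```

The same ForJsStringInAttribute helper also replaces the Replace("'", "\\'") call on the QueryString.ToString() parameter, which handles only one of the characters that can close the literal.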