UltimateEditorMVC
Veracode Security issues with UltimateEditor

Thread Starter: scott.korin   Started: 02-05-2016 1:48 PM   Replies: 1
 Karamasoft Support Forums » General Discussions » UltimateEditorMVC » Veracode Security issues with UltimateEditor
  05 Feb 2016, 1:48 PM
scott.korin (last active: 2/6/2016 12:07:32 AM)

Not Ranked
Joined on 03-15-2013
Posts 3
 Veracode Security issues with UltimateEditor
Veracode is a platform for scanning web applications for security flags as defined by the Common Weakness Enumeration project. My parent company has informed us that we must scan our software using Veracode. Our applications use the MVC versions of UltimateEditor and UltimateSpell, and Veracode found several "medium" flaws.

CWE 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS):

ultimateeditor.explorer.aspx had this flaw 29 times, all on line 18.

Line 18 shows a bunch of attributes being set in the Body_OnLoad function. None of these values are being encoded to make sure they don't include invalid HTML. I have no idea how these values are being set, so I don't know what to tell my security auditor about these 29 flaws:

<body onload="Body_OnLoad('<%=ultimateEditorID%>','<%=IncludePath%>','<%=FileSourceID%>','<%=FileSizeID%>','<%=AttachmentFileTypesID%>','<%=FlashFileTypesID%>','<%=ImageFileTypesID%>','<%=LinkFileTypesID%>','<%=TemplateFileTypesID%>','<%=WindowsMediaFileTypesID%>','<%=CreateFolderSubDirsID%>','<%=DeleteSubDirsID%>','<%=FileOverwriteSubDirsID%>','<%=UploadSubDirsID%>','<%=ViewSubDirsID%>','<%=ServerExplorerInitialSubDirID%>','<%=hfNewFolderName.ClientID%>','<%=hfDeletePath.ClientID%>','<%=imgPreview.ClientID%>','frmPreview','<%=ibCreateFolder.ClientID%>','<%=fileToUpload.ClientID%>','<%=btnUpload.ClientID%>','<%=hfPageStatus.ClientID%>','<%=PAGE_STATUS_HIDDEN_IS_SET%>','<%=hfAttachmentFileTypes.ClientID%>','<%=hfFlashFileTypes.ClientID%>','<%=hfImageFileTypes.ClientID%>','<%=hfLinkFileTypes.ClientID%>','<%=hfTemplateFileTypes.ClientID%>','<%=hfWindowsMediaFileTypes.ClientID%>','<%=hfCreateFolderSubDirs.ClientID%>','<%=hfDeleteSubDirs.ClientID%>','<%=hfFileOverwriteSubDirs.ClientID%>','<%=hfUploadSubDirs.ClientID%>','<%=hfViewSubDirs.ClientID%>','<%=hfServerExplorerInitialSubDir.ClientID%>','<%=FileType%>','file','fileselect','btndisabled','<%=EnableViewFilesInDBID%>','<%=EnableUploadFilesInDBID%>','<%=EnableDeleteFilesInDBID%>','<%=EnableOverwriteFilesInDBID%>','<%=hfEnableViewFilesInDB.ClientID%>','<%=hfEnableUploadFilesInDB.ClientID%>','<%=hfEnableDeleteFilesInDB.ClientID%>','<%=hfEnableOverwriteFilesInDB.ClientID%>','<%=FileNameInDatabaseID%>','<%=file.ClientID%>','<%=EnableAmazonS3ID%>','<%=CreateFolderAmazonS3SubDirsID%>','<%=DeleteAmazonS3SubDirsID%>','<%=UploadAmazonS3SubDirsID%>','<%=ViewAmazonS3SubDirsID%>','<%=EnableAmazonS3CreateBucketID%>','<%=EnableAmazonS3DeleteBucketID%>','<%=hfEnableAmazonS3.ClientID%>','<%=hfCreateFolderAmazonS3SubDirs.ClientID%>','<%=hfDeleteAmazonS3SubDirs.ClientID%>','<%=hfUploadAmazonS3SubDirs.ClientID%>','<%=hfViewAmazonS3SubDirs.ClientID%>','<%=hfEnableAmazonS3CreateBucket.ClientID%>','<%=hfEnableAmazonS3DeleteBucket.ClientID%>',<%=IsAmazonS3Root().ToString().ToLower()%>,'<%=btnUploadAmazonS3.ClientID%>','<%=CurrentAmazonS3BaseHref%>','<%=CurrentAmazonS3BucketName%>')">


UltimateEditor.file.aspx has this flaw as well, in two places:
<body onload="Body_OnLoad('<%=Request.QueryString["ii"]%>','<%=Request.QueryString["ft"]%>','<%=Request.QueryString.ToString().Replace("'", "\\'")%>','<%=Request.QueryString["ei"]%>','<%=fileSource.ClientID%>','<%=txtAlt.ClientID%>','<%=ddlImageAlign.ClientID%>','<%=txtBorder.ClientID%>','<%=txtImageWidth.ClientID%>','<%=txtImageHeight.ClientID%>','<%=txtHSpace.ClientID%>','<%=txtVSpace.ClientID%>','<%=txtMediaWidth.ClientID%>','<%=txtMediaHeight.ClientID%>','<%=rbMediaLoopYes.ClientID%>','<%=ddlMediaAlign.ClientID%>','<%=ddlFlashQuality.ClientID%>','<%=txtFlashBackgroundColor.ClientID%>','<%=txtMediaID.ClientID%>','<%=hfFileSize.ClientID%>','divInsertImage','divInsertMedia','trFlashQuality','trFlashBackgroundColor','tblFile','<%=hfFileNameInDatabase.ClientID%>')">



<td style="padding-left:4px;font-family:Tahoma;font-size:11px;font-weight:bold;color:#FFFFFF"><%=Request.QueryString["wt"]%></td>

There are also flaws in the ultimateeditor.dll related to external control of file names or paths, but, unfortunately, I'm not able to provide any useful information on what those are. I suspect it's the functions that set the library file, etc., which seems like a dumb thing for Veracode to complain about.

At this point I don't know what to do about these, because I can either ignore them (which I would prefer doing, but apparently I'm not allowed to), or replace UltimateEditor with something else.

Can someone tell me if they've dealt with Veracode before while using UltimateEditor or UltimateSpell?

  
  05 Feb 2016, 3:50 PM
Karamasoft (last active: 11/10/2017 3:24:14 PM)

Top 10 Posts
Joined on 09-05-2004
Posts 6,818
Re: Veracode Security issues with UltimateEditor
We are not familiar with Veracode, but the Body_OnLoad method it is complaining about doesn't require any encoding, since none of those parameters take values from user input. As you can see, they are enclosed in server script tags <%= ... %> and dynamically rendered based on your UltimateEditor configuration settings (generally IDs) when the page is rendered.

For Request.QueryString values, you can try changing the Body_OnLoad code by wrapping each parameter inside a JS encode as follows:

<body onload="Body_OnLoad(encodeURI('<%=Request.QueryString["ii"]%>'), ...">
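An ASP.NET fragment, added here and not code from the thread or from Karamasoft, showing the two UltimateEditor.file.aspx lines quoted in the first post with each query string value encoded on the server before it is written into the page; it assumes .NET 4 or later (for HttpUtility.JavaScriptStringEncode and the `<%: %>` syntax) and the helper name JsArg.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web" %>
<script runat="server">
    // Assumed helper (not part of UltimateEditor): escapes a query string value for
    // use inside a single-quoted JavaScript string literal. Quotes, backslashes,
    // line terminators and the characters < > & are backslash-escaped or written as
    // \uXXXX sequences, so the value can neither end the literal nor the attribute.
    // The posted .Replace("'", "\\'") only covers the quote and leaves backslashes
    // and line terminators unescaped.
    protected static string JsArg(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value ?? string.Empty);
    }

    // Before (as posted): raw request values written straight into JavaScript source
    //   <body onload="Body_OnLoad('<%=Request.QueryString["ii"]%>','<%=Request.QueryString["ft"]%>', ...)">
    //   <td><%=Request.QueryString["wt"]%></td>
    // After: two encoding layers for the onload attribute, matching the two parsers
    // the browser applies. JavaScriptStringEncode handles the JS string context and
    // <%: %> (HttpUtility.HtmlEncode) handles the HTML attribute context; the browser
    // removes the HTML layer first and the JavaScript engine then sees only the \' escapes.
    // For the <td>, element content is a single HTML context, so <%: %> alone is enough.
</script>
<body onload="Body_OnLoad('<%: JsArg(Request.QueryString["ii"]) %>','<%: JsArg(Request.QueryString["ft"]) %>')">
<table>
  <tr>
    <td style="padding-left:4px;font-family:Tahoma;font-size:11px;font-weight:bold;color:#FFFFFF"><%: Request.QueryString["wt"] %></td>
  </tr>
</table>
</body>
```

Encoding has to happen on the server, at the point where the value is written into the JavaScript string; a client-side encodeURI only runs after the browser has already parsed the attribute and the JavaScript around the value. Scanners report the unencoded write itself, so this is also what makes the CWE 80 finding go away rather than just changing what the page does at runtime.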

  


© 2002-2018 Karamasoft LLC. All rights reserved.