05 Feb 2016, 1:48 PM
scott.korin
Joined on 03-15-2013
Posts 3
Veracode Security issues with UltimateEditor
Veracode is a platform for scanning web applications for security flags as defined by the Common Weakness Enumeration project. My parent company has informed us that we must scan our software using Veracode. Our applications use the MVC versions of UltimateEditor and UltimateSpell, and Veracode found several "medium" flaws.
CWE 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS):
ultimateeditor.explorer.aspx had this flaw 29 times, all on line 18.
Line 18 shows a bunch of attributes being set in the Body_OnLoad function. None of these values are being encoded to make sure they don't include invalid HTML. I have no idea how these values are being set, so I don't know what to tell my security auditor about these 29 flaws:
<body onload="Body_OnLoad('<%=ultimateEditorID%>','<%=IncludePath%>','<%=FileSourceID%>','<%=FileSizeID%>','<%=AttachmentFileTypesID%>','<%=FlashFileTypesID%>','<%=ImageFileTypesID%>','<%=LinkFileTypesID%>','<%=TemplateFileTypesID%>','<%=WindowsMediaFileTypesID%>','<%=CreateFolderSubDirsID%>','<%=DeleteSubDirsID%>','<%=FileOverwriteSubDirsID%>','<%=UploadSubDirsID%>','<%=ViewSubDirsID%>','<%=ServerExplorerInitialSubDirID%>','<%=hfNewFolderName.ClientID%>','<%=hfDeletePath.ClientID%>','<%=imgPreview.ClientID%>','frmPreview','<%=ibCreateFolder.ClientID%>','<%=fileToUpload.ClientID%>','<%=btnUpload.ClientID%>','<%=hfPageStatus.ClientID%>','<%=PAGE_STATUS_HIDDEN_IS_SET%>','<%=hfAttachmentFileTypes.ClientID%>','<%=hfFlashFileTypes.ClientID%>','<%=hfImageFileTypes.ClientID%>','<%=hfLinkFileTypes.ClientID%>','<%=hfTemplateFileTypes.ClientID%>','<%=hfWindowsMediaFileTypes.ClientID%>','<%=hfCreateFolderSubDirs.ClientID%>','<%=hfDeleteSubDirs.ClientID%>','<%=hfFileOverwriteSubDirs.ClientID%>','<%=hfUploadSubDirs.ClientID%>','<%=hfViewSubDirs.ClientID%>','<%=hfServerExplorerInitialSubDir.ClientID%>','<%=FileType%>','file','fileselect','btndisabled','<%=EnableViewFilesInDBID%>','<%=EnableUploadFilesInDBID%>','<%=EnableDeleteFilesInDBID%>','<%=EnableOverwriteFilesInDBID%>','<%=hfEnableViewFilesInDB.ClientID%>','<%=hfEnableUploadFilesInDB.ClientID%>','<%=hfEnableDeleteFilesInDB.ClientID%>','<%=hfEnableOverwriteFilesInDB.ClientID%>','<%=FileNameInDatabaseID%>','<%=file.ClientID%>','<%=EnableAmazonS3ID%>','<%=CreateFolderAmazonS3SubDirsID%>','<%=DeleteAmazonS3SubDirsID%>','<%=UploadAmazonS3SubDirsID%>','<%=ViewAmazonS3SubDirsID%>','<%=EnableAmazonS3CreateBucketID%>','<%=EnableAmazonS3DeleteBucketID%>','<%=hfEnableAmazonS3.ClientID%>','<%=hfCreateFolderAmazonS3SubDirs.ClientID%>','<%=hfDeleteAmazonS3SubDirs.ClientID%>','<%=hfUploadAmazonS3SubDirs.ClientID%>','<%=hfViewAmazonS3SubDirs.ClientID%>','<%=hfEnableAmazonS3CreateBucket.ClientID%>','<%=hfEnableAmazonS3DeleteBucket.ClientID%>
',<%=IsAmazonS3Root().ToString().ToLower()%>,'<%=btnUploadAmazonS3.ClientID%>','<%=CurrentAmazonS3BaseHref%>','<%=CurrentAmazonS3BucketName%>')">
UltimateEditor.file.aspx has this flaw as well, in two places:
<body onload="Body_OnLoad('<%=Request.QueryString["ii"]%>','<%=Request.QueryString["ft"]%>','<%=Request.QueryString.ToString().Replace("'", "\\'")%>','<%=Request.QueryString["ei"]%>','<%=fileSource.ClientID%>','<%=txtAlt.ClientID%>','<%=ddlImageAlign.ClientID%>','<%=txtBorder.ClientID%>','<%=txtImageWidth.ClientID%>','<%=txtImageHeight.ClientID%>','<%=txtHSpace.ClientID%>','<%=txtVSpace.ClientID%>','<%=txtMediaWidth.ClientID%>','<%=txtMediaHeight.ClientID%>','<%=rbMediaLoopYes.ClientID%>','<%=ddlMediaAlign.ClientID%>','<%=ddlFlashQuality.ClientID%>','<%=txtFlashBackgroundColor.ClientID%>','<%=txtMediaID.ClientID%>','<%=hfFileSize.ClientID%>','divInsertImage','divInsertMedia','trFlashQuality','trFlashBackgroundColor','tblFile','<%=hfFileNameInDatabase.ClientID%>')">
<td style="padding-left:4px;font-family:Tahoma;font-size:11px;font-weight:bold;color:#FFFFFF"><%=Request.QueryString["wt"]%></td>
There are also flaws in the ultimateeditor.dll related to external controls of file names or paths, but, unfortunately, I'm not able to provide any useful information on what those are. I suspect it's the functions that set the library file, etc., which seems like a dumb thing for Veracode to complain about.
At this point I don't know what to do about these, because I can either ignore them (which I would prefer doing, but apparently I'm not allowed to), or replace UltimateEditor with something else.
Can someone tell me if they've dealt with Veracode before while using UltimateEditor or UltimateSpell?
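The two output contexts in the quoted markup, as an added Python illustration (not UltimateEditor's code and not the poster's): the Replace("'", "\\'") the page shows, beside an encoder for a JS string literal nested inside an HTML attribute and a plain HTML-text encoder for the td cell, plus a check that reports which context-ending characters an encoding leaves behind. SAMPLE_QUERY and all function names are constructed for this example; in ASP.NET the built-in equivalents are HttpUtility.JavaScriptStringEncode and HttpUtility.HtmlEncode.

```python
import html
import json

# Constructed sample input (not a value the product emits); it mixes the
# characters that matter in the two contexts the posted markup uses.
SAMPLE_QUERY = 'it\'s <b>&"x"'
BREAKERS = ("'", '"', "\\", "<", ">", "&", "\n", "\r")

def naive_encode(value):
    """Mirror of the posted Replace("'", "\\'"): only the apostrophe is escaped."""
    return value.replace("'", "\\'")

def js_string_escape(value):
    """Escape for a JS string literal: everything outside a small safe set becomes
    \\uXXXX, so no quote, backslash, newline or HTML-significant char survives."""
    out = []
    for ch in value:
        cp = ord(ch)
        if (ch.isascii() and ch.isalnum()) or ch in " _-.,":
            out.append(ch)
        elif cp > 0xFFFF:  # astral code points need a UTF-16 surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)

def js_string_in_html_attr(value):
    """The onload attribute nests a JS string inside an HTML attribute. The HTML
    parser decodes entities such as &#39; before the script ever runs, so
    JS-escape first and then HTML-attribute-encode the result."""
    return html.escape(js_string_escape(value), quote=True)

def html_text(value):
    """For the <td><%=Request.QueryString["wt"]%></td> cell: plain HTML text."""
    return html.escape(value, quote=True)

def unescaped_breakers(s):
    """Breaker characters not covered by a backslash escape; [] is the goal."""
    found, i = [], 0
    while i < len(s):
        if s[i] != "\\" and s[i] in BREAKERS and s[i] not in found:
            found.append(s[i])
        i += 2 if s[i] == "\\" else 1  # a backslash escape covers the next char
    return found

def js_round_trip(value):
    """Decoding the escaped literal must give the original back unchanged."""
    return json.loads('"%s"' % js_string_escape(value)) == value
```

Running unescaped_breakers over each encoder's output is the quick way to show an auditor why the apostrophe-only Replace does not close the CWE-80 finding: it leaves the double quote, ampersand and angle brackets untouched.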