Intersoft Community

Webcombo Security issue

sphinxg@usa.net — Thu, 23 Nov 2023 12:11:16 GMT

Hi,

I am using Intersoft webcombo in my ASP.Net Web application.

I am checking the application security using the tool semgrep for SAST (Static Application Security Testing).

While testing I face the below errors. The JavaScript generated by the webcombo is causing the issue .

Please help me to solve these issues.

Files in which error occured:

· CoreValidator.js
· Core_DragDrop.js
· ISCore.js
· WebUIValidation.js
· WebCombo.js

Error Message 1:

javascript.browser.security.insecure-document-method.insecure-document-method User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities

... e.innerHTML=v;WC40Engine.InvalidateResultBox(f);return v},WriteCOLs:function(f,d){var e="";if(f.LayoutSettings.ComboMode=="MultipleColumns"){var a= ...

... b.innerHTML="<nobr>"+l.Text+"</nobr>"}}else{var h=p.Columns;for(var k=0;k<h.length;k++){var f=h[k];if(f.Hidden&&!f.RenderOnHidden){continue}var q=f ...

Error Message 2:

javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `e` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.

…RegExp(c.Pattern,"img");g=c.NewValue.match(re);if(g==null){c.NewValue=c.NewValue.replace(new RegExp("\\s+","g"),"");g=c.NewValue.match(re)}if(g== ...

Error Message 3:

javascript.browser.security.eval-detected.eval-detected Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.

al(this.getAttribute(name))}}}},_EmulateSelectionModel:function(){Object.defineProperty(HTMLDocument.prototype,"selection",{get:function(){return w ...

Error Message 4:

javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization `h.replace` method will only replace the first occurrence when used with a string argument ("$"). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.

replace("$","\\s*\\"+i+"\\s*")}else{if(j=="percent"){h=h.replace(i,"\\s*\\"+i+"\\s*")}}h="(?:^"+h.replace(new RegExp("\\s*","g"),"")+"$)";return h} ...

With Regards,

Giridhar JG

Regarding XSS issue faced in the web combo.

sphinxg@usa.net — Tue, 01 Aug 2023 08:33:32 GMT

Hi,

We are facing the below mentioned security issue in one of our client environments.

A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result was manually verified to determine its accuracy.

Kindly find the attached screenshots for reference(Request and Response).

Kindly help us to resolve the same

Thanks in advance.

Regarding XSS issue faced in the web combo.

sphinxg@usa.net — Tue, 01 Aug 2023 08:31:46 GMT

Hi,

We are facing the below mentioned security issue in one of our client environments.

Kindly find the attached screenshots for reference(Request and Response).

Kindly help us to resolve the same

Thanks in advance.

Regarding XSS issue faced in the web combo.

sphinxg@usa.net — Tue, 01 Aug 2023 08:31:45 GMT

Hi,

We are facing the below mentioned security issue in one of our client environments.

Kindly find the attached screenshots for reference(Request and Response).

Kindly help us to resolve the same

Thanks in advance.

Regarding XSS issue faced in the web combo.

sphinxg@usa.net — Tue, 01 Aug 2023 08:30:25 GMT

Hi,

We are facing the below mentioned security issue in one of our client environments.

Kindly find the attached screenshots for reference(Request and Response).

Kindly help us to resolve the same

Thanks in advance.

Webgrid 10 upgrade

kalyan2984 — Thu, 22 Jun 2023 16:29:47 GMT

Hi,

We are trying to upgrade to Webgrid 10 version, and need support from the Intersoft team. Please let me know if you have any references.

Thank you

Install new version

roiu@a-g-r-e.com — Sun, 30 Oct 2022 14:49:31 GMT

Hi

I'm trying to install new version and i get only error.

If there is anyone familiar with the subject

I would be happy to help, even for a fee.

WebUi jquery version

roiu@a-g-r-e.com — Thu, 15 Sep 2022 05:20:55 GMT

I get errors that maybe related to the jquery version (my guess)

I tried to find what version is compatible for this product but I didn't find it.

What version I need ?

Is file IEMozBridge.js still required or is it a legacy file that may be deprecated/removed

mateusz.chabros@volvo.com — Thu, 25 Aug 2022 07:39:13 GMT

hello,

isnetweb ui is loading the file IEMozBridge.js to support old and deprecated versions of IE and FF.

For example the file loads function document.createStyleSheet.

Official documentation states that the method was removed long time ago: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182625(v=vs.85)#legacy-api-additions-changes-and-removals

Meaning that any other browser (except for IE) is not supposed to have such method at all.

and our web site doesn't support IE but Chrome,

Is file IEMozBridge.js still required or is it a legacy file that may be deprecated/removed?

Need License Information for WebUI

Bill0208 — Sat, 28 May 2022 16:31:44 GMT

I took over a project using the Intersoft WebUI controls. The prevous developer left without documenting the project now I am stuck trying to setup a DEV server without the liocense for the product. I need the license information desperately to move forward. Please help.