Security Issue - Fortify found a critical Issue

4 replies. Last post: March 14, 2014 12:33 AM by Yudi
Tags :
  • New Discussion
  • New Question
  • New Product Feedback
Eric Member

We have to mandatory do a static code analysis and are using the HP Fortify tool. It found a critical security issue in the JavaScript ISCore.js used by your WebGrid 8.0.7200.250. I haven't tried to exploit it, but please investigate and provide a detailed answer or hotfix about this issue. The issue found was marked as "Critical".

// Generated by Intersoft Script Optimizer V1.5 + Intersoft JS Engine MaxObfuscate(tm) V1.0 
// Generated Datetime : 12/20/2012 7:52:51 PM
// Copyright (c) 2005 Intersoft Solutions.
// Unauthorized decryption/reproduction of any codes contained herein is strictly prohibited and will result in severe civil and criminal penalties .
var isNetPage_ClientValidateCalled = false;
...
	},
	OnResponse: function (v0b866, vca044) {
		var v7df30 = v0b866.Control;
		var v0ff74 = v0b866.XmlHttp;
		if (vca044 != null) v0ff74 = vca044;
		if (!ISXmlHttpEngine) return;
		if (v0ff74 == null || typeof (v0ff74) == "undefined") return;
		if (v0ff74.readyState == 4) {
			var v4dd42 = v0ff74.getResponseHeader("Content-Type");
			var v13449 = v0ff74.status;
			if (v13449 == 204 || v13449 == 1223) {
				if (v0b866.LastAction != "" && v0b866.LastAction.indexOf("Execute") > -1 && v7df30.ClientProvider) v7df30.ClientProvider.CallbackHandler(new Object());
				if (v7df30.OnResponse) v7df30.OnResponse(new Object(), true);
				return;
			}
			var v7ab67 = v0ff74.getResponseHeader("IS-Redirect");
			if (v7ab67 == "true") {
				window.location = v0ff74.getResponseHeader("IS-Location");
				return;
			}
			var vac229 = (v4dd42 != null && v4dd42 != "" && v4dd42.indexOf("json") > -1);
...

The issue found is in this line:

				window.location = v0ff74.getResponseHeader("IS-Location");

Issue description from Fortify:

-----

Abstract:

The file ISCore.js passes unvalidated data to an HTTP redirect function on line 3388. Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.

 

Explanation:

Redirects allow web applications to direct users to different pages within the same application or to external sites. Applications utilize redirects to aid in site navigation and, in some cases, to track how users exit the site. Open redirect vulnerabilities occur when a web application redirects clients to any arbitrary URL that can be controlled by an attacker.

Attackers can utilize open redirects to trick users into visiting a URL to a trusted site and redirecting them to a malicious site. By encoding the URL, an attacker can make it more difficult for end-users to notice the malicious destination of the redirect, even when it is passed as a URL parameter to the trusted site. Open redirects are often abused as part of phishing scams to harvest sensitive end-user data.
-----

Please note that the line numbers won't match, as I have reformatted the obfuscated js file in order to be able to report the relevant section here.

Please provide a hotfix or a detailed explanation why this would be a false-postive. It doesn't look like a false-positive to me.

Thanks

All times are GMT -5. The time now is 10:05 AM.
Previous Next