Vulnerable Webhelp for XSS cross site scripting checking. Reason - document.location.href

The online help created by our team is now going through security vulnerability checking. It was found that, in the integration of the WebHelp with the application, document.location.href is a vulnerable point with respect to XSS (cross-site scripting). Please share your thoughts and any methods you have that can contain this situation. It's an emergency, please help.

You can update your copy via Help > Update or the web page: http://www.adobe.com/downloads/updates/

Tags: Adobe

Similar Questions

  • DOM-based Cross-Site Scripting Vulnerability (http-client-side-xss) caused by a SharePoint 2010 file: SP.UI.Pub.Ribbon.js

    Hello

    We have implemented a portal that is connected to the Internet by using SharePoint 2010. We used a vulnerability scanner, called Rapid7 (https://www.rapid7.com).

    It reported that the portal is vulnerable to DOM-based cross-site scripting (XSS). The affected file is a SharePoint integrated file in the Layouts folder: SP.UI.Pub.Ribbon.js

    The detailed message is as below:

    /_layouts/SP.UI.Pub.Ribbon.js line 94: exit dangerous customer call showUnapprovedXmlHttp.send () with the concatenation of 94:String argLine contaminated with the concatenation of 94:String valueLine controlled by the user with the concatenation of 94:String valueLine controlled by the user with the concatenation of 94:String valueLine of controlled use with the concatenation of 94:String controlled by the user valueLine with 94:Result valueLine controlled by the user of taint where are stored the calling function on ordered valueLine 94 : "document.URL.split... "... Split toLowerCase ' is controlled by the user

    References:

    Source Reference
    CERT CA-2000-02
    OWASP-2010 A2
    OWASP-2013 A3
    URL http://en.Wikipedia.org/wiki/Cross_site_scripting
    URL http://www.webappsec.org/projects/articles/071105.shtml

    Please advise on how to solve the problem of Security reported.

    Thank you

    Randy

    Hello Randy,

    Thanks for posting your question on the Forum of the Microsoft community.

    The question will be better suited to the audience of IT professionals on the MSDN forums.

    I would recommend posting your query in the MSDN Forums.
     
    MSDN forum
    http://social.msdn.Microsoft.com/forums/SharePoint/en-us/home?Forum=sharepointgeneralprevious

    Thank you

  • ToStaticHTML MS IE String Cross - Site Scripting Vulnerability associated with the processing of alarms

    Hello

    I was wondering if someone else has noted an increase in false positives on the 2 following competitions:

    -Microsoft Internet Explorer toStaticHTML String Cross - Site Scripting Vulnerability related to treatment

    -Microsoft Office Excel Ghost Record analysis of arbitrary Code execution vulnerability

    Obviously I see these events because the signature has been introduced recently.

    But I wonder if these alarms I get are authentic (and I have a big problem), or if the signature must be "set" by Cisco to be a little less sensitive?

    Anyone who has experienced something similar or can enlighten?

    Thank you

    SEB.

    Hello Seb,

    As a result of this thread, we have identified a false positive in signature 30419 and corrected the signature. The signature change is currently under review and is likely to make the signature update that releases next week.

    Please let me know if I can help with anything whatsoever in addition under this thread. If your question has been answered, please mark the thread as such so that it is useful to other users. Also, feel free to note this thread to take account of your experience.

    Thank you

    Blayne Dreier

    Cisco TAC team climbing

    * Please see our Podcasts *.

    TAC security show: http://www.cisco.com/go/tacsecuritypodcast

    TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series

  • How to disable Adobe cross-site scripting.

    disable Adobe cross-site scripting. I have a vista running on a laptop

    http://forums.Adobe.com/index.jspa

    Try the Forums Adobe above, relating to your question.

    Or Vista programs Forum:

    It's updated operating system Vista, upgraded installation and activate Forum.

    http://social.answers.Microsoft.com/forums/en-us/vistaprograms/threads

    They will help you with your question in Forum Vista programs at the above address.

    See you soon.

    Mick Murphy - Microsoft partner

  • Script injection virus / Cross-Site Scripting

    I had a page on a simple website for a restaurant hacked this week, and I'm looking for some advice.  The hacker managed to get an iframe tag on the homepage of the site, and the content of the iframe was pretty nasty, bringing a few computers to a stop, at least temporarily.

    My hosting company, HMS, takes the position that the tag went up in the page index.html, through a possibility of script, not no matter what hole in the security of their server.  So, I try to understand where they got.

    a few facts:

    • site is HTML only.  Not dynamic.
    • It has a mail.asp page on the server, but it was not used or linked to any page. (and oddly enough, the site is on a Linux server, so I think that a contribute user has slept with who at one point)
    • the site uses opentable.com, which is an online booking system which uses an iframe. (I'm asking them to assess whether or not their script could be a problem.)
    • the only infected page, index.html, haven't had no call to external scripts inside - no call to any outside no files at all, not even a CSS file. It contained only internal DW javascripts like MM_swapImage html tags and a few images.
    • The site is enabled for Contribute. (I'm trying in vain to remove this, but that's another story)

    If anyone can help me understand how a site like this could be compromised, I'd appreciate it.

    by passing the ball, your Web site hosting provider isn't very good.  any decent host is have external firewall protection and insist that make their servers scans of minimum annual intrusion.  your html page should not cause their servers for bricks, especially if it's a virtual or shared solution.

  • One login for two different sites of the BC

    I have a client who has created two different sites of BC due to the product of the limit of two Types of pricing. Site 1 has the retail and dealer price and location 2 is distributor and master distributor prices.

    Site 1 is the main and has documents in a neighborhood secure requiring access to all levels of the four user, my client would like to allow customers to have a single login for both sites for users of site 2 can access documents in a space secured on site 1 without having to maintain two connections.

    Does anyone know if it's feasible, say with a cookie or a special script?

    Thank you

    Barry

    Barry H, you must set up a system which hangs in the API of so, but that is at the heart of CRM and interacts with both sites.

  • Secure connection failed error - for almost all sites!

    Mozilla Firefox began throwing up the following error message for almost all the Internet sites I usually access!

    The error:

    The secure connection failed

    The connection to the server was reset while the page is loading.

       The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
       Please contact the web site owners to inform them of this problem.
    

    I use a laptop computer Lenovo z580 with Windows 7 Home Premium with Firefox installed 41.0.2.
    I checked the proxy settings, and they are the same in Firefox, like in other browsers (IE and Chrome).
    I checked the settings of the system time, and there is no problem there.

    I'm unable to download images for a reason, so I downloaded the images (of the error messages for different Web sites) to http://s912.photobucket.com/user/sushd/library/Firefox

    Any help is appreciated.

    TIA

    Do a malware check with several malware scanning programs on the Windows computer.

    Please scan with all programs, because each program detects a different malicious program.
    All of these programs have free versions.

    Make sure that you update each program to get the latest version of their databases before scanning.

    Alternatively, you can run a check for a rootkit infection with TDSSKiller.


  • "The certificate is not trusted because no issuer chain was provided" error in all browsers for all Web sites.

    As the title says, Chrome, Firefox and Internet Explorer all give the certificate error message for each attempted site, including the Firefox Add-ons page. The specific error is "no issuer chain was provided".

    (1) this problem is not on my computer - it's on my mom's computer in another city. Therefore, I can't try each possibility bit without fly there - I'm looking for things I can tell him to do it by phone. The problem started today. I already have him given the list of anti-malware programs to install and run from here:

    https://support.Mozilla.org/en-us/questions/982393

    Note that, of course, she will have to accept the substitution of security certificate to do these things - I hope that's not bad.

    (2) the problem began after that she tried to use Skype, it hung for a very long time and would never connect you. So she tried to reinstall - and she said she clicked through a number of screens agreement and believes she could have installed 3rd third party software malware. It of ridiculous, Skype now put malware onto the computers of people through these false 3rd party add-ons installation? I guess it's possible Skype has been suspended due to some other problem - but she was able to reinstall Skype and managed to do work (but now its internet certificates will not be).

    (3) it have BitDefender. I am aware that it is said here:

    https://support.Mozilla.org/en-us/KB/connection-untrusted-error-message

    that she must turn off SSL scanning. She turned it off, it has not solved the problem. She turned off and restarted, it does not solve the problem. She has had for the last 6 months and it has never caused a problem.

    (4) in addition, BitDefender has announced today that he stopped a malicious program called MySearchDial.exe to try something, it should not. We went through this removal guide:

    http://malwaretips.com/blogs/start-mysearchdial-removal/

    However, the MySearchDial software was never actually installed in the windows install list, and we found no addons/plugins in the browser list (notice that Firefox Add-ons are not accessible with a certificate error, it gives the error message but DOES NOT give you the ability to add an exception so that you cannot access the Add-ons). The only things we found were (a) MySearchDial was by default in IE search engine list, despite the fact that there is no add-on, and (b) MySearchDial.exe in the folder temp (now deleted). I see I got BitDefender to scan the temp folder * before * I deleted MySearchDial.exe, and it said no threats found. What? This is BitDefender that warned me of this in the first place!

    (5) Date and time are correct.

    (6) checked the Windows 7 install, only Skype, Skype Click-to-Call, and (for some reason any) Microsoft Visual Studio 2010, and Visual C++ have been installed or modified today. I'm paranoid about Click-to-call and requested to uninstall, but it does not solve the problem.

    (7) the operating system is Win7 home 64 bit.

    Something beyond the malware removal without end of the programmes (via the above linked list) that we should try?

    OK - Malwarebytes fixed it. It turns out VisualBee browser backup were also there and Malwarebytes found and deleted.

    After this happened, the errors of certificate went, but she doesn't still could not connect because the computer was then manually set a proxy server, but it was easy to fix by returning to the automatic detection of settings.

    Thank you all for your suggestions.

  • Hi, I answered no to the question on the registration of password for a specific site. I changed my mind and would like Firefox to save the password. How to re-enable password saver for a specific site?

    Hi, I answered no to the question on the registration of password for a specific site. I changed my mind and would like Firefox to save the password. How to re-enable password saver for a specific site?

    Check the list of exceptions to your Firefox password manager and check if your site is there or not?

  • couldn't update for windows XP / IE Script errors

    My OS is XP Professional 2003 and there has never been an automatic priority update Windows do not install so far. The update is KB981793. I looked and it is essentially an update of time thingy for the computer, however, since the first failure to load it keeps loading in my bar, next to my clock and tells me that the updates are ready for my computer and it is constantly the same one that fails. So no matter how many times I try to install it, 5 min later, he's back and I cannot make install or get out. My computer has all the current updates and SP3 is installed.
    My second problem now, I hope that when you know what you are doing, is a simple explanation and fix. I'm getting now constantly an "IE Script error" on virtually every Web page I'm opening.  A few pages that I must accept the run script 2 to 10 times button to clear all the Script error pop up that took place on this page. I do not understand what a script error is actually or where it is produced or, more importantly, how messed up he tells me my computer or a program is. 6 months ago I maybe got 1 or 2 errors per week, in the last days 4-6, it is multiplied by experience of script. The current pop-up reads "an error has occurred in the script on this page." Then he asks "do you want to continue running the script on this page? Yes or no, and of course you say yes, so you can continue then within 5-10 seconds later, a small pop up in the corner said "IE has encountered a problem and needs to close", then he said "this tab has been recovered. A problem with this webpage caused IE to close and reopen the tab. "That is usually held twice in a row. Then you're almost through with Internet Explorer running and you will need to re launch.  Can you give me pls advise on what I should do. TYVM

    A1. See the section "Updates since the previous cumulative Windows time zone update" on this page: http://support.microsoft.com/kb/981793

    If you do NOT live in one of these zones, you can hide this update optional, not security.

    A2. You will find support for IE in this forum: http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/threads

    That being said...

    IE Tools | Internet Options | Advanced | Disable the debug script (<= check/enable this option); Display a notification about every script error (<= uncheck/disable this option) | OK your way

    ~ Robear Dyer (PA Bear) ~ MS MVP (that is to say, mail, security, Windows & Update Services) since 2002 ~ WARNING: MS MVPs represent or work for Microsoft

  • E-mail: I received an email that I won the microsoft Splash for 2010 promotion. Please check to see if this is correct or if it is a spam?

    I received an email that I won the microsoft Splash for 2010 promotion. Please check to see if this is correct or if it is a spam? The name given is Mr. James Peterson.

    I don't want to divulge personal information if this isn't for real.

    Thank you for your time and concern. I look forward to hearing from you.

    * E-mail address is removed for privacy *

    Avoid scams that use the Microsoft name fraudulently

    Cybercriminals often include the names of well-known companies, such as ours, in their scams. They think it will convince you to give them money or your personal information. While they usually use e-mail to con you, they sometimes use the phone instead.

    Common scams that use the Microsoft name

    • "You have won the Microsoft Lottery"
    • Microsoft "requires credit card information to validate your copy of Windows"
    • Microsoft sends unsolicited e-mail with attached security updates
    • A person from "Microsoft Support" calls to fix your computer

    Avoid these dangerous hoaxes

    We do not send unsolicited e-mail or make unsolicited telephone calls to ask for personal or financial information or to repair your computer.

    If you receive an unsolicited e-mail or phone call which is supposed to be from Microsoft and requests that you send personal information or click on links, delete the email or hang up the phone.

    You did not win the "Microsoft Lottery".

    Microsoft customers are often the target of a scam that uses e-mail messages falsely promising money. Victims receive messages saying: 'You have won the Microsoft Lottery!' There is no Microsoft Lottery. Delete the message.

    If you have lost money to this scam, report it. You can also send the police report to Microsoft and we will use it to help law enforcement catch criminals who send these e-mails.

    For more information, see Microsoft report fraud Lottery. To protect yourself against these e-mail hoaxes, you can use the same general guidance you use to protect yourself from phishing scams.

    Microsoft does not ask for credit card information to validate your copy of Windows

    We require that your copy of Windows is legitimate before you can obtain programs from the Microsoft Download Center and receive software updates from Microsoft Update. Our online process that performs this validation is called the Genuine Advantage Program. At no time during the validation process do we request your credit card information.

    In fact, we collect any information that can be used to identify you, such as your name, e-mail address or other personal information.

    For more information, read the Microsoft Genuine Advantage Privacy. To learn more about the program in general, see genuine Microsoft software.

    Microsoft sends no unsolicited communication on security updates

    When we publish information about a security software update or security incident, we send e-mail messages only to subscribers of our security communications program.

    Unfortunately, cybercriminals have taken advantage of this program. They send fake security messages that appear to come from Microsoft. Some messages lure the recipients to Web sites to download spyware or other malicious software. Others include an attachment that contains a virus. Delete the message. Do not open the attachment.

    Legitimate security communications from Microsoft

    • Legitimate communications do not include software updates as attachments. We never attach software updates to our security communications. On the contrary, we refer customers to our Web site for more information on the update or the software security incident.
    • Legitimate communications are also on our websites. If we provide information about a security update, you can also find this information on our Web sites.

    Microsoft does not make unsolicited telephone calls to help you fix your computer

    In this type of scam, cybercriminals call you and claim to be from Microsoft Tech Support. They offer help with your computer problems. Once scammers have earned your trust, they try to steal from you and damage your computer with malicious software, including viruses and spyware.

    Although law enforcement can trace phone numbers, perpetrators often use pay telephones, disposable cell phones or stolen cellular phone numbers. It is better to avoid being conned than to try to repair the damage afterwards.

    Treat all unsolicited telephone calls with skepticism. Don't provide personal information.


  • DNS server and mail cross-site fell down.

    After restarting the Windows Server2008, the DNS server and mail cross-site not may start automatically. So I want to start these two are manual. There is no information in the log file or no code error on this issue. How can I solve this problem? Anyone knowing the solution please answer me. Waiting for your valuable suggestions.

    http://www.Microsoft.com/windowsserver2008/en/us/forums-blogs.aspx

    Repost in the above Forums Windows Server 2008.

    These are the Vista Forums.

    See you soon.

    Mick Murphy - Microsoft partner

  • Table for the code for method of payment for the suppliers site

    Hi all, does anyone know how to get the value for the code for method of payment for the suppliers site in R12.1.3? I don't speak from that in the following path:

    1. Payables responsibility
    2. Suppliers
    3. Request for a supplier
    4. Click on details of payment
    5. Scroll to supplier Sites and press the update button
    6. Note that, for example, one among the payment methods is checked as default

    Thanks in advance, A.Stoynaov

    Hello

    Please check this note that contains the query:

    Default values for method of payment for providers at the level of the Table (Doc ID 737128.1)

    You can use this query to view the lines for a given provider site:

    SELECT *
    FROM iby_ext_party_pmt_mthds IEPPM
    WHERE IEPPM.ext_pmt_party_id IN
      (SELECT IEP.ext_payee_id
       FROM iby_external_payees_all IEP
       WHERE IEP.supplier_site_id IN
         (SELECT APSS.vendor_site_id
          FROM ap_supplier_sites_all APSS, ap_suppliers APS
          WHERE APS.vendor_id = APSS.vendor_id
          AND APS.vendor_name = ''            -- supplier name (value missing on the page)
          AND APSS.vendor_site_code = ''));   -- supplier site code (value missing on the page)

    Regards

    Joel Purswani

    Oracle Support

  • How to find the date, I bought creative cloud so to know if I am eligible for free hosting sites.

    Hello


    I want to know if I am eligible for the free sites, I'm aware that the end date is April 30, 2015. I don't know if I am registered before or after the deadline. In addition, apply to students in terms of students and teachers? I intend to launch a Web site shortly and I want to know if I would save money with Adobe Business Catalyst launch. Thank you

    Hello

    You can check the date in the history of the order under your account on Adobe.com.

    Kind regards

    Sheena

  • When you add a new site, Keychain prompt for all existing sites

    With the 2015 CC update, when I add a new Dreamweaver site, as soon as I hit "Done" once all the ftp information is entered, I get a Keychain prompt for each existing site I saved in Dreamweaver: "Adobe Dreamweaver CC 2015 wants to use your confidential data stored in 'Sitename-SiteServer 1' in your keychain. You want to allow access to this point?"

    I was well with crossed the first steps, assuming it wouldn't ask me once again, but he does. Every time.

    By clicking on 'Always allow' vs. 'Allow' does not seem to do much, but I don't want to test it a lot because I have to go through 80 + sites every time to see if it changes anything.

    Any experience with this? Is it a thing of access door key or a thing of Dreamweaver?

    The note of the problems at the FTP credentials won't be remembered is NOT my problem. All credentials are stored; I can switch between all sites without problem, or any guest. This happens only when I add a new site.

    Any help would be greatly appreciated!

    Dreamweaver CC 2015

    Screen Retina MacBook Pro mid 2012
    Yosemite 10.10.3

    This will help to get rid of it helps Dreamweaver | Set up a test server
