TechNote

Security issue and patch for Dreamweaver/DRK server behaviors

Issue

Recently, Macromedia became aware of a security issue with some of the server behaviors present in Dreamweaver MX, all versions of UltraDev, and two extensions that shipped as part of the Developers Resource Kit (DRK), vol. 2 and vol. 4. If exploited, it is possible for an attacker to gain access to certain site-specific cookie and session information.

Reason

Cross-site scripting, known as XSS, is gaining popularity as a way to capture sensitive user data from a client's browser. XSS attacks are unique in that they occur completely on the client. The attacker injects JavaScript into the web page via a URL parameter. The browser then executes this code as if it was intended by the original author.

Server behaviors which use a redirect of a URL via a variable passed to the page are susceptible.

In Dreamweaver MX the following server behaviors use this mechanism and are affected:

ASP JS & VB:
- Login User, Insert Record, Update Record, Delete Record
PHP:
- MoveTo behaviors, Insert, Update, Logout
JSP:
- MoveTo behaviors, Goto detail or related page, Insert, Update, Delete, Login user
ColdFusion (Dreamweaver MX code):
- MoveTo behaviors, Login user
ColdFusion (Dreamweaver UltraDev 4 code):
- MoveTo behaviors, Goto detail or related page, Insert, Update, Delete, Login user

Users of the following DRK extensions are also affected:

DRK vol 2:
- PHP User Authentication Behaviors and Master-Detail Page extensions
DRK vol 4:
- Simple Search extension

Solution

Patches to Dreamweaver MX and these DRK extensions fix this issue. Developers with sites that use these behaviors should download the applicable updates and install them to Dreamweaver MX.

Download the necessary extension(s)
Users should download all of the extensions that are pertinent. For example, if developer have used both the standard Dreamweaver Insert server behavior and the Master Detail Page php extension from the DRK vol. 2, then they should download and install both extensions. The following patches are available:

Dreamweaver MX:
- Download this updater ( dwmx_xss.mxp ) if using Dreamweaver MX and server behaviors mentioned above.
Master Detail Page PHP DRK extension:
- Download this updater ( masterdetailphp_xss.mxp ) if using the PHP Master Detail Page extension available in the DRK, vol. 2.
PHP User Authentication DRK extension:
- Download this updater ( phpua_xss.mxp ) if using the PHP User Authentication behaviors available from the DRK, vol. 2.
Simple Search DRK extension:
- Download this updater ( simplesearch_xss.mxp ) if using the Simple Search extension available from the DRK, vol. 4.

Install the extension(s)

After downloading the extensions, launch Macromedia Extension Manager and install the each extension (File > Install Extension).
Restart Dreamweaver to make the changes take effect.

Reapply the behaviors

Once you have installed the extensions, reapply the updated server behaviors to those pages which used the affected server behaviors by deleting the existing server behaviors and inserting the new ones on your pages . Redeploy these pages.

If you are using Java 1.0, and are using the MoveTo behaviors, Goto detail or related page, Insert, Update, Delete, or Login user, you will need to replace the fix inserted by the above patch. For example, if you have a page that includes the Insert, Update, or Delete server behaviors and have applied the above patch:

Search for this code in your page:

 queryString = queryString.replaceAll("<","<"); queryString = queryString.replaceAll(">",">"); queryString = queryString.replaceAll("\"","""); MM_editAction += "?" + queryString;

And replace it with this code:

 String tempStr = ""; for (int i=0; i < queryString.length(); i++) { if (queryString.charAt(i) == '<') tempStr = tempStr + "<"; else if (queryString.charAt(i) == '>') tempStr = tempStr + ">"; else if (queryString.charAt(i) == '"') tempStr = tempStr +  """; else tempStr = tempStr + queryString.charAt(i); } MM_editAction += "?" + tempStr;

You'll need to perform a similar search and replace operation in your pages that include the other affected server behaviors with the applied patch. However, note that the variables ˜queryString' and ˜MM_editAction' used in the above example, will be different for the other affected server behaviors.