Cross-site scripting security issue in Dreamweaver MX and Dreamweaver UltraDev server behaviors
Issue
There is a security issue with some of the server behaviors in Dreamweaver MX, Dreamweaver UltraDev 4, Dreamweaver UltraDev 1, and two extensions that shipped as part of the Developer's Resource Kit (DRK), vol. 2 and vol. 4. If exploited, this issue makes it possible for an attacker to gain access to certain site-specific cookie and session information. (Ref. 146889)
Note: This security issue has been fixed in Dreamweaver MX 2004 and later versions.
Reason
Cross-site scripting, known as XSS, is a way to capture sensitive user data from a client's browser. XSS attacks are unique in that they occur completely on the client. The attacker injects JavaScript into the web page via a URL parameter. The browser then executes this code as if it were intended by the original author of the web page.
Server behaviors that redirect to a URL built from a variable passed to the page are susceptible to this type of attack. In Dreamweaver MX, Dreamweaver UltraDev 4, and Dreamweaver UltraDev 1, the following server behaviors use this mechanism and are affected:
- ASP JavaScript & ASP VBScript: Log In User, Insert Record, Update Record, and Delete Record
- JSP: Move To <X> Record, Go To Detail Page, Go To Related Page, Insert Record, Update Record, Delete Record, and Log In User
- ColdFusion: Move To <X> Record, Go To Detail Page, Go To Related Page, Insert Record, Update Record, Delete Record, and Log In User
For example, Dreamweaver MX, Dreamweaver UltraDev 4, and Dreamweaver UltraDev 1 write the following code when you apply the Insert Record server behavior:
ASP JavaScript
// set the form action variable
var MM_editAction = Request.ServerVariables("URL");
if (Request.QueryString) {
  MM_editAction += "?" + Request.QueryString;
}
ASP VBScript
MM_editAction = CStr(Request("URL"))
If (Request.QueryString <> "") Then
  MM_editAction = MM_editAction & "?" & Request.QueryString
End If
JSP
// set the form action variable
String MM_editAction = request.getRequestURI();
if (request.getQueryString() != null && request.getQueryString().length() > 0) {
  MM_editAction += "?" + request.getQueryString();
}
ColdFusion
// set the form action variable
MM_editAction = CGI.SCRIPT_NAME;
if (CGI.QUERY_STRING NEQ "") {
  MM_editAction = MM_editAction & "?" & CGI.QUERY_STRING;
}
Solution
This problem has been fixed in Dreamweaver MX 2004 and later versions.
If you use Dreamweaver MX, Dreamweaver UltraDev 4, or Dreamweaver UltraDev 1, and you have applied server behaviors to your pages, you can modify your pages to prevent this vulnerability from being exploited.
Depending on the server model that you use, update the code on your pages to apply HTML encoding, XML encoding, or URL encoding to the variable before using it in the redirect. Any attempt to exploit the vulnerability will then fail: script injected through the query string is rendered as literal text on the user's machine rather than executed.
Edit the server behavior code on your page to use the appropriate encoding, as shown in the encoded query-string expressions below:
ASP JavaScript
// set the form action variable
var MM_editAction = Request.ServerVariables("URL");
if (Request.QueryString) {
  MM_editAction += "?" + Server.HTMLEncode(Request.QueryString);
}
ASP VBScript
MM_editAction = CStr(Request("URL"))
If (Request.QueryString <> "") Then
  MM_editAction = MM_editAction & "?" & Server.HTMLEncode(Request.QueryString)
End If
JSP (for Java 1.0)
// set the form action variable
String MM_editAction = request.getRequestURI();
if (request.getQueryString() != null && request.getQueryString().length() > 0) {
  String queryString = request.getQueryString();
  String tempStr = "";
  // replace the characters that could close the attribute or open a tag with HTML entities
  for (int i = 0; i < queryString.length(); i++) {
    if (queryString.charAt(i) == '<') tempStr = tempStr + "&lt;";
    else if (queryString.charAt(i) == '>') tempStr = tempStr + "&gt;";
    else if (queryString.charAt(i) == '"') tempStr = tempStr + "&quot;";
    else tempStr = tempStr + queryString.charAt(i);
  }
  MM_editAction += "?" + tempStr;
}
JSP (for Java 1.4)
// set the form action variable
String MM_editAction = request.getRequestURI();
if (request.getQueryString() != null && request.getQueryString().length() > 0) {
  String queryString = request.getQueryString();
  // String.replaceAll is available from Java 1.4 onward
  queryString = queryString.replaceAll("<", "&lt;");
  queryString = queryString.replaceAll(">", "&gt;");
  queryString = queryString.replaceAll("\"", "&quot;");
  MM_editAction += "?" + queryString;
}
ColdFusion
// set the form action variable
MM_editAction = CGI.SCRIPT_NAME;
if (CGI.QUERY_STRING NEQ "") {
  MM_editAction = MM_editAction & "?" & XMLFormat(CGI.QUERY_STRING);
}
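The following is an added example, not code from the bulletin or from Dreamweaver. It models the MM_editAction construction shown above in plain JavaScript so the affected pattern and the encoded fix can be compared side by side: the query string is copied verbatim in the first function and passed through an encoder equivalent to Server.HTMLEncode / XMLFormat in the second. The request object, its URL, and the query strings are constructed here for illustration; nothing in this block comes from an actual ASP or JSP runtime.

```javascript
// Added example (not Macromedia's code). Stand-in for the server-side encoders
// the bulletin recommends. '&' is encoded first so entities produced by the
// later replacements are not encoded twice.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Affected pattern from the bulletin: the query string is appended verbatim
// to the form action, so anything in it lands inside the action attribute.
function buildEditActionUnsafe(req) {
  let action = req.url;
  if (req.queryString) action += "?" + req.queryString;
  return action;
}

// Fixed pattern: the query string is HTML-encoded before concatenation.
function buildEditActionSafe(req) {
  let action = req.url;
  if (req.queryString) action += "?" + htmlEncode(req.queryString);
  return action;
}

// Renders the form tag the generated page emits around MM_editAction.
function renderForm(action) {
  return '<form method="post" action="' + action + '">';
}

// Check a reviewer can apply to an action value: it must not contain the
// characters that terminate a quoted attribute or open a new tag.
function attributeIsIntact(action) {
  return !/[<>"]/.test(action);
}

// Constructed sample requests (hypothetical URL, not from the bulletin):
// one ordinary query string and one carrying attribute-breaking characters.
const benignRequest = { url: "/admin/insert.asp", queryString: "id=42&view=full" };
const hostileRequest = { url: "/admin/insert.asp", queryString: 'id=42"><x>' };

// Runs both builders over both requests and reports whether the attribute
// survived intact; the unsafe builder fails on the hostile request only.
function compare() {
  return {
    benignUnsafe: attributeIsIntact(buildEditActionUnsafe(benignRequest)),
    benignSafe: attributeIsIntact(buildEditActionSafe(benignRequest)),
    hostileUnsafe: attributeIsIntact(buildEditActionUnsafe(hostileRequest)),
    hostileSafe: attributeIsIntact(buildEditActionSafe(hostileRequest)),
  };
}

console.log(renderForm(buildEditActionUnsafe(hostileRequest)));
console.log(renderForm(buildEditActionSafe(hostileRequest)));
console.log(compare());
```

Note that the encoder above also turns `&` into `&amp;`, as Server.HTMLEncode and XMLFormat do; the JSP loop in the bulletin leaves `&` alone. That difference does not affect the fix (a bare `&` cannot close the attribute or open a tag), and `&amp;` inside an HTML attribute is decoded back to `&` by the browser before the form is submitted, so the parameters still arrive unchanged on the server.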
Additional Information
For concerns or questions about this document please email: DWMPSB0305@macromedia.com.