on 2011 May 13 12:47 PM
Hi,
We have customized the SAP tool area and search iView to redirect the user to our internal search engine page along with its search query string.
Now, URL parameters for com.sap.portal.innerpage are causing XSS threats as follows:
https://<vendorURL>/irj/servlet/prt/portal/prteventname/Navigate/prtroot/pcd!3aportal_content!2fcom.<vendor>.layout.AoPortalLayoutFolder!2fcom.<vendor>.layout.DesktopFolder!2f<vendor>Desktop_1!2fframeworkPages!2fframeworkpage_1!2fcom.sap.portal.innerpage?url=<url to search engine followed by script entities>&system=<system alias name followed by script tag>&windowId=WID1290076312917&NavigationTarget=ROLES%3Aportal_content%2Fcom.atosorigin.layout.AoPortalLayoutFolder%2Fcom.atosorigin.layout.iViews%2Fcom.atosorigin.atosSearch&RelativeNavBase=&Command=SUSPEND&SerPropString=&SerKeyString=&SerAttrKeyString=&DebugSet=&Embedded=true&SessionKeysAvailable=true
The scripts placed here are getting executed. This exposes the application to a serious XSS threat.
url=<url to search engine followed by script entities>
&system=<system alias name followed by script tag>
Is there any way to validate these URL parameters before they are processed?
Please help.
Thanks and regards,
Amey
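Added example, not part of the original post and not SAP's own code: the `url` and `system` values above are rendered into the page unchanged, so the fix is to validate both against an allowlist before the iView does anything with them, and to HTML-escape them again at the point of output. The validation logic below is framework-independent; in a portal component it would run on the values read from the component request before they reach the redirect or the rendered HTML. The search-engine hostname, the system-alias pattern, the helper names and the attack strings are all assumptions constructed for the example. Note also that if the search-engine target never needs to vary per request, the safest option is not to accept it from the query string at all and to read it from a fixed iView property instead.

```python
"""Allowlist validation for the `url` and `system` query parameters of a
custom search iView, plus HTML escaping for the rendered link.

Added example, not SAP code.  The search-engine hostname and the alias
pattern are assumptions; substitute the real values from the portal config.
"""
import html
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Assumed: the only hosts the iView may redirect to (hypothetical names).
ALLOWED_SEARCH_HOSTS = {"search.intranet.example.com"}
ALLOWED_SCHEMES = {"https"}
# Assumed shape of a system alias: letters, digits, underscore, 1-32 chars.
SYSTEM_ALIAS_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


class InvalidParameter(ValueError):
    """Raised when a request parameter fails validation; the caller should
    return an error page instead of rendering anything derived from it."""


def validate_search_url(raw: str) -> str:
    """Accept only absolute https URLs on an allowlisted host, then rebuild
    the URL from parsed components so injected markup never survives into
    the value that gets rendered or redirected to."""
    parts = urlsplit(raw.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise InvalidParameter("disallowed scheme: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # 'allowed.host@evil.host' style tricks: the real host is after '@'.
        raise InvalidParameter("userinfo not allowed in search URL")
    if parts.hostname not in ALLOWED_SEARCH_HOSTS:
        raise InvalidParameter("host not in allowlist: %r" % parts.hostname)
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        raise InvalidParameter("malformed port") from exc
    netloc = parts.hostname + (":%d" % port if port else "")
    # Re-encode path and query: any '<', '>', '"' or "'" becomes %XX.
    path = quote(parts.path or "/", safe="/%")
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit((parts.scheme.lower(), netloc, path, query, ""))


def validate_system_alias(raw: str) -> str:
    """A system alias is an identifier, so a strict character class is
    enough; anything else (including '<script>') is refused outright."""
    alias = raw.strip()
    if not SYSTEM_ALIAS_RE.fullmatch(alias):
        raise InvalidParameter("system alias has disallowed characters")
    return alias


def validate_params(params: dict) -> dict:
    """Validate the two attacker-controllable parameters together; any other
    parameter is dropped rather than passed through."""
    return {
        "url": validate_search_url(params.get("url", "")),
        "system": validate_system_alias(params.get("system", "")),
    }


def render_search_link(url: str, system: str) -> str:
    """Output encoding is applied on top of input validation: even an
    allowlisted URL legitimately contains '&', which must be '&amp;'
    inside an attribute value."""
    return '<a href="%s">Search in %s</a>' % (
        html.escape(url, quote=True), html.escape(system, quote=True))


def is_rejected(raw: str, validator=validate_search_url) -> bool:
    """True when `validator` refuses `raw`; used by the self-check below."""
    try:
        validator(raw)
    except InvalidParameter:
        return True
    return False


if __name__ == "__main__":
    # Constructed attack inputs, modelled on the post's description.
    attack = {
        "url": 'https://search.intranet.example.com/?q=x"><script>alert(1)</script>',
        "system": "SAP_BW<script>alert(1)</script>",
    }
    print("url survives as:", validate_search_url(attack["url"]))
    print("system rejected:", is_rejected(attack["system"], validate_system_alias))
    print(render_search_link(validate_search_url(attack["url"]), "SAP_BW"))
```

The two validators deliberately reject rather than strip: a parameter that fails validation is evidence of tampering, and silently cleaning it would hide that from logs. Rebuilding the URL from parsed parts (instead of regex-matching the raw string) is what makes the `url` parameter safe to reuse in both an `href` and a server-side redirect.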