Skip to main content
1
123majorBates
Participant
January 28, 2010
Question

Beware - serious breach - cross site scripting errors in RoboHelp 8.0

  • January 28, 2010
  • 1 reply
  • 703 views

I have compiled a WebHelp project (about 120 topics) in RoboHelp 8.0. The compiled project is then merged with the application. As part of our testing, the application is run through a security testing product called Fortify. This product finds cross site scripting errors whenever a topic is called directly from the application and also when the menu driven help is called. I noticed this was a reported problem with versions 6 and 7 with a patch available to address it. Does this patch work with version 8 also? If not, is a patch available?

Have spoken to level 2 support of Robo and nothing is planned to patch this very serious breach in the near term, so be very careful how you deploy WebHelp. In fact, we are not going to use the product - way too much risk.

This topic has been closed for replies.

1 reply

johndaigle
johndaigle
Legend
February 16, 2010

Hi,123majorBates and welcome to the Forums.

Any outstanding security issues with RoboHelp 6 and 7 were taken care of in the development of RoboHelp 8, so it would not be necessary to install those patches.

However, you would also want to install any updates to RoboHelp 8 if you have not already. Though, these were not issued specifically for scripting vulnerabilities per se, make sure you have updates 8.0.1 and 8.0.2 installed. You will find them here:

http://www.adobe.com/support/robohelp/downloads.html

You didn't mention whether you were using WebHelp Pro with RoboHelp Server 8? In the event you are, there was a security update for RoboHelp Server 8 a couple of months ago. You will find it here on the Adobe Tech Comm blog.
 http://blogs.adobe.com/techcomm/2009/09/security_update_available_for_robohelp_server_8.html

Finally, please email me the Fortify report offline with as much info as you have, I will make sure it gets to the Adobe Engineering team immediately. It would also be helpful to understand a little about the application and how it is calling the help to see if this is coloring the result.

I am at john @ johndaigle dot com

Thanks very much for reporting this and we'll keep you posted.

John


John Daigle
Adobe Certified RoboHelp and Captivate Instructor
Evergreen, Colorado
http://www.showmethedemo.com

John DaigleAdobe Certified RoboHelp and Captivate InstructorNewport, Oregon
1
123majorBatesAuthor
Participant
February 25, 2010

I followed your directions and eventually was put in touch with an Adobe engineer, Tulika Garg. She was able to reproduce the problem. However, when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful. There are further errors with the .js files that Adobe has a QA engineer trying to reproduce. These are minor errors and not the serious errors I was encountering.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices