Cross Site Scripting Vulnerability
I am using RoboHelp 11.0.4.291 to generate Responsive HTML5 help for web applications.
The web designers in my company have reported the following security vulnerabilities. Is there a fix?
1/ Cross Site Scripting Vulnerability via DOM Redirection
=========================================================
File: loadcsh.js
Function: redirectToTopic
Line Number: 117 (target.contentWindow.location.replace(gTopicURL);)
The mechanism RoboHelp is using to display the (context sensitive) help file is not secure because the passed in URL is
not being sanitised, therefore it's trivial for an attacker to trick the user into executing code by clicking on a link
e.g.
http://PATH_TO_ROBOHELP_DEFAULT_FILE.htm#t=javascript:alert(0)
The above URL will cause a pop-up in Internet Explorer, Chrome, Firefox and Opera (Safari is untested). This is a
definite issue that needs fixing by Adobe as illustrated by the following URL which prompts the user for their
credentials and sends the details to the attacker:
2/ Potential Cross Site Scripting Vulnerability
===============================================
File: settings.js
Function: insertIFrame
Line Number: 188 (gIFrameElem.setAttribute("src", gHostPath+COOKIESPAGE);)
At first glance this doesn't appear to be an issue as the href property of the location object is being parsed and split
apart before being set as the src attribute for the iframe. However, it may be possible to craft a URL that fools the
user-agent into passing a malicious payload through to this function. This is something that Adobe should investigate
and confirm that the necessary precautions have been taken.
3/ Potential DOM Data & Cookie Manipulation Vulnerability
=========================================================
File: settings.js
Function: setThroughIFrame
Line Number: 202 (var objSave = new cookieSaveRequesObj(SAVE_REQ, name, value, bPersistent);)
I don't think this is an issue as the "value" property it's referring to isn't a DOM Element, it's a JavaScript object
(cookieSaveRequesObj). However, what might be an issue is whether that value is read back out and written to the DOM. It
may also be possible to craft a URL that exploits the setting/getting of the cookie. Again this is something that Adobe
should investigate and confirm that the necessary precautions have been taken.
4/ Preventing these exploits
============================
The above exploits could be mitigated by only allowing a white-list of URLs to be set (at build time RoboHelp knows all
of the URLs used so there is no need for it to allow any others) and sanitising the URL e.g. only allow schemes http: or
https: (not javascript:, data: etc).
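A hardened check for the "#t=" topic value along the lines of the mitigation in 4/, as an added example that is not RoboHelp's own loadcsh.js code. The function names (safeTopicUrl, redirectToTopicSafe) and the KNOWN_TOPICS list are assumptions; the list stands in for the set of topic pages the generator already knows at build time.

```javascript
// Added example, not RoboHelp's code. KNOWN_TOPICS is a constructed sample of
// the relative topic paths a generated help project could emit at build time.
const KNOWN_TOPICS = ["intro.htm", "settings/cookies.htm", "faq/login.htm"];

// Parse the value carried in the "#t=" fragment and decide whether it may be
// loaded into the content frame. Returns the decoded relative path (with any
// in-page anchor kept), or null when the value must be rejected.
function safeTopicUrl(fragment, allowedTopics = KNOWN_TOPICS) {
  // Accept both "#t=..." and "t=..." forms; stop at the first "&".
  const m = /^#?t=([^&]*)/.exec(fragment || "");
  if (!m) return null;
  let topic;
  try {
    topic = decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // Reject anything carrying a scheme (javascript:, data:, vbscript:, or an
  // absolute http(s): URL) and protocol-relative "//host" values.
  if (/^[a-z][a-z0-9+.-]*:/i.test(topic.trim()) || /^\/\//.test(topic)) {
    return null;
  }
  // Reject path traversal and backslashes before the allow-list comparison.
  if (topic.includes("..") || topic.includes("\\")) return null;
  // Compare the path part (without in-page anchor) against the build-time list;
  // the allow-list is the real gate, the scheme check above just fails fast.
  const path = topic.split("#")[0];
  return allowedTopics.includes(path) ? topic : null;
}

// Hardened counterpart of redirectToTopic: navigates the frame only to a
// topic that passed the check, otherwise to the default topic. Returns the
// URL actually used so callers (and tests) can see the decision.
function redirectToTopicSafe(frame, fragment, defaultTopic = KNOWN_TOPICS[0]) {
  const target = safeTopicUrl(fragment) || defaultTopic;
  frame.contentWindow.location.replace(target);
  return target;
}
```

In the real page the fragment would come from window.location.hash and the frame from the existing iframe element; the allow-list could be emitted by the generator as a JSON array alongside the help files.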
