Earlier this week a developer who was running a Burp security scan on our site sent me a report which showed the following:
The application may be vulnerable to path-relative style sheet import (PRSSI) attacks. The response contains a path-relative style sheet import, and so condition 1 for an exploitable vulnerability is present (see issue background). The response can also be made to render in a browser's quirks mode. The page does not contain a doctype directive, and so it will always be rendered in quirks mode. This means that condition 3 for an exploitable vulnerability is probably present if condition 2 is present.
Burp was not able to confirm that the other conditions hold, and you should manually investigate this issue to confirm whether they do hold.
with the following two lines (in every single topic's HTML page) highlighted as the issue:
<link rel="stylesheet" href="SourceDocument.css" type="text/css" />
<link rel="stylesheet" href="../default.css" type="text/css" />
The developer asked if I could see if there is an option to use absolute path links to the CSS files instead of relative paths. However, everything I've read about RoboHelp recently says that doesn't seem to be a possibility.
So for the last few days I've been searching and trying different settings/options and I'm currently having the developer run another Burp scan to see if it helps at all. Changes I made that are being tested:
From what I can tell in browsing around the online help after making these changes, everything looks good without the default.css file & references.
But I'm concerned the new Burp scan is going to still be upset that the topic HTML pages are referencing the "href=SourceDocument.css" file in the current folder (instead of an absolute path).
So, two questions:
I am just learning about relative & absolute paths. We have several user manuals with the source documents ranging from 50-500 pages which are updated regularly. So I am trying to avoid manual processes as much as possible.
Any help would be appreciated.
I don’t believe there’s any way to set an absolute path in your HTML pages because RH doesn’t know where its output is going to end up. I suspect that you’d have to employ a find & replace tool to strip out the vulnerabilities. First, you should alert Adobe about this potential issue (use the Bugbase reporting tool on the RH main page) & second, don’t expect to see any fix for your RH9 – it’s too far out of date for patches from the RH team.
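The find-and-replace post-processing suggested in the reply above, sketched as an added example (not part of the original thread and not RoboHelp functionality): it rewrites the path-relative stylesheet links to root-relative ones and adds a doctype where none exists. The `/help/...` URL prefix, the function names and the UTF-8 file encoding are assumptions.

```python
import pathlib
import posixpath
import re
from urllib.parse import urlsplit

LINK_TAG = re.compile(r"<link\b[^>]*>", re.I)
STYLESHEET = re.compile(r"""\brel\s*=\s*["']?stylesheet\b""", re.I)
HREF_ATTR = re.compile(r"""(\bhref\s*=\s*)(["'])(.*?)\2""", re.I)
DOCTYPE = re.compile(r"\s*<!doctype\b", re.I)

# Constructed sample: the two link lines flagged in the report above.
SAMPLE = ('<html><head>\n'
          '<link rel="stylesheet" href="SourceDocument.css" type="text/css" />\n'
          '<link rel="stylesheet" href="../default.css" type="text/css" />\n'
          '</head><body>Topic</body></html>\n')


def root_relative(href, page_dir):
    """Resolve a path-relative href against the URL directory of the page."""
    parts = urlsplit(href)
    if parts.scheme or parts.netloc or href.startswith("/"):
        return href  # already absolute or root-relative: leave untouched
    return posixpath.normpath(posixpath.join(page_dir, href))


def harden_html(html, page_dir):
    """Make stylesheet hrefs root-relative and add a doctype if none exists."""
    def fix_href(m):
        return m.group(1) + m.group(2) + root_relative(m.group(3), page_dir) + m.group(2)
    def fix_link(m):
        tag = m.group(0)
        return HREF_ATTR.sub(fix_href, tag, count=1) if STYLESHEET.search(tag) else tag
    html = LINK_TAG.sub(fix_link, html)
    return html if DOCTYPE.match(html) else "<!DOCTYPE html>\n" + html


def harden_tree(out_dir, url_prefix):
    """Rewrite every .htm/.html file under out_dir, which is served at url_prefix."""
    changed = []
    for path in sorted(pathlib.Path(out_dir).rglob("*.htm*")):
        rel_dir = path.parent.relative_to(out_dir).as_posix()
        page_dir = posixpath.join(url_prefix, rel_dir) + "/"
        old = path.read_text(encoding="utf-8")  # assumption: output is UTF-8
        new = harden_html(old, page_dir)
        if new != old:
            path.write_text(new, encoding="utf-8")
            changed.append(path.as_posix())
    return changed
```

Run `harden_tree` on a copy of the generated output with the prefix the help is actually served from, since the rewritten links only resolve at that location. The added doctype moves pages from quirks mode to standards mode, so check the layout of a few topics afterwards.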
To add to Jeff's response, every so often we see posts along the lines of yours where someone has used a security tool and it has reported some vulnerability. What I have never seen is anyone report that they or a client has suffered any successful attack using the vulnerability. That doesn't mean it hasn't happened but it does cast doubt on how real the threat is.
I am having an extension added to my house. The building control inspector has indicated that regs now require a clip to be fitted to the ridge tiles to make them extra secure. My builder has been in the trade for 50 years and has never had one of his ridge tiles blown off when they have just been bedded with mortar.
Theoretical risk or real risk?
I cannot say you should ignore the warning, but it might be worth a face-to-face chat with the developer to ask just how concerned he or she is. Ultimately it is your risk and your call. Hope those thoughts help.
See www.grainge.org for RoboHelp and Authoring tips