
Beware - serious breach - cross site scripting errors in RoboHelp 8.0

New Here, Jan 28, 2010


I have compiled a WebHelp project (about 120 topics) in RoboHelp 8.0. The compiled project is then merged with the application. As part of our testing, the application is run through a security testing product called Fortify. This product finds cross site scripting errors whenever a topic is called directly from the application and also when the menu driven help is called. I noticed this was a reported problem with versions 6 and 7 with a patch available to address it. Does this patch work with version 8 also? If not, is a patch available?

Have spoken to level 2 support of Robo and nothing is planned to patch this very serious breach in the near term, so be very careful how you deploy WebHelp. In fact, we are not going to use the product - way too much risk.

Advisor, Feb 16, 2010


Hi, 123majorBates, and welcome to the Forums.

Any outstanding security issues with RoboHelp 6 and 7 were taken care of in the development of RoboHelp 8, so it would not be necessary to install those patches.

However, you would also want to install any updates to RoboHelp 8 if you have not already. Though these were not issued specifically for scripting vulnerabilities per se, make sure you have updates 8.0.1 and 8.0.2 installed. You will find them here:

http://www.adobe.com/support/robohelp/downloads.html

You didn't mention whether you were using WebHelp Pro with RoboHelp Server 8? In the event you are, there was a security update for RoboHelp Server 8 a couple of months ago. You will find it here on the Adobe Tech Comm blog.
http://blogs.adobe.com/techcomm/2009/09/security_update_available_for_robohelp_server_8.html

Finally, please email me the Fortify report offline with as much info as you have. I will make sure it gets to the Adobe Engineering team immediately. It would also be helpful to understand a little about the application and how it is calling the help to see if this is coloring the result.

I am at john @ johndaigle dot com

Thanks very much for reporting this and we'll keep you posted.

John


John Daigle
Adobe Certified RoboHelp and Captivate Instructor
Evergreen, Colorado
http://www.showmethedemo.com

John Daigle
Adobe Certified RoboHelp and Captivate Instructor
Newport, Oregon

New Here, Feb 25, 2010


I followed your directions and eventually was put in touch with an Adobe engineer, Tulika Garg. She was able to reproduce the problem. However, when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful. There are further errors with the .js files that Adobe has a QA engineer trying to reproduce. These are minor errors and not the serious errors I was encountering.
