
webhelp vulnerable during XSS cross site scripting audit. Reason - document.location.href

New Here, Mar 08, 2012

Online help created by the team is going through a security vulnerability check now. It has been found that after integration of WebHelp with the application, document.location.href is a vulnerable point as per XSS (cross-site scripting). Please share your thoughts and any methods you have that can contain this situation. It's urgent, please help.


1 Correct answer

Community Expert, Mar 28, 2012

You can update your copy through Help > Updates or from the web page: http://www.adobe.com/downloads/updates/

LEGEND, Mar 09, 2012

Can you start by telling us what version of RoboHelp you are using? There are some security patches available on the Adobe KB but without knowing your RH version I can't advise any further.

BTW please do not cross post. It helps no one. You may want to read the helpful tips before posting again. You can find them at http://forums.adobe.com/thread/467760?tstart=0


  @robocolumn
  The RoboColum(n)
  Colum McAndrew

New Here, Mar 09, 2012

Hi RoboColum(n),

New to this forum so didn't know much about the rules... I apologize for that to start with. I am using RoboHelp 9, and also tried a patch

Vulnerability identifier: APSB07-10

CVE number: CVE-2007-1280

However, it didn't work for us. Please advise, as we cannot proceed with our product release without clearing this audit. Thanks in advance for your time and patience.

New Here, Mar 09, 2012

The version is 9.0.1.262.

LEGEND, Mar 09, 2012

No problem Sunil.

There is a RH9 patch available at http://www.adobe.com/support/security/bulletins/apsb11-23.html which you can install. If you still get security issues after this I think you'll be on your own with Adobe. This is the only security issue they are aware of as far as I know.


  @robocolumn
  The RoboColum(n)
  Colum McAndrew

New Here, Mar 09, 2012

Thanks RoboColum(n). Will try that patch and write back.

Community Expert, Mar 09, 2012

Isn't this about why Chrome will not run locally with a tripane window? If it is the same thing, keep in mind that Chrome (and maybe Opera?) are the only browsers to block that when run locally.


See www.grainge.org for RoboHelp and Authoring tips

@petergrainge

Help others by clicking Correct Answer if the question is answered. Found the answer elsewhere? Share it here. "Upvote" is for useful posts.

New Here, Mar 09, 2012

Hello Sir,

We have been creating context-sensitive WebHelp for a payment domain product that has to go through PA DSS certification. While doing the audit for certification, this vulnerability of cross-site scripting by document.location.href was visible. The output opens in a separate window through the application, mostly in IE. We have tried the latest security patch APSB-11-23 available on the Adobe forum; however, it did not work for us.

The version used by us is 9.0.1.262. The patch says

AFFECTED SOFTWARE VERSIONS

RoboHelp 9 (versions 9.0.1.232 and earlier), RoboHelp 8, RoboHelp Server 9 and RoboHelp Server 8 for Windows

Note: Customers using RoboHelp 9 version 9.0.1.262 are not vulnerable to this issue.

However this issue persists in this version too. Please advise. Thanks in advance for your time, effort and patience.


Community Expert, Mar 09, 2012

You need to contact RH Technical Support and outline why you think the vulnerability still exists in your point version.

New Here, Mar 09, 2012

Hi RoboColum(n)

We applied the suggested patch and generated WebHelp. The issue of document.location.href still persists. Thanks.

New Here, Mar 27, 2012

Have tried compiling WebHelp with RoboHelp 9.0.1.2.3.2 (older version) with the patch available. Is there any way I can test the vulnerability internally before sharing help files for audit? Please suggest any VAPT testing tool names that can detect XSS vulnerability. Thanks.

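One way to check generated help output internally before an audit, as an added example that is not part of the original thread and is not Adobe's code: a Node.js function that flags lines where a URL-derived value such as document.location.href reaches an HTML or script sink. The name scanSource, the pattern lists and the sample lines are assumptions constructed for illustration, not RoboHelp output.

```javascript
// Added example: static triage for DOM-XSS patterns in generated help output.
// URL-derived values that a crafted link can influence (taint sources).
const SOURCES = /\b(?:document\.|window\.)?location\.(?:href|search|hash)\b|\bdocument\.(?:URL|referrer)\b/;
// Calls and properties that interpret a string as HTML or script (sinks).
const SINKS = /\bdocument\.write(?:ln)?\s*\(|\.(?:innerHTML|outerHTML)\s*=(?!=)|\beval\s*\(/;
// Simple "name = expression" statements, used to follow taint through variables.
const ASSIGN = /^\s*(?:var\s+|let\s+|const\s+)?([A-Za-z_]\w*)\s*=(?!=)(.*)$/;

function scanSource(text) {
  const tainted = new Set();
  const findings = [];
  // Name matching is textual, so a tainted name inside a string literal also counts.
  const isTainted = (expr) =>
    SOURCES.test(expr) ||
    [...tainted].some((name) => new RegExp("\\b" + name + "\\b").test(expr));

  text.split(/\r?\n/).forEach((line, index) => {
    if (/^\s*\/\//.test(line)) return; // skip comment-only lines
    if (SINKS.test(line) && isTainted(line)) {
      findings.push({ line: index + 1, kind: "source-to-sink", text: line.trim() });
    } else if (SOURCES.test(line)) {
      findings.push({ line: index + 1, kind: "source-read", text: line.trim() });
    }
    const assignment = ASSIGN.exec(line);
    if (assignment) {
      const [, name, expr] = assignment;
      if (isTainted(expr)) tainted.add(name);
      else tainted.delete(name); // reassigned from a clean value
    }
  });
  return findings;
}

// Constructed sample input (not actual RoboHelp output).
const SAMPLE = [
  "// constructed sample, not RoboHelp output",
  "var strUrl = document.location.href;",
  "var strTopic = strUrl.substring(strUrl.indexOf('#') + 1);",
  "document.write('<frame src=\"' + strTopic + '\">');",
  "var title = 'Help';",
  "document.write('<h1>' + title + '</h1>');",
  "window.status = encodeURIComponent(document.location.href);",
].join("\n");

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.line}: ${f.kind}: ${f.text}`);
}
```

A source-read finding only shows where the URL is read; the source-to-sink lines are the ones to review by hand and to compare against the auditor's scanner report.
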
Community Expert, Mar 27, 2012

Latest patch level takes you to 9.0.2.271 AFAIK - try that. There's no tester within RH; I'd try googling to see if something exists out there. Didn't your auditors give you something to use?

New Here, Mar 27, 2012

Hi Jeff,

Thanks for the suggestion, have used a VAPT tool to identify the vulnerability. Also, the latest patch you mentioned is not available on the Adobe security bulletin link http://www.adobe.com/support/security/bulletins/apsb12-04.html. Is it available at some other link? If yes, kindly share... Thanks in advance.

Community Expert, Mar 28, 2012

You can update your copy through Help > Updates or from the web page: http://www.adobe.com/downloads/updates/

New Here, Mar 28, 2012

Thanks Jeff... life saver!
