2 Replies Latest reply on Feb 25, 2010 11:40 AM by 123majorBates

    Beware - serious breach - cross site scripting errors in RoboHelp 8.0

    123majorBates

      I have compiled a WebHelp project (about 120 topics) in RoboHelp 8.0. The compiled project is then merged with the application. As part of our testing, the application is run through a security testing product called Fortify. This product finds cross site scripting errors whenever a topic is called directly from the application and also when the menu driven help is called. I noticed this was a reported problem with versions 6 and 7 with a patch available to address it. Does this patch work with version 8 also? If not, is a patch available?


      Have spoken to level 2 support of Robo and nothing is planned to patch this very serious breach in the near term, so be very careful how you deploy WebHelp. In fact, we are not going to use the product - way too much risk.

        • 1. Re: Beware - serious breach - cross site scripting errors in RoboHelp 8.0
          johndaigle Level 4

          Hi, 123majorBates, and welcome to the Forums.

          Any outstanding security issues with RoboHelp 6 and 7 were taken care of in the development of RoboHelp 8, so it would not be necessary to install those patches.


          However, you would also want to install any updates to RoboHelp 8 if you have not already. Though these were not issued specifically for scripting vulnerabilities per se, make sure you have updates 8.0.1 and 8.0.2 installed. You will find them here:

          http://www.adobe.com/support/robohelp/downloads.html


          You didn't mention whether you were using WebHelp Pro with RoboHelp Server 8. In the event you are, there was a security update for RoboHelp Server 8 a couple of months ago. You will find it here on the Adobe Tech Comm blog:
          http://blogs.adobe.com/techcomm/2009/09/security_update_available_for_robohelp_server_8.html

          Finally, please email me the Fortify report offline with as much info as you have; I will make sure it gets to the Adobe Engineering team immediately. It would also be helpful to understand a little about the application and how it is calling the help, to see if this is coloring the result.

          I am at john @ johndaigle dot com


          Thanks very much for reporting this and we'll keep you posted.

          John

          John Daigle
          Adobe Certified RoboHelp and Captivate Instructor
          Evergreen, Colorado
          http://www.showmethedemo.com

          • 2. Re: Beware - serious breach - cross site scripting errors in RoboHelp 8.0
            123majorBates Level 1

            I followed your directions and eventually was put in touch with an Adobe engineer, Tulika Garg. She was able to reproduce the problem. However, when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful. There are further errors with the .js files that Adobe has a QA engineer trying to reproduce. These are minor errors and not the serious errors I was encountering.