1 Reply Latest reply on Feb 23, 2012 7:24 PM by Praful_Jain

    RoboHelp 9 - Enabling the cookie secure flag

    chrispeco

      Hello All - Have a question about RoboHelp 9 and a security vulnerability.  We discovered a vulnerability in the webhelp output we produce so I am starting here.  The site requires authentication and then passes it into the page, so we believe that RoboHelp uses frames within its framework. The use of frames in authenticated sites is not recommended and as mentioned is a security vulnerability.

      The new version fixes the cross-site scripting vulnerability involving the query string (example.paychex.com/path?XSS) but introduces an equivalent vulnerability with the URL hash tag (example.site.com/path#XSS). Normally, anything after the hash tag is considered a “fragment identifier”, which is a reference to some position in the document. Seems the vulnerability is due to the enabling cookie secure flag.

       

      Has anyone heard of this?

      Thanks.
      Chris

        • 1. Re: RoboHelp 9 - Enabling the cookie secure flag
          Praful_Jain Level 3

          hi Chris,

           

          Adobe RoboHelp team is looking into issue, and will keep the user forum updated of the progress. In the mean time, can you please provide the following information

          • Webserver configuration where the help output is published
          • Authentication mechanism used by the webserver.
          • Sample URL which contains XSS which on click shows some alert message or other vulnerability.

           

          Thanks

          Praful Jain

          Adobe RoboHelp Team