Security Updates for X-JavaScripts
Improved JavaScript cross site security to check pre-post domains, and to work with the CGI security updates. Many more changes are still required to help perform all checks, like for secure.netsolhost.com/www.kitchenpages.com, etc…
FILE scheme users will get a “UN-AUTHORISED TECHNOLOGY” message for a few days. Another update to KitCADi3 will allow FILE scheme users to process post forms at a later date (not today – but soon, less than 10 days?)
Other changes to all POST FORMS have fixed errors of missing Object item KPD files.
🙂
November 4th, 2007 at 5:29 pm
Added kitcadi3_authorise.cgi to create an allowed domains list in javascript. kitcadi3_authorise.conf controls allowed domains.
Added an example of _authorise.htm which shows information returned as script
**WARNING: the _authorise.htm example page is AUTHORISED and will allow cross scripting exploits (the page is AUTHORISED and so can read data from other domains – not good – no example exploits provided)
November 12th, 2007 at 8:12 pm
Corrected support for SSL – changes made to script src URI links to use “../../cgi-bin/kitcadi3_authorise.cgi”
Test with SSL link
**WARNING: the _authorise.htm example page is AUTHORISED and will allow cross scripting exploits (the page is AUTHORISED and so can read data from other domains – not good – no example exploits provided)
November 12th, 2007 at 8:34 pm
WARNING NOTICE, and INFO: the _authorise.htm as listed below is an example page that is AUTHORISED and will allow cross scripting exploits (the page is AUTHORISED and so can read data from other domains – not good – no example exploits provided).
The default kitcadi3_authorise.conf settings that disable cross scripting security are:
/Index.html
/_Index.html
/_Index.xhtml
/_authorise.htm
The kitcadi3_authorise.conf settings SHOULD NOT be extended to include:
/_i3user.htm
/_i3file.htm
/svg10/_i3_svg.htm
/vml10/_i3_vml.htm
/vrml97/_i3_vrml.htm
/vrml97/_i3_x3dv.htm
/quote/_i3_est.htm
/pdf11/_i3_pdf.htm
/ahc10/_i3_ahc.htm
/wpfe10/_i3_wpfe.htm
/hmf14/_i3_hmf.htm
/kp227/_i3_kp2.htm
SETTING A URI IN kitcadi3_authorise.conf WILL OVERRIDE THE SECURITY DEFAULT OF 1&&x TO 0&&x. E.g. 1&&1 and 1&&0 become 0&&1 and 0&&0 (allow cross scripting exploits – bad!).
The example below only tests for 1&&1 to show the disabled message:
    try {
        // Page is not authorised and the opener's domain differs from ours: refuse the post.
        if (authorised == "0" && self.opener.parent.codebar.document.domain.toLowerCase() != document.domain.toLowerCase()) {
            document.formp.data.value = "POST BY UN-AUTHORISED DOMAIN";
        }
    } catch (e) {
        // Reading the opener's domain threw (no opener, or the browser blocked the read).
        if (authorised == "0" && document.location.protocol.toLowerCase() != "file:") {
            document.formp.data.value = "UN-AUTHORISED TECHNOLOGY";
        }
    }
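As an added illustration (not KitCADi3's own code), the following models how the `authorised` flag is assumed to be derived from the paths in kitcadi3_authorise.conf, adds a defender-side lint for the pages that must never be listed, and refactors the post-form check above into a pure function; the function names and the exact conf matching rule are assumptions.

```javascript
// Added example, not KitCADi3's own code. Names and the conf matching rule are assumptions.

// Default conf entries from the post (pages allowed to skip the cross-domain check).
var DEFAULT_AUTHORISE_CONF = ["/Index.html", "/_Index.html", "/_Index.xhtml", "/_authorise.htm"];

// Pages the post says must never be added to the conf.
var NEVER_AUTHORISE = ["/_i3user.htm", "/_i3file.htm", "/svg10/_i3_svg.htm", "/vml10/_i3_vml.htm",
  "/vrml97/_i3_vrml.htm", "/vrml97/_i3_x3dv.htm", "/quote/_i3_est.htm", "/pdf11/_i3_pdf.htm",
  "/ahc10/_i3_ahc.htm", "/wpfe10/_i3_wpfe.htm", "/hmf14/_i3_hmf.htm", "/kp227/_i3_kp2.htm"];

// Assumed CGI rule: a listed path yields "1" (security default 1&&x overridden to 0&&x,
// i.e. checks disabled); any other path yields "0" (checks enforced).
function authorisedFlag(conf, pagePath) {
  return conf.indexOf(pagePath) !== -1 ? "1" : "0";
}

// Defender-side lint: report conf entries that the post says must never be authorised.
function dangerousConfEntries(conf) {
  return conf.filter(function (p) { return NEVER_AUTHORISE.indexOf(p) !== -1; });
}

// The post check. getOpenerDomain stands in for self.opener.parent.codebar.document.domain
// and throws when there is no opener or the browser blocks the cross-origin read; that
// throw is what selects the catch branch. Returns the message the snippet writes into
// formp.data, or "" when the snippet writes nothing.
function postCheck(authorised, getOpenerDomain, ownDomain, protocol) {
  try {
    if (authorised == "0" && getOpenerDomain().toLowerCase() != ownDomain.toLowerCase()) {
      return "POST BY UN-AUTHORISED DOMAIN";
    }
  } catch (e) {
    if (authorised == "0" && protocol.toLowerCase() != "file:") {
      return "UN-AUTHORISED TECHNOLOGY";
    }
  }
  return "";
}
```

Note that an authorised page ("1") returns "" for every input, which is exactly the disabled-check state the warnings above describe.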