<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>Advanced Edition calendar.asp calendarID XSS</title><link>http://www.aspplayground.net/forum/</link><description /><copyright>(c) ASP Playground Support Forum</copyright><ttl>30</ttl><item><title> RE: Advanced Edition calendar.asp calendarID XSS (Samuel)</title><description>  A patch has been released to improve the exception handling in this file, and thereby all possibilities of XSS exploit have also been removed. &lt;br&gt;   &lt;br&gt;  Thanks again for the post. &lt;br&gt;   </description><link>http://www.aspplayground.net/forum/fb.ashx?m=394089</link><pubDate>Wed, 18 Oct 2006 15:11:05 GMT</pubDate></item><item><title> RE: Advanced Edition calendar.asp calendarID XSS (Samuel)</title><description>  I am going to investigate this issue. At this moment I would say that the software does not respond to an invalid calendar ID. You can try on the demo forum &lt;br&gt;   &lt;br&gt;  &lt;a href="http://www.aspplayground.net/dem2/calendar.asp?calendarID=" target="_blank"&gt;http://www.aspplayground.net/dem2/calendar.asp?calendarID=&lt;/a&gt; &lt;br&gt;   &lt;br&gt;  You can specify the calendarID value. The software can only take the following formats for the calendarID value; otherwise it just throws an exception (simply stops processing the page in response to this type of intentional attack): &lt;br&gt;  &lt;ol&gt;&lt;li&gt;numeric value&lt;/li&gt;&lt;li&gt;string value of the following 3 specific strings: a, b, or u&lt;/li&gt;&lt;/ol&gt;If you try to put a non-numeric value, like 1b, as the calendarID, the software throws an exception. The exception looks like a SQL exception, which looks like the software sends some value to the SQL server, but in fact only an empty string was sent to the SQL server (just verified it) and therefore we get the "syntax error" error message. We process the calendarID value carefully and do not form any SQL string if the calendarID value is incorrect. 
&lt;br&gt;   &lt;br&gt;  At this point, I wouldn't just say the concern is not valid. I will take a deeper look into this issue and will do the following: &lt;br&gt;  &lt;ol&gt;&lt;li&gt;make sure the software doesn't throw an exception like this one, leaving a false impression that something on the SQL server end is very wrong.&lt;/li&gt;&lt;li&gt;see if there is indeed a risk of XSS exploit.&lt;/li&gt;&lt;/ol&gt;I will report back very soon.  &lt;br&gt;   &lt;br&gt;  Thanks for your concern and the link to the security issue. &lt;br&gt;   </description><link>http://www.aspplayground.net/forum/fb.ashx?m=394084</link><pubDate>Wed, 18 Oct 2006 12:23:36 GMT</pubDate></item><item><title> Advanced Edition calendar.asp calendarID XSS (Guest)</title><description>  We are about to purchase and install the Advanced Edition. We came across the flaw warning and would like to know if it has been addressed, or even if it is a valid concern? &lt;br&gt;  &amp;nbsp; &lt;br&gt;  &lt;a href="http://www.osvdb.org/29232" target="_blank"&gt;http://www.osvdb.org/29232&lt;/a&gt; &lt;br&gt;  &amp;nbsp; &lt;br&gt;  Thanks in advance. &lt;br&gt;   </description><link>http://www.aspplayground.net/forum/fb.ashx?m=394083</link><pubDate>Wed, 18 Oct 2006 06:16:24 GMT</pubDate></item></channel></rss>