Microsoft ASP.NET Request Filtering Bypass Cross-Site Scripting Vulnerability
hi all. i’m sorry if this is something that’s already been covered, but i am a little bit desperate and very much in over my head. i’ve never had this kind of issue before and i’m by no means a developer; in fact, this issue essentially guarantees that i will not be pursuing a future in web design … so here goes.
i’ve used wordpress for years with nary an issue, until i developed a small, very basic site for my stepsister’s psychology lab. the site is to be hosted on her university’s network enterprise infrastructure blah blah meganetwork, and it has to pass an HP WebInspect security check before they’ll allow it to go live. I’ve had them run the scan twice now, and i keep getting this error:
Microsoft ASP.NET Request Filtering Bypass Cross-Site Scripting Vulnerability View Description ( 10179 )
Page: `https://stage.plumlab.pitt.edu:80/?searchsubmit=&s="></XSS/*-*/STYLE=xss:e/**/xpression(alert(097531))>`

Request:
```
GET /?searchsubmit=&s="></XSS/*-*/STYLE=xss:e/**/xpression(alert(097531))> HTTP/1.1
Referer: https://stage.plumlab.pitt.edu:80/privacy.html
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: stage.plumlab.pitt.edu
Connection: Keep-Alive
Cookie: CustomCookie=WebInspect68833ZX9B73B854A3C641D7892DCBE1AB306622YE74B;wordpress_test_cookie=WP+Cookie+check
```
Response:
```
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.11
X-Pingback: https://stage.plumlab.pitt.edu/xmlrpc.php
X-Powered-By: ASP.NET
Date: Fri, 28 Oct 2011 04:33:48 GMT
Content-Length: 16198
…TRUNCATED…
<h2 class='firstheading'>Search results for: \"></XSS/*-*/STYLE=xss:e/**/xpression(alert(097531))>
</h2>
<div class="entry entry-content" id…TRUNCATED…
```
i don’t even know what this means, let alone how to go about fixing it. i’m not an idiot, i’m just (quite honestly) not interested in dealing with this issue any more. it’s been months and months since i finished creating the site, and i need to get it up and running. i’d be happy to even hire someone to help me out of this, at this point. please just let me know if you can help…. happy thanksgiving!
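An added example, not part of the original post and not the site's theme code: the response in the scan shows the `s` search term written into the `firstheading` element without HTML-escaping, which is what the scanner flags as reflected cross-site scripting. The function names below are hypothetical, and the unescaped version assumes the theme prints the term the way the response suggests; in a WordPress theme the usual fix is to print the term with `the_search_query()` or `get_search_query()`, which escape by default.

```php
<?php
// Added illustration; function names are hypothetical, not from the site's theme.

// Behaviour implied by the scan response: the search term is concatenated
// into the heading as-is, so markup sent in ?s= becomes part of the page.
function heading_unescaped(string $term): string
{
    return "<h2 class='firstheading'>Search results for: " . $term . "</h2>";
}

// Corrected form: encode HTML metacharacters for the element-content context.
// ENT_QUOTES also encodes single quotes, which matters if the same value is
// ever placed inside an attribute such as the search box's value="".
function heading_escaped(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2 class='firstheading'>Search results for: " . $safe . "</h2>";
}

// Regression check a site owner can run before requesting a rescan:
// does the rendered HTML still contain the submitted term byte-for-byte?
function reflects_raw(string $html, string $term): bool
{
    return strpos($html, $term) !== false;
}

// The test string is the one shown in the scan request above.
$probe = '"></XSS/*-*/STYLE=xss:e/**/xpression(alert(097531))>';

foreach (['heading_unescaped', 'heading_escaped'] as $render) {
    $html = $render($probe);
    printf(
        "%-18s raw term reflected: %s\n  %s\n",
        $render,
        reflects_raw($html, $probe) ? 'yes' : 'no',
        $html
    );
}
```

Every place the theme prints the search term (heading, page title, search form value) needs the same treatment, since the scanner checks each reflection separately.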