Solved

Cross Site Scripting and ASP.NET

Posted on 2009-06-30
Last Modified: 2012-05-07
_LASTFOCUS, a default parameter in ASP.NET 2.0, is vulnerable to reflective cross site scripting (CSS).

One suggested solution was to apply the patch MS06-056/KB922770 on the server. (Downloadable from http://www.microsoft.com/technet/security/Bulletin/MS06-056.mspx.)

Unfortunately, the patch is not getting installed. The below link from Microsoft suggested re-installing the framework:
http://support.microsoft.com/kb/923100/

I did, but no luck - the patch would not install!

Any solutions? My main problem is to get rid of CSS - please suggest.
0
Question by:Jeevan Bordoloi
8 Comments
 
LVL 3

Expert Comment

by:tpsl
ID: 24745376
http://support.microsoft.com/kb/922770

Did anything on this link help?
0
 
LVL 3

Author Comment

by:Jeevan Bordoloi
ID: 24751417
I tried to install the patch, but couldn't install.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24777926
> .. a default parameter in ASP.NET 2.0,
Do you use that parameter? If not, simply disable the corresponding script.
0
 
LVL 3

Author Comment

by:Jeevan Bordoloi
ID: 24782707
Yes, we do
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 24782886
Then I see the following possibilities:
1) wait 'til you get an installable patch
2) fix the code
3) write a wrapper script which checks its input for XSS and forwards to the vulnerable script if the input matches your rules
0
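
Option 3 of the accepted answer, sketched as an added example that is not part of the original thread or anyone's posted code: an ASP.NET `IHttpModule` that rejects any request whose focus field is not a plain control identifier and lets every other request continue to the page. The class name, the allowed character set and the 400 response are assumptions; the field is checked under the name used in the question and under `__LASTFOCUS`, the name ASP.NET gives its hidden field.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the thread). LastFocusGuardModule is a hypothetical name.
public class LastFocusGuardModule : IHttpModule
{
    // Assumption: a legitimate value is empty or a control identifier made of
    // letters, digits, '_', '$' and ':'; anything else is treated as hostile.
    private static readonly Regex ControlId = new Regex(
        @"\A[A-Za-z_][A-Za-z0-9_$:]{0,255}\z", RegexOptions.CultureInvariant);

    // "_LASTFOCUS" as written in the question, "__LASTFOCUS" as ASP.NET renders it.
    private static readonly string[] GuardedFields = { "_LASTFOCUS", "__LASTFOCUS" };

    public void Init(HttpApplication app)
    {
        // Runs before the page handler, so the page never sees a rejected value.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        foreach (string name in GuardedFields)
        {
            if (IsAcceptable(req.QueryString.GetValues(name)) &&
                IsAcceptable(req.Form.GetValues(name)))
                continue;
            // Reject rather than strip markup: rewriting the value invites bypasses.
            app.Context.Response.StatusCode = 400;
            app.CompleteRequest();   // skip the page handler for this request
            return;
        }
    }

    // True when the field is absent, empty, or every supplied value is an identifier.
    public static bool IsAcceptable(string[] values)
    {
        if (values == null) return true;
        foreach (string v in values)
            if (!string.IsNullOrEmpty(v) && !ControlId.IsMatch(v)) return false;
        return true;
    }

    public void Dispose() { }
}
```

The module has to be registered in `web.config` (the `<httpModules>` section on the classic pipeline) to run for every page. It covers the gap while options 1 and 2, the framework patch and the code fix, are still pending.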
