Solved

"always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info"

Posted on 2011-09-25
10
398 Views
Last Modified: 2012-06-27
Hello,
I ran a free scan for my website on http://www.hackerguardian.com/. As a result, I got the following:

--------------------------
An attacker may change 'Content-Type' and 'Charset' for dinamically generated site, include some script in UTF-7 into the
page header and execute it for destructive actions
Solution: always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info

-----------------

I already set Content-Type and Charset in the meta tags section of my html as they placed at the top of meta tags. Here is the meta-tag section of my generated html:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
<meta http-equiv="content-language" content="TR" />
<title></title>
.......


What do I need to do to fix this error?

Elcin
0
Comment
Question by:cuneytyagiz
  • 5
  • 4
10 Comments
 
LVL 9

Expert Comment

by:dexterrajesh
ID: 36597519
hi,

ensure if your declaration is working. refer here: http://www.w3.org/International/O-charset
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36597571
You have two charset declarations.  The second should probably cancel out the first because you can't use two different ones at the same time.  Pick one and delete the other.

<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
0
 

Author Comment

by:cuneytyagiz
ID: 36597970
Hello DaveBaldwin:
I have removed one of the tags and what I have for meta tags section is as follows and the website still fails the PCI test for the same reason.

Elcin
-----------------------------------------


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="content-language" content="TR" />
<title>Hosting - Web Hosting</title>
<meta name="googlebot" content="Index, Follow" />
<meta name="distribution" content="global" />
<meta name="Revisit-After" content="1 Days" />
<meta name="email" content="XXXXXXXXXXxx" />
<meta name="author" content="NwComTr" />
<meta name="publisher" content="XXXXX" />
<meta name="copyright" content="XXXXXX" />
<meta name="rating" content="General" />
<meta name="distribution" content="Global" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires"content="-1"/>
<meta http-equiv="Pragma" content="no-cache" />
<meta name="robots" content="ALL" />
<meta name="Description" content="XXXXXXXXXXXXX" />
<meta name="Keywords" content="XXXXXXXXXXX" />
</head>
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36600313
Looks fine to me.  Do you have any frames or iframes loading other pages that might cause the problem?
0
 

Author Comment

by:cuneytyagiz
ID: 36600335
Hello DaveBaldwin:

I do not use frames or iframes

Elcin
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36600383
I just realized, that scan will scan every page in your site so you have to check every page.  ??
0
 

Author Comment

by:cuneytyagiz
ID: 36707798
Hello DaveBaldwin:
Actually, meta tags are mentioned in the master page and every page uses that master page.

Elcin
0
 

Accepted Solution

by:
cuneytyagiz earned 0 total points
ID: 36707803
Hello,
Since I couldn't find what the problem was with "Charset" & "Content-Type". I decided to filter out the querystring to see if there is any "not-acceptable" info. That worked.

Elcin
0
 

Author Closing Comment

by:cuneytyagiz
ID: 36895931
I had to find a work-around to solve my problem. The resposes I got here didn't help.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36707998
Though that doesn't match the error message, query strings in the URLs should cause an error in PCI scanning because it is something that the users could change.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Building a website can seem like a daunting task to the uninitiated but it really only requires knowledge of two basic languages: HTML and CSS.
This article discusses how to create an extensible mechanism for linked drop downs.
In this tutorial viewers will learn how to embed Flash content in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: "<!DOCTYPE html>": Use the <object> tag to embed Flash content.: To specify that the object is Flash content, d…
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now