?
Solved

"always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info"

Posted on 2011-09-25
10
Medium Priority
?
405 Views
Last Modified: 2012-06-27
Hello,
I ran a free scan for my website on http://www.hackerguardian.com/. As a result, I got the following:

--------------------------
An attacker may change 'Content-Type' and 'Charset' for dinamically generated site, include some script in UTF-7 into the
page header and execute it for destructive actions
Solution: always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info

-----------------

I already set Content-Type and Charset in the meta tags section of my html as they placed at the top of meta tags. Here is the meta-tag section of my generated html:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
<meta http-equiv="content-language" content="TR" />
<title></title>
.......


What do I need to do to fix this error?

Elcin
0
Comment
Question by:cuneytyagiz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 9

Expert Comment

by:dexterrajesh
ID: 36597519
hi,

ensure if your declaration is working. refer here: http://www.w3.org/International/O-charset
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36597571
You have two charset declarations.  The second should probably cancel out the first because you can't use two different ones at the same time.  Pick one and delete the other.

<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
0
 

Author Comment

by:cuneytyagiz
ID: 36597970
Hello DaveBaldwin:
I have removed one of the tags and what I have for meta tags section is as follows and the website still fails the PCI test for the same reason.

Elcin
-----------------------------------------


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="content-language" content="TR" />
<title>Hosting - Web Hosting</title>
<meta name="googlebot" content="Index, Follow" />
<meta name="distribution" content="global" />
<meta name="Revisit-After" content="1 Days" />
<meta name="email" content="XXXXXXXXXXxx" />
<meta name="author" content="NwComTr" />
<meta name="publisher" content="XXXXX" />
<meta name="copyright" content="XXXXXX" />
<meta name="rating" content="General" />
<meta name="distribution" content="Global" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires"content="-1"/>
<meta http-equiv="Pragma" content="no-cache" />
<meta name="robots" content="ALL" />
<meta name="Description" content="XXXXXXXXXXXXX" />
<meta name="Keywords" content="XXXXXXXXXXX" />
</head>
0
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36600313
Looks fine to me.  Do you have any frames or iframes loading other pages that might cause the problem?
0
 

Author Comment

by:cuneytyagiz
ID: 36600335
Hello DaveBaldwin:

I do not use frames or iframes

Elcin
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36600383
I just realized, that scan will scan every page in your site so you have to check every page.  ??
0
 

Author Comment

by:cuneytyagiz
ID: 36707798
Hello DaveBaldwin:
Actually, meta tags are mentioned in the master page and every page uses that master page.

Elcin
0
 

Accepted Solution

by:
cuneytyagiz earned 0 total points
ID: 36707803
Hello,
Since I couldn't find what the problem was with "Charset" & "Content-Type". I decided to filter out the querystring to see if there is any "not-acceptable" info. That worked.

Elcin
0
 

Author Closing Comment

by:cuneytyagiz
ID: 36895931
I had to find a work-around to solve my problem. The resposes I got here didn't help.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36707998
Though that doesn't match the error message, query strings in the URLs should cause an error in PCI scanning because it is something that the users could change.
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Originally, this post was published on Monitis Blog, you can check it here . Websites are getting bigger and more complicated by the day. Video, images and custom fonts are all great for showcasing your product or service. But the price to pay in…
In this tutorial viewers will learn how to style elements, such a divs, with a "drop shadow" effect using the CSS box-shadow property Start with a normal styled element, such as a div.: In the element's style, type the box shadow property: "box-shad…
HTML5 has deprecated a few of the older ways of showing media as well as offering up a new way to create games and animations. Audio, video, and canvas are just a few of the adjustments made between XHTML and HTML5. As we learned in our last micr…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question