Solved

"always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info"

Posted on 2011-09-25
Last Modified: 2012-06-27
Hello,
I ran a free scan for my website on http://www.hackerguardian.com/. As a result, I got the following:

--------------------------
An attacker may change 'Content-Type' and 'Charset' for dinamically generated site, include some script in UTF-7 into the
page header and execute it for destructive actions
Solution: always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info

-----------------

I already set Content-Type and Charset in the meta tags section of my HTML, as they are placed at the top of the meta tags. Here is the meta-tag section of my generated HTML:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
<meta http-equiv="content-language" content="TR" />
<title></title>
.......


What do I need to do to fix this error?

Elcin
0
Question by:cuneytyagiz
10 Comments
 
LVL 9

Expert Comment

by:dexterrajesh
ID: 36597519
Hi,

Ensure that your declaration is working. Refer here: http://www.w3.org/International/O-charset
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36597571
You have two charset declarations.  The second should probably cancel out the first because you can't use two different ones at the same time.  Pick one and delete the other.

<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
0
 

Author Comment

by:cuneytyagiz
ID: 36597970
Hello DaveBaldwin:
I have removed one of the tags and what I have for meta tags section is as follows and the website still fails the PCI test for the same reason.

Elcin
-----------------------------------------


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="content-language" content="TR" />
<title>Hosting - Web Hosting</title>
<meta name="googlebot" content="Index, Follow" />
<meta name="distribution" content="global" />
<meta name="Revisit-After" content="1 Days" />
<meta name="email" content="XXXXXXXXXXxx" />
<meta name="author" content="NwComTr" />
<meta name="publisher" content="XXXXX" />
<meta name="copyright" content="XXXXXX" />
<meta name="rating" content="General" />
<meta name="distribution" content="Global" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="Pragma" content="no-cache" />
<meta name="robots" content="ALL" />
<meta name="Description" content="XXXXXXXXXXXXX" />
<meta name="Keywords" content="XXXXXXXXXXX" />
</head>
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36600313
Looks fine to me.  Do you have any frames or iframes loading other pages that might cause the problem?
0
 

Author Comment

by:cuneytyagiz
ID: 36600335
Hello DaveBaldwin:

I do not use frames or iframes

Elcin
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36600383
I just realized that scan will scan every page in your site, so you have to check every page.  ??
0
 

Author Comment

by:cuneytyagiz
ID: 36707798
Hello DaveBaldwin:
Actually, meta tags are mentioned in the master page and every page uses that master page.

Elcin
0
 

Accepted Solution

by:
cuneytyagiz earned 0 total points
ID: 36707803
Hello,
Since I couldn't find what the problem was with "Charset" & "Content-Type", I decided to filter out the querystring to see if there is any "not-acceptable" info. That worked.

Elcin
0
 

Author Closing Comment

by:cuneytyagiz
ID: 36895931
I had to find a work-around to solve my problem. The responses I got here didn't help.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36707998
Though that doesn't match the error message, query strings in the URLs should cause an error in PCI scanning because it is something that the users could change.
0
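
An added example, not part of any post in this thread and not the scanner's own logic: a Python check for what the thread discusses, namely whether a page declares its charset once and early (before `<title>`), and whether the HTTP `Content-Type` header also carries a charset, which browsers honour ahead of any `<meta>` tag. The function names, the regex-based tag matching and the sample markup (constructed from the `<head>` posted in the question) are assumptions of this example.

```python
import re

PRESCAN_LIMIT = 1024  # browsers look for the charset <meta> in the first 1024 bytes
META_RE = re.compile(rb"<meta\b[^>]*>", re.I)
CHARSET_RE = re.compile(rb"charset\s*=\s*[\"']?\s*([A-Za-z0-9._:-]+)", re.I)
TITLE_RE = re.compile(rb"<title\b", re.I)

# Constructed samples: the <head> as first posted, and with the second declaration removed.
ORIGINAL = b'''<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
<title></title></head>'''
FIXED = b"\n".join(l for l in ORIGINAL.split(b"\n") if b"iso-8859-9" not in l)

def header_charset(content_type):
    """Return the charset parameter of a Content-Type header value, or None."""
    m = re.search(r"charset\s*=\s*\"?([^;\"\s]+)", content_type or "", re.I)
    return m.group(1).lower() if m else None

def meta_charsets(html):
    """Return [(charset, end_offset)] for every <meta> tag that declares a charset."""
    found = []
    for tag in META_RE.finditer(html):
        m = CHARSET_RE.search(tag.group(0))
        if m:
            found.append((m.group(1).decode("ascii").lower(), tag.end()))
    return found

def audit_charset(html, content_type=None):
    """Return findings about how a page (bytes) declares its encoding."""
    hdr, metas = header_charset(content_type), meta_charsets(html)
    labels = [c for c, _ in metas]
    title = TITLE_RE.search(html)  # <title> often holds dynamic text
    checks = [
        (hdr is None, "no charset in HTTP Content-Type header"),
        (not metas, "no charset <meta> tag"),
        (metas and metas[0][1] > PRESCAN_LIMIT, "charset <meta> ends after byte %d" % PRESCAN_LIMIT),
        (metas and title and title.start() < metas[0][1], "charset <meta> comes after <title>"),
        (len(set(labels)) > 1, "multiple <meta> charsets: " + ", ".join(labels)),
        (hdr and labels and hdr not in labels, "header charset differs from <meta>"),
        ("utf-7" in labels + [hdr], "utf-7 declared"),
    ]
    return [msg for failed, msg in checks if failed]

if __name__ == "__main__":
    print(audit_charset(ORIGINAL), audit_charset(FIXED, "text/html; charset=windows-1254"))
```

The check only reports how the encoding is declared; it does not look at whether request data such as the query string is reflected into the page.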
