
"always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info"

Hello,
I ran a free scan for my website on http://www.hackerguardian.com/. As a result, I got the following:

--------------------------
An attacker may change 'Content-Type' and 'Charset' for dinamically generated site, include some script in UTF-7 into the
page header and execute it for destructive actions
Solution: always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info

-----------------

I already set Content-Type and Charset in the meta tags section of my HTML, and they are placed at the top of the meta tags. Here is the meta-tag section of my generated HTML:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
<meta http-equiv="content-language" content="TR" />
<title></title>
.......


What do I need to do to fix this error?

Elcin
 
dexterrajesh commented:
Hi,

Check whether your declaration is working. Refer here: http://www.w3.org/International/O-charset

Dave Baldwin (Fixer of Problems) commented:
You have two charset declarations.  The second should probably cancel out the first because you can't use two different ones at the same time.  Pick one and delete the other.

<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />

cuneytyagiz (Author) commented:
Hello DaveBaldwin:
I have removed one of the tags and what I have for meta tags section is as follows and the website still fails the PCI test for the same reason.

Elcin
-----------------------------------------


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="content-language" content="TR" />
<title>Hosting - Web Hosting</title>
<meta name="googlebot" content="Index, Follow" />
<meta name="distribution" content="global" />
<meta name="Revisit-After" content="1 Days" />
<meta name="email" content="XXXXXXXXXXxx" />
<meta name="author" content="NwComTr" />
<meta name="publisher" content="XXXXX" />
<meta name="copyright" content="XXXXXX" />
<meta name="rating" content="General" />
<meta name="distribution" content="Global" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="Pragma" content="no-cache" />
<meta name="robots" content="ALL" />
<meta name="Description" content="XXXXXXXXXXXXX" />
<meta name="Keywords" content="XXXXXXXXXXX" />
</head>
 
Dave Baldwin (Fixer of Problems) commented:
Looks fine to me.  Do you have any frames or iframes loading other pages that might cause the problem?

cuneytyagiz (Author) commented:
Hello DaveBaldwin:

I do not use frames or iframes

Elcin

Dave Baldwin (Fixer of Problems) commented:
I just realized, that scan will scan every page in your site so you have to check every page.  ??

cuneytyagiz (Author) commented:
Hello DaveBaldwin:
Actually, meta tags are mentioned in the master page and every page uses that master page.

Elcin

cuneytyagiz (Author) commented:
Hello,
Since I couldn't find what the problem was with "Charset" & "Content-Type", I decided to filter out the querystring to see if there is any "not-acceptable" info. That worked.

Elcin

cuneytyagiz (Author) commented:
I had to find a work-around to solve my problem. The responses I got here didn't help.

Dave Baldwin (Fixer of Problems) commented:
Though that doesn't match the error message, query strings in the URLs should cause an error in PCI scanning because it is something that the users could change.
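
Added example, not part of the thread and not code from any participant or from the scanner: a small Python check for the scanner's rule (charset declared before any changeable info) plus the duplicate-declaration problem raised above. The function name, finding codes and the `sample-term` page are assumptions made for illustration; the header check goes beyond the scanner's wording and relies on the HTTP `Content-Type` charset taking precedence over `<meta>`.

```python
import re

# charset=... inside a <meta> tag (http-equiv form or HTML5 <meta charset>).
META_RE = re.compile(r'<meta\b[^>]*?charset\s*=\s*["\']?\s*([\w.:-]+)', re.I)
# charset=... inside a Content-Type header value.
HDR_RE = re.compile(r'charset\s*=\s*"?([\w.:-]+)', re.I)


def audit_charset(content_type, body, reflected=()):
    """Return sorted finding codes for one HTTP response.

    content_type: Content-Type response header value ('' if absent)
    body:         HTML text of the response
    reflected:    request values (e.g. query-string parameters) to look for
    """
    findings = set()
    hdr = HDR_RE.search(content_type or "")
    hdr_cs = hdr.group(1).lower() if hdr else None
    metas = [(m.start(), m.group(1).lower()) for m in META_RE.finditer(body)]
    meta_names = {cs for _, cs in metas}

    if hdr_cs is None:
        findings.add("no-charset-in-header" if metas else "no-charset-declared")
    if len(meta_names) > 1:
        findings.add("conflicting-meta-charsets")
    if hdr_cs and meta_names and meta_names != {hdr_cs}:
        findings.add("header-meta-mismatch")

    # The header charset takes precedence over <meta>; without it, the first
    # <meta> declaration must come before anything the request can influence.
    first_meta = metas[0][0] if metas else len(body)
    if hdr_cs is None:
        for value in reflected:
            if value and 0 <= body.find(value) < first_meta:
                findings.add("reflected-before-charset")
    return sorted(findings)


# Constructed samples: the head from the question, and a page that echoes a
# query-string value in <title> ahead of its charset declaration.
QUESTION_HEAD = (
    '<html xmlns="http://www.w3.org/1999/xhtml"><head>\n'
    '<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />\n'
    '<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />\n'
)
ECHO_PAGE = (
    '<html><head><title>Results for sample-term</title>\n'
    '<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />\n'
)
```

Run it against each rendered page together with the query-string values sent in the request; an empty list means the charset is declared consistently and ahead of any echoed input.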