Solved

"always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info"

Posted on 2011-09-25
Last Modified: 2012-06-27
Hello,
I ran a free scan for my website on http://www.hackerguardian.com/. As a result, I got the following:

--------------------------
An attacker may change 'Content-Type' and 'Charset' for dinamically generated site, include some script in UTF-7 into the
page header and execute it for destructive actions
Solution: always set 'Content-Type' and 'Charset' for html page via 'meta' tag before any changeable info

-----------------

I already set Content-Type and Charset in the meta tags section of my HTML, as they are placed at the top of the meta tags. Here is the meta-tag section of my generated HTML:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
<meta http-equiv="content-language" content="TR" />
<title></title>
.......


What do I need to do to fix this error?

Elcin
0
Question by:cuneytyagiz
10 Comments
 
LVL 9

Expert Comment

by:dexterrajesh
ID: 36597519
Hi,

Ensure that your declaration is working. Refer here: http://www.w3.org/International/O-charset
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36597571
You have two charset declarations.  The second should probably cancel out the first because you can't use two different ones at the same time.  Pick one and delete the other.

<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
0
 

Author Comment

by:cuneytyagiz
ID: 36597970
Hello DaveBaldwin:
I have removed one of the tags and what I have for meta tags section is as follows and the website still fails the PCI test for the same reason.

Elcin
-----------------------------------------


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
<meta http-equiv="content-language" content="TR" />
<title>Hosting - Web Hosting</title>
<meta name="googlebot" content="Index, Follow" />
<meta name="distribution" content="global" />
<meta name="Revisit-After" content="1 Days" />
<meta name="email" content="XXXXXXXXXXxx" />
<meta name="author" content="NwComTr" />
<meta name="publisher" content="XXXXX" />
<meta name="copyright" content="XXXXXX" />
<meta name="rating" content="General" />
<meta name="distribution" content="Global" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires"content="-1"/>
<meta http-equiv="Pragma" content="no-cache" />
<meta name="robots" content="ALL" />
<meta name="Description" content="XXXXXXXXXXXXX" />
<meta name="Keywords" content="XXXXXXXXXXX" />
</head>
0

 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36600313
Looks fine to me.  Do you have any frames or iframes loading other pages that might cause the problem?
0
 

Author Comment

by:cuneytyagiz
ID: 36600335
Hello DaveBaldwin:

I do not use frames or iframes

Elcin
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36600383
I just realized, that scan will scan every page in your site so you have to check every page.  ??
0
 

Author Comment

by:cuneytyagiz
ID: 36707798
Hello DaveBaldwin:
Actually, meta tags are mentioned in the master page and every page uses that master page.

Elcin
0
 

Accepted Solution

by:
cuneytyagiz earned 0 total points
ID: 36707803
Hello,
Since I couldn't find what the problem was with "Charset" & "Content-Type", I decided to filter out the querystring to see if there is any "not-acceptable" info. That worked.

Elcin
0
 

Author Closing Comment

by:cuneytyagiz
ID: 36895931
I had to find a work-around to solve my problem. The responses I got here didn't help.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36707998
Though that doesn't match the error message, query strings in the URLs should cause an error in PCI scanning because it is something that the users could change.
0
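The scanner's advice and the replies in this thread can be turned into a check run against a captured response: one charset declaration, agreeing with the HTTP header, placed before anything taken from the request. This is an added example, not code from the thread or from the scanner; the function name, the sample responses and the 1024-byte limit (the HTML5 rule for where a meta charset declaration must appear) are assumptions that do not come from the page.

```python
import re

# Hypothetical helper names; sample responses below are constructed for illustration.
META_RE = re.compile(rb'<meta\b[^>]*?charset\s*=\s*["\']?\s*([A-Za-z0-9._:-]+)', re.I)
HDR_RE = re.compile(r'charset\s*=\s*"?([^\s;"]+)', re.I)

def audit_charset(content_type, body, reflected=()):
    """Return findings for one response.

    content_type -- Content-Type response header value, or None
    body         -- raw response bytes
    reflected    -- request values (e.g. query-string values) the page may echo
    """
    findings = []
    m = HDR_RE.search(content_type or "")
    hdr = m.group(1).lower() if m else None
    if hdr is None:
        findings.append("header: no charset in Content-Type")
    metas = [(x.start(), x.group(1).decode("ascii").lower())
             for x in META_RE.finditer(body)]
    if not metas:
        findings.append("meta: no charset declaration")
        return findings
    first_pos, first_cs = metas[0]
    distinct = sorted({cs for _, cs in metas})
    if len(distinct) > 1:
        findings.append("meta: conflicting charsets " + ", ".join(distinct))
    if hdr and hdr != first_cs:
        findings.append(f"mismatch: header {hdr} vs meta {first_cs}")
    if first_pos >= 1024:
        findings.append("meta: declaration not within first 1024 bytes")
    for value in reflected:  # "changeable info" must come after the declaration
        pos = body.find(value.encode("utf-8"))
        if 0 <= pos < first_pos:
            findings.append(f"order: request value {value!r} echoed before charset meta")
    return findings

META = b'<meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />\n'
# Constructed: the question's first <head>, served without a charset in the header.
ORIGINAL = (b'<html xmlns="http://www.w3.org/1999/xhtml">\n<head>\n' + META +
            b'<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />\n'
            b'<title></title>\n</head>')
# Constructed: a title built from a query-string value, placed above the meta tag.
ECHO_FIRST = b'<html><head><title>Results for hosting</title>\n' + META + b'</head>'
# Constructed: single declaration first in <head>, matching the header.
FIXED = b'<html><head>\n' + META + b'<title>Results for hosting</title></head>'
```

Run it over every generated page and every parameter the page echoes, since a declaration in the master page does not cover content written above it.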


Question has a verified solution.
