
Symptoms


1. During security scanning they identified a MongoDB NoSQL injection issue with the parameter "pattern" in the Calendar AJAX control.

https://ss-jhd-wfsft/Runtime/Runtime/CalendarAJAXCall.ashx

They were able to inject a value into the parameter "pattern" and they get a response back.

2. Microsoft Windows MHTML Cross-Site Scripting

3. Missing Secure Attribute in Encrypted Session (SSL) Cookie

Please find attached doc for more info.
 

Diagnoses


Feedback from our security expert here in Labs:

The below would be my response to the client:
There are no fixes necessary for K2 to make - Please see below for further detail:

Issue 1 (MongoDB SQL injection):
This is a false positive reported by the security tool used. We do not use any MongoDB NoSQL components, and the request being made does not even go to MSSQL. All the request does is take the date value supplied, parse it into a DateTime object and then convert it to the pattern supplied.
Thus there is no security issue present and nothing for K2 to fix.

Issue 2 (MHTML XSS - all variants):
This is a false positive reported by the security tool used. We do not make use of any MHTML, and even though the attack string is reflected back to the client, it is encapsulated in an error XML structure with a content type set to TEXT, which means it would not execute the injected script if opened directly in a browser or through the calendar control. The calendar control also handles the error gracefully.
Tested that all supported browsers do not cause any scripting with the supplied attack strings.
Thus no security issue to be fixed.

Issue 3 (Insecure Cookie):
Although a valid finding, this is something that the client can configure themselves. Please note, however, that if the client's configuration has both HTTP and HTTPS sites for the designer or runtime sites, this configuration cannot be done:
1. Runtime and designer site web.config
a. Search for all "requireSSL" attributes and set them to true
b. Add the below to the main node:

2. Forms STS web.config
a. You'll notice there are a couple of nodes among the child nodes of the configuration node.
Add a node directly under the configuration node with the following:

3. Windows STS web.config
Not really necessary to add any configuration, but doing the same as the Forms STS config won't hurt.

The path is below:

[Install Dir]:\Program Files (x86)\K2 blackpearl\WebServices\Identity\Sts\Windows
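The configuration snippets the expert refers to ("Add the below to the main node") did not survive on this page, so the following is an added example, not K2's code and not the exact nodes from the original reply. It is a PowerShell script that applies step 1 to one web.config: it flips every requireSSL attribute to true and ensures a standard ASP.NET httpCookies element with requireSSL="true" and httpOnlyCookies="true" sits under system.web. The httpCookies element, the system.web location, and the .bak backup path are this example's assumptions.

```powershell
# Added example (not K2's own code): harden cookie settings in an ASP.NET web.config
# as described under Issue 3. Assumes the standard ASP.NET <forms requireSSL="..."> and
# <httpCookies requireSSL="..." httpOnlyCookies="..."/> elements; the nodes the K2
# expert actually had in mind are not on this page.
param(
    [Parameter(Mandatory = $true)]
    [string]$WebConfigPath,
    [switch]$WhatIf
)

# Resolve to an absolute path: XmlDocument.Save() does not use PowerShell's current location.
$WebConfigPath = (Resolve-Path -Path $WebConfigPath).Path
[xml]$config = Get-Content -Path $WebConfigPath -Raw
$changes = @()

# Step 1a: every requireSSL attribute anywhere in the file (e.g. on <forms>) becomes "true".
foreach ($attr in $config.SelectNodes('//@requireSSL')) {
    if ($attr.Value -ne 'true') {
        $changes += "$($attr.OwnerElement.Name): requireSSL '$($attr.Value)' -> 'true'"
        $attr.Value = 'true'
    }
}

# Step 1b: make sure <system.web><httpCookies requireSSL="true" httpOnlyCookies="true"/>
# exists, so every cookie ASP.NET emits carries the Secure and HttpOnly attributes.
$systemWeb = $config.configuration.SelectSingleNode('system.web')
if (-not $systemWeb) {
    $systemWeb = $config.configuration.AppendChild($config.CreateElement('system.web'))
    $changes += 'added <system.web>'
}
$httpCookies = $systemWeb.SelectSingleNode('httpCookies')
if (-not $httpCookies) {
    $httpCookies = $systemWeb.AppendChild($config.CreateElement('httpCookies'))
    $changes += 'added <httpCookies>'
}
foreach ($name in 'requireSSL', 'httpOnlyCookies') {
    if ($httpCookies.GetAttribute($name) -ne 'true') {
        $changes += "httpCookies: $name -> 'true'"
        $httpCookies.SetAttribute($name, 'true')
    }
}

if ($changes.Count -eq 0) {
    Write-Host "No changes needed in $WebConfigPath"
}
elseif ($WhatIf) {
    Write-Host "Would change $WebConfigPath :`n  $($changes -join "`n  ")"
}
else {
    # Keep a copy of the original before writing (assumed .bak naming).
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
    $config.Save($WebConfigPath)
    Write-Host "Updated $WebConfigPath (backup at $WebConfigPath.bak):`n  $($changes -join "`n  ")"
}
```

Run it with -WhatIf first against each web.config in step 1 and 2 (Runtime site, Designer site, Forms STS) to see what would change, then without it to apply. The expert's caveat still holds: with requireSSL="true" ASP.NET refuses to issue the forms-authentication cookie over plain HTTP, so a deployment that serves the same site on both HTTP and HTTPS must move fully to HTTPS before this change, and the Runtime and Designer sites should be checked in a browser afterwards.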
 

Resolution

My Last response was:
"
Kindly close the ticket from your respected side. All the questions have been answered.
"
My earlier reply was:
"
[identical to the security expert's feedback quoted under Diagnoses above]
"