(Originally reported by fdevedrines)
The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b05b\'%3balert(1)//508e8ca2e0a was submitted in the _TSM_HiddenField_ parameter. This input was echoed as 6b05b\\';alert(1)//508e8ca2e0a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The mitigation is twofold:
1) Encapsulate the request parameter in double quotation marks
2) Validate the request parameter and trim any potential malicious data
fdevedrines wrote Mar 1 at 1:40 PM
The patch is available at http://ajax.codeplex.com/Project/Download/FileDownload.aspx?DownloadId=108879
Comments: Could someone please let me know whether the reported issue be resolved?
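The echo described in the report, reproduced as an added example (not code from the original report, the patch, or the toolkit). It assumes the server prefixes quotes with a backslash but leaves existing backslashes alone; the function names, the allow-list pattern and the sample field value in the usage are hypothetical.

```javascript
// Constructed sample: the decoded payload from the report (%3b is ';').
const PAYLOAD = "6b05b\\';alert(1)//508e8ca2e0a";

// Assumed model of the flawed encoder: quotes get a backslash, but an
// existing backslash is left alone, so \' becomes \\' (as in the echo).
function naiveEscape(value) {
  return value.replace(/'/g, "\\'");
}

// Hardened encoder: every character outside [A-Za-z0-9_] becomes \uXXXX,
// so neither quote style, backslash, '<' nor newlines reach the literal.
function jsStringEncode(value) {
  return value.replace(/[^A-Za-z0-9_]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hypothetical allow-list for the field value (assumption: identifier-like).
function isValidFieldValue(value) {
  return /^[A-Za-z0-9_]{1,128}$/.test(value);
}

// Scan a single-quoted literal body the way a JS tokenizer would and return
// whatever follows the first unescaped quote (the part that runs as code).
function codeAfterLiteral(escapedBody) {
  const src = "'" + escapedBody + "'";
  for (let i = 1; i < src.length; i++) {
    if (src[i] === "\\") { i++; continue; } // skip the escaped character
    if (src[i] === "'") return src.slice(i + 1);
  }
  return null; // unterminated literal
}

// Naive path: the literal closes early and the rest is parsed as script.
console.log(codeAfterLiteral(naiveEscape(PAYLOAD)));
// Hardened path: nothing follows the closing quote.
console.log(JSON.stringify(codeAfterLiteral(jsStringEncode(PAYLOAD))));
```

Validation and encoding are independent layers: the allow-list rejects the payload outright, and the encoder keeps the literal intact even if validation is bypassed or loosened later.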