We have an application which uses Infragistics controls. We have been using Infragistics DLLs version 11.1 in our application (version 11.1.20111.2064). Our application is running on ASP.NET framework 3.5.
We have scanned our application for vulnerabilities and found that a couple of the Infragistics JavaScript functions were flagged as having cross-site scripting vulnerabilities.
Below are a few of them:
ig_webtree.js
function igtree_tree(treeId, _treeElement,treeProps)
ig_spellcheckerdialog.js
function ig_CreateWebSpellCheckerDialog(props)
ig_shared.js
So, what would be the approach that needs to be taken now? Is there a latest version of the DLLs which has these issues addressed?
Please advise!
Hello Bhargav,
Please note that a number of the mentioned scripts are used by controls which have been retired since 11.1 and are no longer maintained. A detailed list of the retired controls and their respective replacements may be found at:
http://www.infragistics.com/community/blogs/taz_abdeali/archive/2011/11/17/asp-net-product-changes-in-2011-volume-2.aspx
Also, please note that CLR 3.5 is not supported for versions after 12.2:
http://www.infragistics.com/support/supported-environments
For any of the non-retired controls, in order to investigate any possible cross-site scripting vulnerabilities, I would need working samples with the precise steps to reproduce the issue.
Please do not hesitate to contact me if you need more information.
Hi Petar,
Thanks for getting back to me. We have been using these controls in our application. Recently we submitted our application to a scan which reports any possible vulnerabilities. As I have mentioned, those three JavaScript files, along with a couple of others, have been identified as vulnerabilities for our application. I have included the screenshots for the same.
Also, can you please help me by sending the recent versions of the JavaScript files listed below.
ig_webcalendarview.js
ig_webdayview.js
ig_webGauge.js
ig_webmonthview.js
ig_webscheduleinfo.js
In the attachment I have included the screenshots where it has pinpointed the root of the vulnerability and also the function where the vulnerability was thrown. Please let me know the plan of action that you are going to take in this regard. Will you be working on our JavaScript files to fix the issue? Also, please let me know if you need any other information.
Thank you for your reply.
As mentioned previously, please note that in order to investigate any possible vulnerabilities in the scripts, I would need a working sample illustrating how each of the mentioned functions may be potentially exploited. This would allow our engineers to examine this matter further. Note however that if any fixes are implemented, these would be released only for the versions having Service Release support, and not for 11.1.
Regarding the scripts used, please note that ig_webtree.js relates to the UltraWebTree, a control which has been retired and is no longer maintained. Therefore, no fixes are made anymore for that control:
http://www.infragistics.com/support/product-lifecycle
Feel free to contact me if you need more information.
Please feel free to contact me if you need any additional information regarding this matter.
Sorry, I was working on other things which took more priority. At our end we use a security scanning tool called Fortify Audit Workbench to scan our code, and this tool has reported outstanding High issues which are all pointing to the Infragistics JavaScript functions. We need someone to address these issues in those JavaScript functions so that our application will become less vulnerable.
ig_WebCalendarView.prototype.callbackRender = function(response, context)
Details of the vulnerabilities
The file ig_webcalendarview.js interprets unvalidated user input as source code on line 503. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
and the exact code where we have issues is
var json = eval(response.replace(/\^/g, "\""));
and the recommendations for this vulnerability are
Avoid dynamic code interpretation whenever possible. If your program's functionality requires code to be interpreted dynamically, the likelihood of attack can be minimized by constraining the code your program will execute dynamically as much as possible, limiting it to an application- and context-specific subset of the base programming language.
If dynamic code execution is required, unvalidated user input should never be directly executed and interpreted by the application. Instead, a level of indirection should be introduced: create a list of legitimate operations and data objects that users are allowed to specify, and only allow users to select from the list. With this approach, input provided by users is never executed directly.
We have similar kinds of issues reported for the following JavaScript functions,
all of them having the same vulnerability for the below code.
The following were the OWASP standards references reported for these vulnerabilities:
[1] A1 Injection, Standards Mapping - OWASP Top 10 2010 - (OWASP 2010)
[2] A1 Injection, Standards Mapping - OWASP Top 10 2013 - (OWASP 2013)
[3] A2 Injection Flaws, Standards Mapping - OWASP Top 10 2007 - (OWASP 2007)
[4] A3 Malicious File Execution, Standards Mapping - OWASP Top 10 2007 - (OWASP 2007)
[5] A6 Injection Flaws, Standards Mapping - OWASP Top 10 2004 - (OWASP 2004)
Regarding your earlier reply, wherein you asked for a working copy of the code: we could not provide that because ours is a financial firm and it becomes a security violation if we share our code outside the firm. That's the reason I have mentioned the vulnerabilities here. So we need immediate attention for these issues so that we can close out these vulnerabilities ASAP.
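The eval-based parse quoted above, shown beside a hardened version that treats the callback response as data rather than code. This is an added example, not Infragistics code; it assumes the server emits strict JSON once the "^" substitution is undone, and the function names and sample responses are constructed for illustration.

```javascript
// Added example (not Infragistics code): the pattern Fortify flagged in
// ig_webcalendarview.js, beside a hardened replacement that parses the
// response as data instead of executing it. The "^" -> '"' substitution
// mirrors the flagged line; everything else is assumed for illustration.

// Unsafe: whatever the callback response contains is run as JavaScript.
function parseCallbackResponseUnsafe(response) {
  return eval(response.replace(/\^/g, "\""));
}

// Safe: undo the same transport quirk, then parse the text as JSON data.
// JSON.parse never executes anything; a response that is not strict JSON
// (a function call, an expression, unquoted keys) raises a SyntaxError.
// Caveat: this assumes the server emits strict JSON after the substitution.
// A legitimate "^" inside a string value would still become a quote, so the
// server must encode such characters some other way.
function parseCallbackResponseSafe(response) {
  const text = response.replace(/\^/g, "\"");
  try {
    return JSON.parse(text);
  } catch (e) {
    throw new Error("callback response is not valid JSON: " + e.message);
  }
}

// Shows that the safe parser accepts data and rejects what eval would run.
function demo() {
  // Constructed sample of the expected transport format (data only).
  const benign = "{^items^:[{^day^:1,^title^:^Review^}]}";
  // Constructed sample carrying an expression rather than data.
  const hostile = "[1,2,3].map(function(x){return x*2})";
  const result = { safeParsesBenign: false, safeRejectsHostile: false };
  result.safeParsesBenign =
    parseCallbackResponseSafe(benign).items[0].title === "Review";
  try {
    parseCallbackResponseSafe(hostile);
  } catch (e) {
    result.safeRejectsHostile = true;
  }
  return result;
}
```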