Does Gordano's software exhibit cross-site scripting vulnerabilities?


Question

Web servers that permit cross-site scripting (CSS) allow attackers to trick visiting web clients into executing malicious code.

A hacker constructs malicious input that includes scripts enclosed in unparsed tags, which will execute on the web client of visitors. By accepting tags in user input, a server may allow scripts embedded in the input to run on the client in the authorization context of the server. The server does not execute the script; it accepts the script from a hacker and serves it to a visiting client, whose browser then executes the script embedded in the HTML from the server. Embedded scripts may also change the action of form tags, changing what programs the form runs and where it sends information. The malicious request may be typed in directly or left in apparently innocent links that anyone may follow, hiding the source of the request from logging.

Answer

We convert < and > to &lt; and &gt;. We also remove any of the following tags which may be embedded in a URI:

  • OBJECT
  • EMBED
  • LINK
  • SCRIPT
  • APPLET
  • STYLE

We therefore believe Gordano products are well protected from cross-site scripting hazards and that you are not exposed on your implementation of GMS or GMS Webmail.
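The two measures described in the answer, sketched as an added example; this is not Gordano's code. Function names are hypothetical, percent-decoding the URI once and repeating the removal until the value stops changing are assumptions, and neutralize_for_attribute goes beyond the article by also encoding & and quotes for values placed inside HTML attributes.

```python
import html
import re
from urllib.parse import unquote

# Tag names listed in the article's answer.
BLOCKED_TAGS = ("OBJECT", "EMBED", "LINK", "SCRIPT", "APPLET", "STYLE")

# Opening or closing form of any listed tag, in any letter case,
# with or without attributes (e.g. <script src=...>, </STYLE>).
_TAG_RE = re.compile(
    r"</?\s*(?:%s)\b[^>]*>?" % "|".join(BLOCKED_TAGS), re.IGNORECASE)


def strip_blocked_tags(value: str) -> str:
    """Percent-decode a URI component once, then remove the listed tags."""
    text = unquote(value)
    while True:
        cleaned = _TAG_RE.sub("", text)
        if cleaned == text:  # stable: a removal did not re-form a tag
            return cleaned
        text = cleaned


def encode_angle_brackets(value: str) -> str:
    """The conversion the article describes: < to &lt; and > to &gt;."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def neutralize(value: str) -> str:
    """Both measures in sequence, for text written into an element body."""
    return encode_angle_brackets(strip_blocked_tags(value))


def neutralize_for_attribute(value: str) -> str:
    """Assumption beyond the article: also encode &, " and ' so the value
    cannot close a quoted attribute it is written into."""
    return html.escape(strip_blocked_tags(value), quote=True)


if __name__ == "__main__":
    # Constructed sample: a percent-encoded query value from a link.
    sample = "%3Cscript%3Ealert(1)%3C/script%3E and <b>bold</b>"
    print(neutralize(sample))
```

Which function applies depends on where the value is written: angle-bracket encoding covers element bodies, while attribute values also need the quote encoding.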

Keywords: security, cross-site scripting, WWW, exposure
