This is a migrated thread and some comments may be shown as answers.

Cross-site Scripting (XSS) Vulnerability in Report Viewer

7 Answers 143 Views
General Discussions
Bill asked on 11 Jan 2013, 12:43 PM
Hi there!

We’ve identified that the reporting component returns verbose error messages with a 200 HTTP status code, making our application vulnerable to XSS attacks.

Please could you contact us privately, as soon as possible, for more details.

Thanks, in advance.

7 Answers, 1 is accepted

Robbie Hughes answered on 17 Jan 2013, 04:10 PM
Hi there

Could someone from Telerik please answer this question?

Thanks
Chavdar (Telerik team) answered on 21 Jan 2013, 05:46 PM
Hi guys,

The report viewer communicates only with its HTTP handler, which returns verbose error messages only when there is a problem while processing or rendering the reports. In this way the web application is protected, as the attacker cannot gain access to sensitive data by sending requests to the report viewer's handler.

Kind regards,
Chavdar
the Telerik team

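The class of issue discussed in this thread (an error page that reflects request input unencoded and is served with HTTP 200) is illustrated below with a generic handler. This is an added example, not Telerik's code and not the handler Chavdar describes; the report names, the RenderError type, the handler functions and the error-marker pattern are all assumptions made for illustration.

```python
"""Reflected XSS via a verbose error message, and the hardened form.

Added example (not Telerik's code). Models a hypothetical report-rendering
HTTP handler as a pure function returning (status, body) so it can be run
offline. The vulnerable variant echoes the failing request parameter into
the page body unencoded and answers with 200; the hardened variant encodes
anything user-controlled, returns a 5xx status, and keeps the detail in a log.
"""
import html
import logging
import re

log = logging.getLogger("report_handler")


class RenderError(Exception):
    """Raised when the hypothetical renderer cannot process the request."""


def render_report(report_name: str) -> str:
    # Hypothetical renderer: only one report exists in this example.
    if report_name != "sales":
        raise RenderError(f"Report '{report_name}' could not be found")
    return "<h1>Sales report</h1>"


def handle_vulnerable(report_name: str) -> tuple[int, str]:
    """Verbose error, status 200, request parameter reflected as raw HTML."""
    try:
        return 200, render_report(report_name)
    except RenderError as e:
        # str(e) contains the attacker-controlled report name verbatim,
        # so a name of "<script>...</script>" executes in the victim's browser.
        return 200, f"<html><body><pre>Error: {e}</pre></body></html>"


def handle_hardened(report_name: str) -> tuple[int, str]:
    """Encoded output, error status, detail logged server-side only."""
    try:
        return 200, render_report(report_name)
    except RenderError as e:
        log.error("render failed for %r: %s", report_name, e)
        # html.escape with quote=True neutralises <, >, &, " and ' so the
        # reflected value is rendered as text, not parsed as markup.
        safe = html.escape(str(e), quote=True)
        return 500, f"<html><body><pre>Error: {safe}</pre></body></html>"


# Constructed scanner heuristic, similar in spirit to what a pentest tool flags:
# an error-looking body delivered with a success status code.
ERROR_MARKERS = re.compile(r"(exception|error:|stack\s*trace|could not be)", re.I)


def looks_like_verbose_error(status: int, body: str) -> bool:
    """True when an error message is returned with HTTP 200."""
    return status == 200 and ERROR_MARKERS.search(body) is not None


# Constructed probe payload used to demonstrate the reflection.
PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_hardened):
        status, body = handler(PAYLOAD)
        print(handler.__name__, status, looks_like_verbose_error(status, body))
        print(body)
```

Running the block shows the vulnerable handler returning the `<script>` tag intact with status 200 (which is exactly what a scanner flags), while the hardened handler returns 500 and an entity-encoded string. Even the hardened form still reveals the report name; a generic "The report could not be rendered" message to the client, with the detail only in the server log, is the stricter option.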

Bill answered on 20 Mar 2013, 10:53 AM
Hi Chavdar

Thanks for your reply. I am sorry for my late response!

Unfortunately your answer doesn't address our concern. In order to be specific about why, we would rather email the details than post security flaws about our software on the web. To that end, please could you provide us with an email address that we can use to send the results from our penetration testing?

Many thanks
Peter (Telerik team) answered on 25 Mar 2013, 08:10 AM
Hi Bill,

Our suggestion is to open a general feedback thread.

All the best,
Peter
the Telerik team


Ervinna answered on 28 May 2013, 10:07 AM
Hi There,

I am using Telerik 2011_2_712 to develop project.
But Telerik does not pass the penetration test. 
I have a list of issue found which causes the penetration test fail in Excel file.
How can I send you the file?
Is it being fixed?

Thanks.

Ervinna answered on 29 May 2013, 03:11 PM
Hi all,

Is anyone facing the same problem, where Telerik did not pass the penetration test?
Bill answered on 30 May 2013, 09:44 AM
Hi Ervinna

We had problems with this too, as you can see on earlier posts. Telerik advised us to report via an open feedback thread (link in Peter's post).

Cheers

Bill