Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 1.0.0
- Fix Version/s: None
- Component/s: JavaScript
- Labels: None
- Environment:
  - Liferay Portal 6.0 RC2
  - Open JDK 6.0 64 bit
  - SuSE Linux Enterprise Server 11.0
  - MySQL Server 5.0
Description
We are using Rational AppScan to scan our in-house applications for security problems. We keep getting a High-level failure which states the following:
Flash parameter AllowScriptAccess was set to always
Vulnerable URL: http://<FQDN>/html/js/everything.jsp
Remediation Tasks: Set the AllowScriptAccess parameter to 'sameDomain', which tells the Flash Player that only SWF files loaded from the same domain as the parent SWF will have script access to the hosting web page.
It would appear that AppScan is finding the problem using the following URL: /html/js/everything.jsp?browserId=ie&themeId=classic&colorSchemeId=01&minifierType=js&minifierBundleId=javascript.everything.files&languageId=en_US&t=1276528710000 which returns a large block of script when entered. If I search for AllowScriptAccess, it is in the script and set to always.
I did some searching and it looks like this particular script comes from /ROOT/html/js/aui/io on the server.
Is there any way that I can change this so that the AppScan scans run successfully?
Thanks,
Jamie
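As an added check (not part of this issue or of Liferay's own code), the following Python scanner finds every AllowScriptAccess setting in a script or markup blob such as the everything.jsp output, reports the ones set to always, and rewrites them to sameDomain as the AppScan remediation suggests. The sample input is constructed, and the JavaScript object-literal form (`allowScriptAccess: 'always'`) is an assumption about how an embed helper passes the parameter.

```python
import re

# Constructed sample of the kind of content a scanner flags: an <object>/<param>
# embed plus a JavaScript object literal an embed helper might pass to the player.
SAMPLE = """
<object type="application/x-shockwave-flash" data="/flash/uploader.swf">
  <param name="allowScriptAccess" value="always" />
</object>
var params = { allowScriptAccess: 'always', wmode: 'transparent' };
var safe = { allowScriptAccess: "sameDomain" };
"""

# Alternative 1: <param name="allowScriptAccess" value="...">
# Alternative 2: allowScriptAccess: '...' or allowScriptAccess = '...' in script
PARAM_RE = re.compile(
    r"""name\s*=\s*['"]allowScriptAccess['"]\s+value\s*=\s*['"](?P<v1>[^'"]*)['"]"""
    r"""|allowScriptAccess\s*[:=]\s*['"](?P<v2>[^'"]*)['"]""",
    re.IGNORECASE,
)


def find_allow_script_access(text):
    """Return (line_number, value) for every AllowScriptAccess setting found."""
    findings = []
    for m in PARAM_RE.finditer(text):
        value = m.group("v1") if m.group("v1") is not None else m.group("v2")
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, value.strip()))
    return findings


def weak_settings(text):
    """Only the settings AppScan reports: 'always' lets a SWF from any domain
    script the hosting page, regardless of where the SWF was loaded from."""
    return [(ln, v) for ln, v in find_allow_script_access(text) if v.lower() == "always"]


def harden(text, replacement="sameDomain"):
    """Rewrite every 'always' value to the remediation value (sameDomain)."""
    def fix(match):
        return re.sub(r"always", replacement, match.group(0), flags=re.IGNORECASE)
    return PARAM_RE.sub(fix, text)


if __name__ == "__main__":
    for line, value in weak_settings(SAMPLE):
        print(f"line {line}: AllowScriptAccess={value!r} (should be sameDomain)")
```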
