Support Request: Hong Kong International Airport Sitekiosk Browser can perform a XSS attack

Reproduction

Set a JavaScript filter

Description

With the default setting, the browser blocked 'JavaScript:', which doesn't allow us to run custom JavaScript code. Unfortunately, we found that we can run custom JavaScript with the 'about:' page.

Example: <script>alert("XSS")</script>
Thank you

Answer: (4)

Re: Hong Kong International Airport Sitekiosk Browser can perform a XSS attack 8/24/2015 8:26 AM
Sorry it should be about:<script>alert("XSS")</script> at the URL to perform the attack.
Re: Hong Kong International Airport Sitekiosk Browser can perform a XSS attack 8/24/2015 7:45 PM
You can hide the URL bar by using the browser skin customization options. Go to >Basic >Start Page & Browser >Customize then in the Browser Toolbar menu uncheck the option "Display URL address field (applies to all skins with this field)".
Re: Hong Kong International Airport Sitekiosk Browser can perform a XSS attack 8/25/2015 9:39 AM
Hello,

We were able to reproduce this problem using the Metro IE Skin, and it has been forwarded to our developers to fix it for the next version.

As a workaround, you can use one of the other skins (e.g. Windows 7 IE8 or Default Skin) where this is blocked.

Regards,
Michael Olbrich
Re: Hong Kong International Airport Sitekiosk Browser can perform a XSS attack 10/7/2015 12:25 PM
Hello,

We have just released SiteKiosk 9, where this problem is fixed:
http://www.provisio.com/en-US/Downloads/Download.aspx?ItemId=1

Regards,
Michael Olbrich
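
Added example, not part of the thread and not SiteKiosk code: the report above describes a filter that blocks 'JavaScript:' while an about: URL carrying markup gets through. The JavaScript below contrasts a prefix denylist with a scheme allowlist for address-field input; the function names, the allowed schemes and the sample inputs are assumptions constructed for illustration.

```javascript
// Constructed policy values (assumptions, not SiteKiosk settings).
const DENIED_PREFIXES = ['javascript:'];               // models "block 'JavaScript:'"
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);  // schemes a kiosk needs
const ALLOWED_ABOUT = new Set(['about:blank']);        // exact about: pages only

// Denylist: reject only what is listed, so every unlisted scheme passes.
function denylistAllows(input) {
  const s = input.trim().toLowerCase();
  return !DENIED_PREFIXES.some((prefix) => s.startsWith(prefix));
}

// Allowlist: parse the input, then accept only known schemes.
function allowlistAllows(input) {
  let url;
  try {
    url = new URL(input.trim());
  } catch {
    return false; // not an absolute URL: refuse rather than guess
  }
  if (url.protocol === 'about:') {
    // about: is accepted only as an exact known page, never with extra content.
    return ALLOWED_ABOUT.has(url.href);
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Inputs the denylist lets through that the allowlist refuses.
function missedByDenylist(inputs) {
  return inputs.filter((i) => denylistAllows(i) && !allowlistAllows(i));
}

// Constructed sample inputs; the last one is the URL form given in the thread.
const SAMPLES = [
  'http://www.provisio.com/',
  'about:blank',
  'JavaScript:alert("XSS")',
  'about:<script>alert("XSS")</script>',
];

console.log(missedByDenylist(SAMPLES));
```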