Rex Bloom's questions -server

Rex Bloom

Asked: 2020-07-08 13:19:01 +0800 CST

Has Microsoft documented XSS mitigation for bootstrap and jquery XSS vulnerabilities in their online hosted products?

0

I am reviewing a web scan vulnerability report and believe Microsoft has mitigated the vulnerabilities reported (based on jquery and bootstrap versions) but finding documentation from Microsoft would be helpful.

"According to its self-reported version number, Bootstrap is 3.x prior 3.4.1 or 4.x prior to 4.3.1. Therefore, it may be affected by a cross-site scripting vulnerability via data-template attribute for tooltip and popover plugins. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number."

"According to its self-reported version number, jQuery is at least 1.4.0 and prior to 1.12.0 or at least 1.12.4 and prior to 3.0.0-beta1. Therefore, it may be affected by a cross-site scripting vulnerability due to cross-domain ajax request performed without the dataType. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number."

This is for a site hosted in Dynamics CRM 9.1.0.18950.

Thank you!

Rex Bloom

Asked: 2015-02-27 08:51:08 +0800 CST

Any idea why SFTP works differently based on the client machine/network

1

I have an odd situation.

From Computer A with PSFTP.EXE (putty sftp client) I can connect to a remote sftp server and use dir and chdir to browse around. If I try to get or put files I get a permission error.

From Computer B with PSFTP.EXE (same version) I can connect to the SAME server with the SAME credentials and use dir, chdir to browse around and also get/put work.

The only difference is that Computer A is behind a firewall that blocks outgoing traffic. The firewall admin opened port 22 for me. Previous to that I could not even connect.

I am confused because obviously data is flowing in both directions (directory listings return data). And I know that I am connecting to the same server (files put by computer B show up in directory listings from Computer A)

Is there anything I can have the firewall admin look at that would allow such behavior?
i.e. connections are allowed, dir&chdir are allowed but file transmissions get/put are denied? in fact all file changes are denied (mv, ren, rm, etc)

I know it sounds like a permissions issue on the server but if that were the case I would expect Computer B to have the same trouble and it has absolutely no problems.

Edit #1

Here is Computer A's session details: (slightly changed to protect sensitive data)

psftp> open servername.com
Looking up host "servername.com"
Connecting to x.x.x.x port 22
**Server version: SSH-2.0-OpenSSH_4.6**
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.62
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 1024 
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as: username
password:
Sent password
Access granted
Opened channel for session
Started a shell/command
Connected to servername.com
Remote working directory is /


Here is Computer B's session details: (slightly changed to protect sensitive data)

psftp> open servername.com
Looking up host "servername.com"
Connecting to x.x.x.x port 22
**Server version: SSH-2.0-0.0**
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.62
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-dss 1024 ...
Initialised AES-256 CBC client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 CBC server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Pageant is running. Requesting keys.
Pageant has 0 SSH-2 keys
login as: username
password:
Sent password
Access granted
Opened channel for session
Started a shell/command
Connected to servername.com
Remote working directory is /

Rex Bloom

Asked: 2015-02-25 14:50:44 +0800 CST

What firewall configuration do I need for SFTP to be able to put files on a remote server

2

I have a situation in production where SFTP (using Putty PSFTP) is working when I connect and list files on a remote server but put and get fail with error permission denied.

In my dev environment I can use psftp and filezilla with the same username/password to the same remote server and get/put files as expected.

This leads me to think that somehow the network/firewall is blocking my get/put commands in some way but so far I cannot figure out what is going on.

Has Microsoft documented XSS mitigation for bootstrap and jquery XSS vulnerabilities in their online hosted products?

Any idea why SFTP works differently based on the client machine/network

What firewall configuration do I need for SFTP to be able to put files on a remote server

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?