AnsweredAssumed Answered

QID 86175 - Is it valid?

Question asked by Chris Perry on Nov 11, 2013

VM scan across an ArcGIS 10.1 server returns QID 86175 "Web Server/ Web Application Vulnerable to Cross-Site Scripting Attacks".  Looking at the scan results, it looks as though the issue is sending a carefully crafted URL to a webserver that is supposed to cause a script to be executed in the clients browser via the returned 404 page.  When I attempt the same, however, all of the returned URL's are properly escaped so that no javascript is executed.  It looks as though Qualys is unescaping the returned results to trigger the vulnerability, which doesn't much look like a vulnerability in the service itself to me.


Can anyone confirm my take on this (that the fact that the web service returns the URL path, properly escaped is not a CSS vulnerability)  or could someone give me a URL suffix to try that could trigger the issue (I can use wget or a java http request or whatever if necessary).