Cross-Site Scripting warning with Internet Explorer 8 and Fabasoft eGov-Suite 8.0 SP1

Last update: 4 August 2017

Summary

With an Internet Explorer update deployed by Windows Update, the Cross-Site Scripting Filter (XSS-Filter) of Internet Explorer was updated. With this update installed at the client, the Fabasoft eGov-Suite does not work as expected.

Information

Information about the Microsoft Security Bulletin MS11-099 can be found at http://technet.microsoft.com/security/bulletin/MS11-099 .

When you work in the Fabasoft eGov-Suite / Fabasoft Folio using Microsoft Internet Explorer and a new window is opened (e.g. by editing an object), you get a warning in the browsers Information Bar, Internet Explorer has modified this page to prevent a potential cross-site scripting attack. Click here for more information... . The window you opened stays empty.

Affected systems

Our current tests and feedback of our customers confirm this behaviour at least for the following configuration:

Fabasoft eGov-Suite 8.0 SP1 or Fabasoft Folio 2009, with
Microsoft Internet Explorer 8 and Microsoft Internet Explorer 9, and
Microsoft MS11-099 update (released 13.11.2011) installed

UPDATE: Fabasoft could verify that the behaviour also may occour with current Fabasoft Folio 2011 and Fabasoft Folio 2012 installations if VAPPs are opened in a new window (instead of the overlay technology). This issue is fixed in Fabasoft Folio 2012 Summer Release.

Solution

Solution 1

The Internet Explorer zone "Local Intranet" has disabled the XSS-Filter by default. If you run Fabasoft eGov-Suite in the "Trusted sites" zone, move the URL to the "Local Intranet" zone. This will avoid the behaviour.

This setting can be rolled out by a domain policy.

Note: Please double-check, that XSS filter is disabled in the "Local Intranet" zone. If this is not the case, use solution 2.

Solution 2

Use this workaround to disable the XSS filter for the used security zone in Internet Explorer and re-enable the functionality of Fabasoft eGov-Suite:

Open Microsoft Internet Explorer
Open "Internet Options"
Change to the "Security" tab
Select the zone where your Fabasoft eGov-Suite installation resides (usually "Local intranet" or "Trusted sites") and click "Custom level"
Set option "Enable XSS Filter" in the "Scripting" area to "Disable".

This setting can be rolled out by a domain policy.

Solution 3

Use this workaround to let IIS send a special http header telling the client to disable the XSS filter for this specific webserver. This configuration is done on the webservers and therefore the easiest way to implement. No client configuration is necessary.

Windows Server 2008

Open Internet Information Services (IIS) Manager on your Fabasoft webservers
Dependend to the location you want to set the http header, select the computer name (for a global setting) or each FSC directory (for individual setting)
Open the feature "HTTP Response Headers"
Add a new HTTP Response header with following values:
Name: X-XSS-Protection
Value: 0
Save the value by clicking OK and restart IIS (e.g. by iisreset)

Windows Server 2003

Open Internet Information Services (IIS) Manager on your Fabasoft webservers
Dependend to the location you want to set the http header, select the element "Web Sites" (for a global setting) or each FSC directory (for individual setting) and right-click "Properties"
Open the tab "HTTP Headers"
In the area "Custom HTTP headers", click "Add..." and enter the following values:
Name: X-XSS-Protection
Value: 0
Save the value by clicking OK and restart IIS (e.g. by iisreset)

RedHat / Apache Servers

1. Open /etc/fabasoft/web/Webservice_.conf for each Webservice
2. Add the module mod_headers

LoadModule headers_module /usr/lib64/httpd/modules/mod_headers.so

3. Add a line

Header set X-XSS-Protection "0"

for example into Directory section

Options FollowSymLinks

AllowOverride None

Order allow,deny

Allow from all