Cross-Site Scripting warning with Internet Explorer 8 and Fabasoft eGov-Suite 8.0 SP1

Last update: 4 August 2017

Summary

An Internet Explorer update deployed through Windows Update changed the behaviour of the Cross-Site Scripting Filter (XSS Filter) of Internet Explorer. With this update installed on the client, the updated filter treats the way the Fabasoft eGov-Suite opens new windows as a potential reflected cross-site scripting attack and blocks it, so the Fabasoft eGov-Suite no longer works as expected.

Information

Information about Microsoft Security Bulletin MS11-099 (Cumulative Security Update for Internet Explorer) can be found at http://technet.microsoft.com/security/bulletin/MS11-099 .

When you work in the Fabasoft eGov-Suite / Fabasoft Folio with Microsoft Internet Explorer and a new window is opened (e.g. by editing an object), the browser's Information Bar shows the warning "Internet Explorer has modified this page to prevent a potential cross-site scripting attack. Click here for more information...". The window you opened stays empty.

Affected systems

Our current tests and feedback from our customers confirm this behaviour at least for the following configuration:

  • Fabasoft eGov-Suite 8.0 SP1 or Fabasoft Folio 2009, with
  • Microsoft Internet Explorer 8 and Microsoft Internet Explorer 9, and
  • Microsoft MS11-099 update (released 13 December 2011) installed

UPDATE: Fabasoft has verified that the behaviour may also occur with current Fabasoft Folio 2011 and Fabasoft Folio 2012 installations if VAPPs are opened in a new window (instead of as an overlay). This issue is fixed in the Fabasoft Folio 2012 Summer Release; the solutions below are workarounds for the affected versions.

Solution

Solution 1

The XSS Filter is disabled by default in the Internet Explorer zone "Local intranet". If you run the Fabasoft eGov-Suite in the "Trusted sites" zone, move its URL to the "Local intranet" zone. This avoids the behaviour without changing the filter setting of any zone.

This setting can be rolled out by a domain policy.

Note: Please double-check that the XSS Filter is actually disabled in the "Local intranet" zone ("Custom level", area "Scripting", option "Enable XSS Filter"). If it is not, use Solution 2.

Solution 2

Use this workaround to disable the XSS Filter in Internet Explorer for the security zone in which the Fabasoft eGov-Suite runs and restore the functionality of the Fabasoft eGov-Suite:

  • Open Microsoft Internet Explorer
  • Open "Internet Options"
  • Change to the "Security" tab
  • Select the zone where your Fabasoft eGov-Suite installation resides (usually "Local intranet" or "Trusted sites") and click "Custom level"
  • Set the option "Enable XSS Filter" in the "Scripting" area to "Disable" and confirm with OK

This setting can be rolled out by a domain policy.
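The following PowerShell script is an added example and not part of the Fabasoft article or product: it applies Solution 1 and, only if the check from its note fails, Solution 2 through the registry values Internet Explorer stores behind the "Security" tab, so the change can be scripted or delivered as a Group Policy Preference instead of being clicked through on every client. The host name egov.example.com and the scheme are assumptions; the zone numbers (1 = Local intranet, 2 = Trusted sites) and the value 1409 ("Enable XSS Filter", 0 = Enable, 3 = Disable) are the ones Internet Explorer uses.

```powershell
# Added example (not from the Fabasoft article). Scripts Solution 1 and, as a
# fallback, Solution 2 via the registry values behind IE's "Security" tab.
# Host name and scheme are assumptions for the example; adjust them.

$FabasoftHost = 'egov.example.com'   # assumed host name of the eGov-Suite web server
$Scheme       = 'https'              # scheme the installation is reached over

# Internet Explorer zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet
$LocalIntranet = 1
$TrustedSites  = 2
$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-IeSiteZone {
    # Site-to-zone mapping (Solution 1). IE keys the mapping as
    # ZoneMap\Domains\<registered domain>\<remaining host labels>, with one
    # DWORD per scheme whose data is the zone number.
    param([string]$HostName, [int]$Zone, [string]$Scheme = 'https')

    $labels = $HostName.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $key = "$IeSettings\ZoneMap\Domains\$domain"
    if ($labels.Count -gt 2) {
        $prefix = ($labels | Select-Object -First ($labels.Count - 2)) -join '.'
        $key = "$key\$prefix"
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
}

function Get-IeXssFilterState {
    # Value 1409 under Zones\<n> is "Enable XSS Filter": 0 = Enable, 3 = Disable.
    # A missing value means the zone still uses its template default.
    param([int]$Zone)
    $item = Get-ItemProperty -Path "$IeSettings\Zones\$Zone" -Name '1409' -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'Default' }
    elseif ($item.'1409' -eq 3) { return 'Disabled' }
    else                        { return 'Enabled' }
}

function Disable-IeXssFilter {
    # Solution 2: explicitly disable the XSS Filter for one zone only.
    param([int]$Zone)
    Set-ItemProperty -Path "$IeSettings\Zones\$Zone" -Name '1409' -Type DWord -Value 3
}

# Solution 1: move the installation into the Local intranet zone.
Set-IeSiteZone -HostName $FabasoftHost -Zone $LocalIntranet -Scheme $Scheme

# The note from Solution 1: confirm the filter really is off for that zone.
# 'Default' is left alone, because the Local intranet template ships with the
# filter disabled; only an explicit 'Enabled' needs Solution 2.
$state = Get-IeXssFilterState -Zone $LocalIntranet
Write-Host "XSS Filter in Local intranet zone: $state"
if ($state -eq 'Enabled') {
    Write-Warning 'XSS Filter is enabled for Local intranet; applying Solution 2 to that zone.'
    Disable-IeXssFilter -Zone $LocalIntranet
}
```

Run the script in the user's context, because the values live under HKCU; if the policy "Security Zones: Use only machine settings" is in force, the same values are read from the corresponding HKLM key instead. For a domain-wide rollout the mapping corresponds to the Group Policy "Site to Zone Assignment List", and the 1409 value to the "Turn on Cross-Site Scripting Filter" zone setting. Keep the change limited to the zone the Fabasoft installation actually uses; disabling the filter in the "Internet" zone would remove a client-side protection for every other site.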

Solution 3

Use this workaround to let IIS (or Apache) send an HTTP response header that tells Internet Explorer to disable the XSS Filter for responses from this specific web server. The configuration is done on the web servers only and is therefore the easiest way to implement: no client configuration is necessary. The header X-XSS-Protection: 0 is honoured by Internet Explorer 8 and later and is ignored by browsers that do not implement the filter. Note that it switches off a client-side protection for every page the server delivers, so set it only for the Fabasoft web services (the FSC directories) rather than globally for a server that also hosts other applications, and remove it again once the installation is upgraded to a release that contains the fix.

Windows Server 2008

  • Open Internet Information Services (IIS) Manager on your Fabasoft webservers
  • Depending on the scope you want for the HTTP header, select the computer name (global setting) or each FSC virtual directory (individual setting)
  • Open the feature "HTTP Response Headers"
  • Add a new HTTP response header with the following values:
      • Name: X-XSS-Protection
      • Value: 0
  • Save the value by clicking OK and restart IIS (e.g. with iisreset)

Windows Server 2003

  • Open Internet Information Services (IIS) Manager on your Fabasoft webservers
  • Depending on the scope you want for the HTTP header, select the element "Web Sites" (global setting) or each FSC virtual directory (individual setting) and right-click "Properties"
  • Open the tab "HTTP Headers"
  • In the area "Custom HTTP headers", click "Add..." and enter the following values:
      • Name: X-XSS-Protection
      • Value: 0
  • Save the value by clicking OK and restart IIS (e.g. with iisreset)

RedHat / Apache Servers

1. Open /etc/fabasoft/web/Webservice_.conf for each Webservice
2. Load the module mod_headers (if it is not loaded already):

       LoadModule headers_module    /usr/lib64/httpd/modules/mod_headers.so

3. Add the line

       Header set X-XSS-Protection "0"

   for example to the Directory section of the Webservice, so that it reads:

       Options FollowSymLinks
       AllowOverride None
       Order allow,deny
       Allow from all
       Header set X-XSS-Protection "0"

   Placing the directive inside the Directory section limits the header to the Fabasoft Webservice instead of every response of the Apache instance.
4. Restart the Webservice
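The following PowerShell script is an added example and not part of the Fabasoft article or product: it scripts the Windows Server 2008 (IIS 7) variant of Solution 3 with appcmd, per FSC virtual directory rather than for the whole server, and then performs the check a practitioner wants after any of the three server-side procedures, namely that the header actually arrives at the client. The site name "Default Web Site", the virtual directory names fsc and fscasp and the URL egov.example.com are assumptions; check the real names in IIS Manager.

```powershell
# Added example (not from the Fabasoft article). Scripts Solution 3 for IIS 7
# with appcmd, scoped to the FSC directories, and verifies the header over HTTP.
# Site name, virtual directories and URL are assumptions for the example.

$SiteName = 'Default Web Site'          # assumed IIS site hosting the Fabasoft web services
$FscPaths = @('fsc', 'fscasp')          # assumed FSC virtual directories (check IIS Manager)
$BaseUrl  = 'https://egov.example.com'  # assumed URL of the installation
$AppCmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

foreach ($vdir in $FscPaths) {
    # Same effect as adding the header in the "HTTP Response Headers" feature of
    # IIS Manager with the virtual directory selected; /commit:apphost writes a
    # <location> entry into applicationHost.config instead of the directory's web.config.
    & $AppCmd set config "$SiteName/$vdir" -section:system.webServer/httpProtocol `
        /+"customHeaders.[name='X-XSS-Protection',value='0']" /commit:apphost
}
& (Join-Path $env:windir 'System32\iisreset.exe')

function Test-XssProtectionHeader {
    # Requests the URL with the caller's Windows credentials (Fabasoft web
    # services usually require Integrated Windows Authentication) and returns
    # $true only if the response carries exactly "X-XSS-Protection: 0".
    # HttpWebRequest is used instead of Invoke-WebRequest so the check also
    # runs on the PowerShell 2.0 that ships with Windows Server 2008.
    param([string]$Url)
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'HEAD'
    $request.UseDefaultCredentials = $true
    try {
        $response = $request.GetResponse()
        try     { $value = $response.Headers['X-XSS-Protection'] }
        finally { $response.Close() }
    } catch [System.Net.WebException] {
        # A 401 or 404 response still carries the custom headers IIS added for
        # that directory, so inspect it rather than failing outright.
        $response = $_.Exception.Response
        if ($null -eq $response) { throw }
        $value = $response.Headers['X-XSS-Protection']
        $response.Close()
    }
    return ($value -eq '0')
}

foreach ($vdir in $FscPaths) {
    $url = "$BaseUrl/$vdir/"
    if (Test-XssProtectionHeader -Url $url) {
        Write-Host "$url : X-XSS-Protection: 0 is delivered"
    } else {
        Write-Warning "$url : header missing, Internet Explorer will keep the XSS Filter on for this page"
    }
}
```

Running the appcmd part a second time fails with a duplicate collection entry error, because the header already exists; remove it with the same command and /- instead of /+ when the workaround is no longer needed. Test-XssProtectionHeader works unchanged against a RedHat / Apache Webservice, so the same verification loop can be pointed at those URLs after step 4; on the Linux side, curl -sI followed by a case-insensitive grep for x-xss-protection gives the same answer.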

Applies to

  • Fabasoft eGov-Suite 8.0 SP1 / 2012
  • Fabasoft Folio 2009 to 2012 Spring Release
  • Microsoft Internet Explorer 8/9
