Hi Kelly,

I'd like to stress what Richard said about a lot more security 
vulnerabilities. If a security specialist takes a closer look at the 
system, he will find a lot of different ways for accessing or even 
manipulating data. In my opinion there are two most important rules:

1st: Secure the system against illegal access. Put the system into a DMZ 
and use firewall rules, IIS and maybe proxy capabilities for securing the 
system. I remember there's a KB article regarding ports.

2nd: If necessary, protect the system against the most severe attacks from 
registered users. In previous times, the Windows user used as the identity 
for processes started by CMS was a member of the admin group and had full 
access to the server. You can limit this user's rights, so that only the 
files relevant for CMS can be executed, deleted or changed where necessary. 
There's a KB article about that, too. Look for "windows user". In this 
case, IIS rights should be secured following common IIS security concepts, 
too. Doing that, you can prevent illegal access or manipulation of data via 
script injection (ASP, CGI or other script code). In my eyes, it is not 
possible to achieve a fully secure system though.

Kind regards,
Boris

On Monday, 17 September 2012 16:34:30 UTC+2, Kelly Burns wrote:
>
> Hi guys - I am sure somebody has run into this before; but I am at a 
> complete "dead end" here and need to resolve before our upcoming IT Audit. 
> :(
>
> Our IT Audit firm found our Web Site Management Server 10.1 SP2 (with SQL 
> 2008 db) poses a "significant security risk", in that it allows cross site 
> scripting (aka "XSS") to occur in the classic ASP portions of the app.   
> Obviously I need to correct this before our *next* audit (next month). 
>
> Last September, when the audit found this info, I submitted this as a 
> ticket for resolution to OpenText Support. They said they would forward the 
> issue to development for analysis (this was a year ago). I realized I'd 
> not heard back from them on this issue & checked back on it this week. The 
> response was:
>
> *"This ticket was linked to a BUG ID: WSGMS-8216 currently there is no 
> resolution or much analysis on the issue, but it is now tracked by OpenText 
> and you can always use the aforementioned ID to track its status."*
>
> I searched all over OpenText KB for the bug, but it is not even listed 
> anyplace that I could find. I was hoping that surely *somebody* has had 
> the same issue and posted a workaround *somewhere* by now. :-( Well, if 
> it exists, I still haven't found it!
>
> Has anyone else dealt with this? If so, what, if anything, did you do to 
> secure RedDot properly?
>
> Thanks in Advance!
> Kelly
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"RedDot CMS Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/reddot-cms-users/-/5pmoS44rDwQJ.