
Security bulletin

Patch available for RoboHelp Cross-Site Scripting issue

Release date: May 8, 2007

Vulnerability identifier: APSB07-10

CVE number: CVE-2007-1280

Platform: All Platforms

Affected software versions: RoboHelp 6, RoboHelp Server 6, RoboHelp X5

Summary

A specially crafted URL could be used to create a cross-site scripting attack against files generated by RoboHelp 6, RoboHelp X5 or RoboHelp Server 6. 

Solution

RoboHelp 6 and RoboHelp X5:

Adobe recommends that RoboHelp 6 and RoboHelp X5 users apply the relevant update(s) using the installation instructions below under the heading "To install". If whstart.js (or any of the other template files listed below) has previously been modified and is no longer the default file, update the installation manually using the instructions under the relevant "For customers who have customized templates" heading, because the stock update replaces those files outright and would discard the customizations.

NOTE: As always, test the changes in a non-production environment before applying the changes to the production environment.

To install for WebHelp:

  1. Download the update file. The files contained are whstart.js and whcsh_home.htm.
  2. Place the updated whstart.js into <installfolder>\WebHelp5Ext\template_stock, replacing the old file.
  3. Place the updated whcsh_home.htm into <installfolder>\WebHelp5Ext\template_csh, replacing the old file.
  4. Restart RoboHelp.
  5. Re-generate RoboHelp content.
  6. Replace existing content with newly generated RoboHelp content.

For customers who have customized templates — to manually update file(s) for WebHelp:

  1. Locate whstart.js and whcsh_home.htm under the <installfolder>\WebHelp5Ext directory (in template_stock and template_csh respectively).
  2. Download and unzip the update file. Locate the updated whstart.js and whcsh_home.htm.
  3. Note that various string assignments in the updated files have been changed to pass through the IsInternal() function call.
  4. Incorporate these changes into the whstart.js and whcsh_home.htm files in your customized templates.
  5. Add the new IsInternal() function from the updated whstart.js and whcsh_home.htm to your customized copies of those files.
  6. Restart RoboHelp.
  7. Regenerate output after these changes are done in the templates.

To install for FlashHelp or FlashHelp Pro:

  1. Download the update file. The files contained are wf_startpage.js and wf_startqs.htm.
  2. Place the updated wf_startpage.js into <installfolder>\RoboHTML\WildFireExt\template_stock, replacing the old file.
  3. Place the updated wf_startqs.htm into <installfolder>\RoboHTML\WildFireExt\template_stock, replacing the old file.
  4. Restart RoboHelp.
  5. Re-generate RoboHelp content.
  6. Replace existing content with newly generated RoboHelp content.

For customers who have customized templates — to manually update file(s) for FlashHelp or FlashHelp Pro:

  1. Locate wf_startpage.js and wf_startqs.htm in the <installfolder>\RoboHTML\WildFireExt\template_stock folder.
  2. Download and unzip the update file. Locate the updated wf_startpage.js and wf_startqs.htm.
  3. Note that various string assignments in the updated files have been changed to pass through the IsInternal() function call.
  4. Incorporate these changes into the wf_startpage.js and wf_startqs.htm files in your customized templates.
  5. Add the new IsInternal() function from the updated wf_startpage.js and wf_startqs.htm to your customized copies of those files.
  6. Restart RoboHelp.
  7. Regenerate output after these changes are done in the templates.
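The manual-update steps for WebHelp and for FlashHelp above describe the same change: string assignments that take their values from the page's URL now go through an IsInternal() check before the value is used. The following is an added example, not Adobe's whstart.js or wf_startpage.js code, that shows the pattern in plain JavaScript: a query-string parameter (a hypothetical startpage parameter) copied into generated frame markup unchecked, beside the same assignment gated by a hypothetical isInternal() that accepts only relative paths inside the help output and falls back to a known default otherwise. The parameter name, the frame markup, and the exact rules of the check are assumptions for illustration; Adobe's actual IsInternal() implementation is not shown in the bulletin and may differ.

```javascript
// Added example (not Adobe's code). The parameter name "startpage", the frame
// markup and the rules inside isInternal() are assumptions for illustration.

var DEFAULT_TOPIC = 'default.htm';

// Parse a query string ("?a=b&c=d") into an object, percent-decoding each
// value the way a start page must before it can treat the value as a path.
function parseQuery(search) {
  var params = {};
  var q = search.charAt(0) === '?' ? search.slice(1) : search;
  if (q.length === 0) return params;
  q.split('&').forEach(function (pair) {
    var idx = pair.indexOf('=');
    var key = idx < 0 ? pair : pair.slice(0, idx);
    var val = idx < 0 ? '' : pair.slice(idx + 1);
    try {
      params[decodeURIComponent(key)] = decodeURIComponent(val.replace(/\+/g, ' '));
    } catch (e) {
      // Malformed percent-encoding: drop the pair rather than pass junk through.
    }
  });
  return params;
}

// Hypothetical IsInternal-style check. Accept only a relative path that stays
// inside the generated help output. Reject anything carrying a URL scheme
// (javascript:, data:, http:), absolute or protocol-relative paths, ".."
// segments, and characters that can close an HTML attribute or a script
// string. The caller falls back to a known-good default on rejection.
function isInternal(url) {
  if (typeof url !== 'string' || url.length === 0) return false;
  if (/^[a-z][a-z0-9+.\-]*:/i.test(url)) return false;     // any URL scheme
  if (/^[\\/]/.test(url)) return false;                   // "/x" or "//host/x"
  if (/(^|[\\/])\.\.([\\/]|$)/.test(url)) return false;   // traversal segment
  if (/[<>"'`\s]/.test(url)) return false;                // breaks out of context
  return /^[A-Za-z0-9_.\-\/#?=&%]+$/.test(url);            // conservative allow-list
}

// Unpatched pattern: the query value is assigned straight into the generated
// markup, so ?startpage=javascript:alert(1), or a value that closes the
// attribute and opens a <script> tag, lands in the page verbatim.
function buildStartFrameUnpatched(search) {
  var p = parseQuery(search);
  var start = p.startpage || DEFAULT_TOPIC;
  return '<frame name="content" src="' + start + '">';
}

// Patched pattern: the externally supplied string is gated by isInternal()
// before assignment; a rejected value is replaced by the default topic.
function buildStartFramePatched(search) {
  var p = parseQuery(search);
  var start = isInternal(p.startpage) ? p.startpage : DEFAULT_TOPIC;
  return '<frame name="content" src="' + start + '">';
}

// Stand-alone demonstration over a few constructed URLs.
[
  '?startpage=topics/intro.htm',
  '?startpage=javascript:alert(1)',
  '?startpage=x.htm%22%3E%3Cscript%3Ealert(1)%3C/script%3E',
  '?startpage=//evil.example/x.htm'
].forEach(function (search) {
  console.log(search);
  console.log('  unpatched: ' + buildStartFrameUnpatched(search));
  console.log('  patched:   ' + buildStartFramePatched(search));
});
```

The check is an allow-list on purpose: a deny-list of "javascript:" spellings is the kind of filter that obfuscated or double-encoded payloads slip past, whereas refusing every scheme, every leading slash and every character outside a small set leaves nothing for a crafted URL to work with. When you port the IsInternal() change into customized templates, apply it to every assignment that originates from the query string, not only the one you first notice; the bulletin's wording ("various string assignments") is the hint that more than one is involved.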

RoboHelp Server 6:

Adobe recommends RoboHelp Server 6 users apply the following update using the installation instructions below.

  1. Download the update file. The file contained is WindowManager.dll.
  2. Stop RoboHelp Server 6. (Note: WindowManager.dll is used by ProtocolHost.exe and ProtocolHost.exe may need to be ended through the Task Manager if WindowManager.dll is still in use after RoboHelp Server 6 has been stopped.)
  3. Place the updated WindowManager.dll file at the root of the RoboHelp Server 6 installation folder, overwriting the existing WindowManager.dll file.
  4. Restart RoboHelp Server 6.

Severity rating

Adobe categorizes this as an important issue and recommends affected users patch their installations.

Details

A specially crafted URL could be used to create a cross-site scripting attack against files generated by RoboHelp 6, RoboHelp X5 or RoboHelp Server 6. Because the attack is delivered through a URL to the published help content, this issue is remotely exploitable.

Acknowledgments

Adobe would like to thank Michael Domberg of Devtarget.org for reporting this vulnerability and for working with us to help protect our customers' security.

Adobe disclaimer

License agreement

By using software of Adobe Systems Incorporated or its subsidiaries ("Adobe"), you agree to the following terms and conditions. If you do not agree with such terms and conditions, do not use the software. The terms of an end user license agreement accompanying a particular software file upon installation or download of the software shall supersede the terms presented below.

The export and re-export of Adobe software products are controlled by the United States Export Administration Regulations and such software may not be exported or re-exported to Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria or any country to which the United States embargoes goods. In addition, Adobe software may not be distributed to persons on the Table of Denial Orders, the Entity List, or the List of Specially Designated Nationals.

By downloading or using an Adobe software product you are certifying that you are not a national of Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria or any country to which the United States embargoes goods and that you are not a person on the Table of Denial Orders, the Entity List, or the List of Specially Designated Nationals.

If the software is designed for use with an application software product (the "Host Application") published by Adobe, Adobe grants you a non-exclusive license to use such software with the Host Application only, provided you possess a valid license from Adobe for the Host Application. Except as set forth below, such software is licensed to you subject to the terms and conditions of the End User License Agreement from Adobe governing your use of the Host Application.

DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS WARRANTIES TO YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING PROVIDED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL WARRANTIES WITH REGARD TO THE SOFTWARE, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, MERCHANTABLE QUALITY OR NONINFRINGEMENT OF THIRD PARTY RIGHTS. Some states or jurisdictions do not allow the exclusion of implied warranties, so the above limitations may not apply to you.

LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS OF USE, INTERRUPTION OF BUSINESS, OR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADOBE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states or jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.