Solved

coldfusion security

Posted on 2012-04-12
Last Modified: 2012-04-27
Hello,
A security scan was recently run on our web site and it showed some cross site scripting vulnerabilities. Mostly they are with CFID and CFTOKEN (see below for one of them). Is there a quick fix for this?

Cross-site scripting vulnerability found
Injected item: GET: CFID
Injection value: "/><iframe src=/lunder/' onLoad=alert(13318478.17087)
/></body></html><!--
Detection value: 13318478.17087
This is a reflected XSS vulnerability, detected in an alert that was an immediate response to the injection.
Question by: cbeverly

4 Comments
 
LVL 36

Accepted Solution

by: SidFishes (earned 500 total points)
ID: 37837580
Switch to jsessionids if possible.

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23472564.html

I've written a blog post about CF & XSS here

http://sidfishes.wordpress.com/2009/03/17/60/

with a few tips.

Author Comment

by: cbeverly
ID: 37837665
Thank you for the post. This error code is from an application that we didn't write and are really going to re-contract out in a few months, and we just want this old application to pass the security scan in the meantime. Is there a really quick fix I can use to accomplish this?
LVL 36

Expert Comment

by: SidFishes
ID: 37837793
Well, as I noted in my post, global script protection may help, and that requires nothing but making a setting change in cfadmin.

If the application is written poorly, without the other things I mention such as input sanitization, you won't have a "quick fix".
LVL 36

Expert Comment

by: SidFishes
ID: 37837815
On review of the OP, I see that it looks like an iframe injection, which won't be helped by global script protection (as noted in the example in my post).


The fix is quite simple though: all form variables need to have HTML stripped.

    <cfset form.aVariable = REReplaceNoCase(form.aVariable, "<[^>]*>", "", "All")>

But you'd have to dig into the code to do that.
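The tag-stripping fix above is easiest to judge against the scanner's own payload. The Python script below is an added example, not code from this thread or from the application in question: it reproduces the CFML pattern `<[^>]*>` with the same matching semantics, runs it over the injection value quoted in the question, and contrasts it with encoding the value for an attribute and with rejecting a CFID that is not a plain integer. The reflection context (the parameter echoed into a double-quoted attribute of a hidden input) is an assumption drawn from the payload opening with `"/>`; CFID being numeric is standard ColdFusion behaviour, while the CFTOKEN character-set and length check is an assumption made for this example.

```python
import html
import re
from typing import Optional

# Injection value copied from the scan report in the question; the line break
# between the two reported lines is reconstructed as "\n".
SCAN_PAYLOAD = (
    '"/><iframe src=/lunder/\' onLoad=alert(13318478.17087)\n'
    '/></body></html><!--'
)

# Same expression as REReplaceNoCase(var, "<[^>]*>", "", "All").
# [^>] also matches newlines, so a tag split across lines is still removed.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Remove anything that looks like a complete tag.

    Quotes and an unterminated '<' (such as the '<!--' at the end of the
    payload) survive, which is the weakness the demo below makes visible."""
    return TAG_RE.sub("", value)


def encode_for_attribute(value: str) -> str:
    """Output encoding for a double-quoted HTML attribute: every character
    that could end the attribute or start a tag becomes an entity."""
    return html.escape(value, quote=True)


def parse_cfid(value: str) -> Optional[int]:
    """CFID is a numeric session identifier in ColdFusion, so anything that
    is not a short run of digits can be rejected before a template sees it."""
    if re.fullmatch(r"[0-9]{1,20}", value) is None:
        return None
    return int(value)


def parse_cftoken(value: str) -> Optional[str]:
    """CFTOKEN is numeric by default; the UUID variant adds hex digits and
    hyphens. The character set and length bound here are an assumption."""
    if re.fullmatch(r"[0-9A-Fa-f-]{8,64}", value) is None:
        return None
    return value


def hidden_field(name: str, value: str) -> str:
    """Assumed reflection context: the request parameter echoed back into a
    hidden input. The caller decides what has already been done to value."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def demo() -> dict:
    """Run the scanner's payload through each defence and report whether the
    reflected value can still terminate the attribute it lands in."""
    stripped = strip_tags(SCAN_PAYLOAD)
    encoded = encode_for_attribute(SCAN_PAYLOAD)
    return {
        # After stripping, '"/><!--' remains: the quote closes the attribute,
        # '/>' closes the tag and '<!--' comments out the rest of the page.
        "stripped": stripped,
        "stripped_markup": hidden_field("CFID", stripped),
        "stripped_breaks_attribute": '"' in stripped or "<" in stripped,
        # After encoding, no quote or angle bracket survives.
        "encoded_markup": hidden_field("CFID", encoded),
        "encoded_breaks_attribute": '"' in encoded or "<" in encoded,
        # Validation rejects the payload outright; a real CFID passes.
        "cfid_accepted": parse_cfid(SCAN_PAYLOAD) is not None,
        "cftoken_accepted": parse_cftoken(SCAN_PAYLOAD) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point for the thread: stripping tags removes the iframe, but it leaves the leading `"` and the trailing `<!--`, so the value still breaks out of the attribute the scanner found it in. Encoding on output (or, for CFID and CFTOKEN specifically, refusing any value that is not a well-formed session identifier) closes that gap regardless of what the regex happens to match.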