Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

coldfusion security

Posted on 2012-04-12
4
Medium Priority
?
363 Views
Last Modified: 2012-04-27
Hello,
A security scan was recently run on our web site and it showed some cross site scripting vulnerabilities. Mostly they are with CFID and CFTOKEN (see below for one of them). Is there a quick fix for this?

Cross-site scripting vulnerability found
Injected item: GET: CFID
Injection value: "/><iframe src=/lunder/' onLoad=alert(13318478.17087)
/></body></html><!--
Detection value: 13318478.17087
This is a reflected XSS vulnerability, detected in an alert that was an immediate response to the injection.
0
Comment
Question by:cbeverly
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 36

Accepted Solution

by:
SidFishes earned 2000 total points
ID: 37837580
Switch to jsessionid's if possible.

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23472564.html

I've written a blog post about CF & XSS here

http://sidfishes.wordpress.com/2009/03/17/60/

with a few tips.
0
 

Author Comment

by:cbeverly
ID: 37837665
Thank you for the post. This error code is from an application that we didn't write and are really going to re-contract out in a few months and we just want this old application to pass the security scan in the meantime. Is there a really quick fix I can use to accomplish this.
0
 
LVL 36

Expert Comment

by:SidFishes
ID: 37837793
well, as i noted in my post global script protection may help and that requires nothing but making a setting change in cfadmin.

If the application is written poorly without the other things I mention such as input sanitization, you won't have a "quick fix"
0
 
LVL 36

Expert Comment

by:SidFishes
ID: 37837815
on review of the OP, i see that it looks like an iframe injection - which won't be helped by global script protection (as noted in the example in my post)


the fix is quite simple though - all form variables need to have html stripped

rereplacenocase(form.aVariable,”<[^>]*>”, “”, “All”)

but you'd have to dig into the code to do that.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi, I will be creating today a basic tutorial on how we can create a Mail Custom Function and use it where ever we want. The main advantage about creating a custom function is that we can accommodate a range of arguments to pass to the Function and …
This is an updated version of a post made on my blog over 3 years ago. It is unfortunately, still very relevant as we continue to see both SQLi (SQL injection) and XSS (cross site scripting) attacks hitting some of the most recognizable website and …
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question