Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

coldfusion security

Posted on 2012-04-12
4
359 Views
Last Modified: 2012-04-27
Hello,
A security scan was recently run on our web site and it showed some cross site scripting vulnerabilities. Mostly they are with CFID and CFTOKEN (see below for one of them). Is there a quick fix for this?

Cross-site scripting vulnerability found
Injected item: GET: CFID
Injection value: "/><iframe src=/lunder/' onLoad=alert(13318478.17087)
/></body></html><!--
Detection value: 13318478.17087
This is a reflected XSS vulnerability, detected in an alert that was an immediate response to the injection.
0
Comment
Question by:cbeverly
  • 3
4 Comments
 
LVL 36

Accepted Solution

by:
SidFishes earned 500 total points
ID: 37837580
Switch to jsessionid's if possible.

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23472564.html

I've written a blog post about CF & XSS here

http://sidfishes.wordpress.com/2009/03/17/60/

with a few tips.
0
 

Author Comment

by:cbeverly
ID: 37837665
Thank you for the post. This error code is from an application that we didn't write and are really going to re-contract out in a few months and we just want this old application to pass the security scan in the meantime. Is there a really quick fix I can use to accomplish this.
0
 
LVL 36

Expert Comment

by:SidFishes
ID: 37837793
well, as i noted in my post global script protection may help and that requires nothing but making a setting change in cfadmin.

If the application is written poorly without the other things I mention such as input sanitization, you won't have a "quick fix"
0
 
LVL 36

Expert Comment

by:SidFishes
ID: 37837815
on review of the OP, i see that it looks like an iframe injection - which won't be helped by global script protection (as noted in the example in my post)


the fix is quite simple though - all form variables need to have html stripped

rereplacenocase(form.aVariable,”<[^>]*>”, “”, “All”)

but you'd have to dig into the code to do that.
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
how to open dropdown menu on page load without having to click? 4 95
paging 3 46
REReplaceNoCase help 1 43
ajaxSubmit is giving me an error 1 47
Hi, I will be creating today a basic tutorial on how we can create a Mail Custom Function and use it where ever we want. The main advantage about creating a custom function is that we can accommodate a range of arguments to pass to the Function and …
Hi, Even though I have created this Tutorial on My personal Blog, Some people might not able to find my website, So here i am posting it again Today, from the topic it is very clear that i will be showing you here the very basic usage of how we …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question