Solved

coldfusion security

Posted on 2012-04-12
Medium Priority
Last Modified: 2012-04-27
Hello,
A security scan was recently run on our web site and it showed some cross site scripting vulnerabilities. Mostly they are with CFID and CFTOKEN (see below for one of them). Is there a quick fix for this?

Cross-site scripting vulnerability found
Injected item: GET: CFID
Injection value: "/><iframe src=/lunder/' onLoad=alert(13318478.17087)
/></body></html><!--
Detection value: 13318478.17087
This is a reflected XSS vulnerability, detected in an alert that was an immediate response to the injection.
Question by: cbeverly
4 Comments
 
Accepted Solution

by: SidFishes (earned 2000 total points)
ID: 37837580
Switch to jsessionids if possible.

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23472564.html

I've written a blog post about CF & XSS here

http://sidfishes.wordpress.com/2009/03/17/60/

with a few tips.

Author Comment

by: cbeverly
ID: 37837665
Thank you for the post. This error code is from an application that we didn't write and are really going to re-contract out in a few months, and we just want this old application to pass the security scan in the meantime. Is there a really quick fix I can use to accomplish this?

Expert Comment

by: SidFishes
ID: 37837793
Well, as I noted in my post, global script protection may help, and that requires nothing but making a setting change in cfadmin.

If the application is written poorly, without the other things I mention such as input sanitization, you won't have a "quick fix".

Expert Comment

by: SidFishes
ID: 37837815
On review of the OP, I see that it looks like an iframe injection, which won't be helped by global script protection (as noted in the example in my post).


The fix is quite simple though: all form variables need to have HTML stripped.

rereplacenocase(form.aVariable, "<[^>]*>", "", "All")

but you'd have to dig into the code to do that.
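As an added illustration (Python rather than ColdFusion; not code from this thread or from SidFishes' blog post), the block below applies the `<[^>]*>` regex from the last comment, which is what `ReReplaceNoCase(..., "All")` evaluates, to the scanner's own CFID payload from the question and to a constructed second payload that contains no angle brackets at all, and sets the result beside HTML encoding of the same value. The hidden-field template that reflects CFID into an attribute is a constructed stand-in for the unnamed legacy application, not a known location in it.

```python
import html
import re
from html.parser import HTMLParser

# The value the scanner injected into the CFID parameter, copied from the
# question above (the line break inside the payload is part of it).
SCANNER_PAYLOAD = (
    '"/><iframe src=/lunder/\' onLoad=alert(13318478.17087)\n'
    '/></body></html><!--'
)

# Constructed second payload for comparison: no '<' or '>' at all, it only
# closes the attribute with a quote and adds an event handler.
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)" autofocus="'

# The regex from the comment above, as used with ReReplaceNoCase(..., "All").
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Remove anything that looks like an HTML tag (the proposed quick fix)."""
    return TAG_RE.sub("", value)


def encode_for_html(value: str) -> str:
    """Escape &, <, >, " and ' so the value cannot leave its HTML context.

    For a double-quoted attribute this has the effect of ColdFusion's
    HTMLEditFormat(); html.escape additionally escapes the single quote.
    """
    return html.escape(value, quote=True)


def render_hidden_field(cfid: str, sanitize) -> str:
    """Constructed stand-in for a legacy template that reflects CFID into an
    attribute value (the context the scanner's leading '"/>' is aimed at)."""
    return '<input type="hidden" name="CFID" value="%s">' % sanitize(cfid)


class _TagCollector(HTMLParser):
    """Collect (tag, attributes) the way a browser-like parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parse_tags(markup: str) -> list:
    """Return the elements in markup with their entity-decoded attributes."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


EXPECTED_ATTRS = {"type", "name", "value"}


def injected_attributes(markup: str) -> set:
    """Attribute names present in the markup that the template never wrote."""
    names = set()
    for _tag, attrs in parse_tags(markup):
        names.update(attrs)
    return names - EXPECTED_ATTRS


if __name__ == "__main__":
    for label, payload in (("scanner", SCANNER_PAYLOAD), ("attribute", ATTRIBUTE_PAYLOAD)):
        print(label, "stripped:", render_hidden_field(payload, strip_tags))
        print(label, "encoded: ", render_hidden_field(payload, encode_for_html))
    print("injected after strip: ", injected_attributes(render_hidden_field(ATTRIBUTE_PAYLOAD, strip_tags)))
    print("injected after encode:", injected_attributes(render_hidden_field(ATTRIBUTE_PAYLOAD, encode_for_html)))
```

Running it shows what the regex keys on and what it does not: the iframe and its onLoad handler, which is what the scanner detected, are gone, but the stripped scanner payload still begins with `"/>` and ends with `<!--`, so the hidden field is closed early and the rest of the page is swallowed into a comment. The constructed second payload has nothing for the regex to remove, and the parser reports onfocus and autofocus as attributes of the real input element. Encoding the value where it is written into the page leaves one element whose value decodes to exactly what was submitted; in ColdFusion that is HTMLEditFormat() on output (or EncodeForHTML() from ColdFusion 10), with input-side stripping as a supplement rather than the only control.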