?
Solved

coldfusion security

Posted on 2012-04-12
4
Medium Priority
?
365 Views
Last Modified: 2012-04-27
Hello,
A security scan was recently run on our web site and it showed some cross site scripting vulnerabilities. Mostly they are with CFID and CFTOKEN (see below for one of them). Is there a quick fix for this?

Cross-site scripting vulnerability found
Injected item: GET: CFID
Injection value: "/><iframe src=/lunder/' onLoad=alert(13318478.17087)
/></body></html><!--
Detection value: 13318478.17087
This is a reflected XSS vulnerability, detected in an alert that was an immediate response to the injection.
0
Comment
Question by:cbeverly
  • 3
4 Comments
 
LVL 36

Accepted Solution

by:
SidFishes earned 2000 total points
ID: 37837580
Switch to jsessionid's if possible.

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_23472564.html

I've written a blog post about CF & XSS here

http://sidfishes.wordpress.com/2009/03/17/60/

with a few tips.
0
 

Author Comment

by:cbeverly
ID: 37837665
Thank you for the post. This error code is from an application that we didn't write and are really going to re-contract out in a few months and we just want this old application to pass the security scan in the meantime. Is there a really quick fix I can use to accomplish this.
0
 
LVL 36

Expert Comment

by:SidFishes
ID: 37837793
well, as i noted in my post global script protection may help and that requires nothing but making a setting change in cfadmin.

If the application is written poorly without the other things I mention such as input sanitization, you won't have a "quick fix"
0
 
LVL 36

Expert Comment

by:SidFishes
ID: 37837815
on review of the OP, i see that it looks like an iframe injection - which won't be helped by global script protection (as noted in the example in my post)


the fix is quite simple though - all form variables need to have html stripped

rereplacenocase(form.aVariable,”<[^>]*>”, “”, “All”)

but you'd have to dig into the code to do that.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, I was working on some optimization and spam-stopping techniques when I encountered Ben Nadel's post to reduce spam feature using Math (http://www.bennadel.com/blog/197-How-I-Stop-Spammers-On-My-ColdFusion-Blog.htm). While this method is not o…
I spent nearly three days trying to figure out how incorporate OAuth in Coldfusion for the Eventful API. Hopefully, this article will allow Coldfusion Programmers to buzz through the API when they need to. Basically, what this script does is authori…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses
Course of the Month16 days, 7 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question