Addressing security scan results

Question

My office uses something called "IBM Security AppScan Standard" to scan web apps.  Two of the things it scans for (of course) are XSS and SQL injection.One of my pages got flagged despite my use of cfqueryparam, isValid(), and htmleditformat().  What happens is if you intercept the post data from the form and append something like &foo to a numeric value, you get back a CF error page that looks something like this:500 - Internal server error.

ROOT CAUSE: 
java.lang.IllegalArgumentException
at coldfusion.filter.FormScope.parseQueryString(FormScope.java:349)
at coldfusion.filter.FormScope.parsePostData(FormScope.java:321)
at coldfusion.filter.FormScope.fillForm(FormScope.java:271)
at coldfusion.filter.FusionContext.SymTab_initForRequest(FusionContext.java:437)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:33)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)
at coldfusion.CfmServlet.service(CfmServlet.java:175)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
at jrun.servlet.FilterChain.service(FilterChain.java:101)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
I've tried just about everything to get rid of this, including cftry/cfcatch, isvalid, replace(), and a few other things, but I still get the 500 error.I'm pretty sure the error is what's triggering the security alert.  Any ideas on how to fix this?

Dave Ferguson · Answer

The actual code that is causing the error would be helpful.

500 - Internal server error.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded