Participant
December 12, 2015
Question

Cross Site Scripting bug with cfparam?

  • December 12, 2015
  • 3 replies
  • 1431 views

This is really strange.

I got a message from xssposed.org that my website is vulnerable to cross site scripting. They gave me a URL where a specially crafted URL variable could cause a pop-up alert on my website.

I narrowed it down to cfparam.

Create a file that just has:

<cfparam name="video" default="1" type="integer">

Name the file test.cfm

Upload it and go to your website: xxxxx.com/test.cfm?video=%22%3E%3Csvg/onload=prompt(/XSS/)%3E

It is seen best using firefox.

This website is running an old version of ColdFusion, 8.01 (it is for a small cancer charity that can't afford to upgrade). I also maintain a few websites on a server that is running ColdFusion 10 Enterprise, so I tried it there also and the same thing happens.

If I replace type="integer" with type="any" it doesn't happen.

Does this happen on the current version of ColdFusion? The admin option for "enable global script protect" is enabled.


    3 replies

    MusellaAuthor
    Participant
    December 21, 2015

    Thanks for the responses. Since it doesn't happen in the latest version of ColdFusion, I will drop it.

    I worked around it on my website on CF8. It is using custom error pages, but the default error page does seem to fire for a split second. Long enough for the problem.

    I tried to make sure the server is patched but can't find version 8 patches anymore. Anyone happen to have a copy of them? What was the last fully patched version?

    Carl Von Stetten
    Legend
    December 21, 2015

    There's a community archive of ColdFusion installers and hotfixes here: http://www.gpickin.com/cfrepo/

    -Carl V.

    BKBK
    Community Expert
    December 13, 2015

    You should in any case apply the scriptProtect security setting.

    In Application.cfm:

    <cfapplication scriptProtect="all">

    In Application.cfc:

    <cfcomponent>

        <cfset this.scriptProtect="all">

    </cfcomponent>

    MusellaAuthor
    Participant
    December 13, 2015

    Thanks, but as I said above the global script protect is turned on in the administrator. I assume that means I do not have to do it in the application file also?

    BKBK
    Community Expert
    December 13, 2015

    Ah, I see it now. My suggestion is equivalent to enabling scriptProtect in the Administrator. That should be enough protection against the cross-site scripting that you describe.

    MusellaAuthor
    Participant
    December 12, 2015

    I figured out what is happening. This is bizarre. The cfparam tag triggers an error which generates a ColdFusion error page that says: The value specified, "><svg/onload=prompt(/XSS/)>", must be a valid integer.

    When that is displayed in Firefox, it executes JavaScript.

    Then I have site-wide error handling that switches you to the custom error page, but the ColdFusion error page displays for a fraction of a second, long enough to fire off that JavaScript.

    Any way to stop that?
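An added example of the two-part defence this thread points at (validate before cfparam can throw, and encode anything an exception message carries into the custom error page). This is illustration code written for this thread, not code from Adobe or from any poster; it assumes the page reads url.video as in the original post, the application name is a placeholder, and the response texts are made up.

```cfml
<!--- Application.cfc (added example, not from the thread) --->
<cfcomponent output="false">
    <cfset this.name = "videoSiteExample">   <!--- placeholder application name --->
    <!--- Per-application equivalent of the Administrator's
          "Enable Global Script Protection" setting, as BKBK suggests above. --->
    <cfset this.scriptProtect = "all">

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Validate request parameters here, before any <cfparam type="integer">
              in the target page can raise an exception whose message echoes the
              raw value. isValid() returns a boolean instead of throwing, so no
              error page, default or custom, is ever rendered for a bad value. --->
        <cfif structKeyExists(url, "video") and not isValid("integer", url.video)>
            <cfheader statuscode="400" statustext="Bad Request">
            <cfoutput>Invalid value for "video".</cfoutput>
            <cfreturn false>   <!--- false stops processing of the target page --->
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <!--- Last line of defence for any other exception: the message is
              HTML-encoded before it is written out, so a value reflected in the
              message (as cfparam does) cannot become markup. HTMLEditFormat()
              exists on ColdFusion 8; on ColdFusion 10 and later encodeForHTML()
              is the preferred encoder. --->
        <cfset var message = "An error occurred while processing your request.">
        <cfif structKeyExists(arguments.exception, "message")>
            <cfset message = arguments.exception.message>
        </cfif>
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput>
            <p>#HTMLEditFormat(message)#</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

The onRequestStart check is the part that actually removes the problem described in the post above: when the value is rejected there, cfparam never runs, so neither the default error page nor a site-wide redirect to a custom page is involved. The same isValid() pattern applies to every other parameter the site validates with a typed cfparam. The onError encoding is a backstop only; it does not help if the Administrator's site-wide error handler redirects through the default page first, which is why validating up front matters.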