JsessionID Cross Site Sccripting Bug

Question

Hacker Safe Found the following cross site scripting issue on
our server.

index.cfm?CFID=6766970&CFTOKEN=32892658&jsessionid=4c3035dcfc2d1
f43303b%3F%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3
E%3C%22%3
D1

The Global protect is on, and the patch is applied, but still
the javascript
executes.

We have corrected it using <cfif
#UrlDecode("#cgi.QUERY_STRING#")# contains "<"> but I would
like to know if there is a patch / hotfix for this

Newsgroup_User · Answer

cafebritt wrote:> Hacker Safe Found the following cross site scriptingissue on our server.> >index.cfm?CFID=6766970&CFTOKEN=32892658&jsessionid=4c3035dcfc2d1>f43303b%3F%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3> E%3C%22%3> D1> > The Global protect is on, and the patch is applied, butstill the javascript> executes.> > We have corrected it using "<"> but I would like to know if there is a patch/ hotfix for thisYou can patch this yourself :) The regular expressions thatare used by the Global Script Protect function are located in theneo-security.xml file. Just update them.Since this is a user-to-user forum and not a user-to-adobeforum I would recommend you file a bugreport at http://adobe.com/go/wish/Jochem-- Jochem van DietenAdobe Community Expert for ColdFusion

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded