BreakawayPaul
Inspiring
April 9, 2015
Answered

Need help understanding security scan results.

  • April 9, 2015
  • 1 reply
  • 2752 views

My agency recently started using HP's Fortify Scan tool, which is designed to scan CF code directly, rather than the rendered page.  The scanner always seems to flag our pages for a certain error when I use the following code (used to create a PDF on the fly):

<cfheader name="Content-Disposition" value="attachment;filename=#pdffile#">

<cfcontent type="application/octet-stream" file="#expandPath('.')#\#pdffile#" deletefile="Yes">

Line 1 (the cfheader tag) is line 299 in my code.

I'm basically generating a filename elsewhere on the page that's based on what a user is requesting, then using the code above to create a downloadable PDF of that file.

The error is:

Header Manipulation (Input Validation and Representation, Data Flow)

The file myfile.cfm includes unvalidated data in an HTTP response header on line 299.  This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

I'm thinking there's one of two potential issues.

  1. expandpath() is exploitable
  2. The scanner is programmed to flag any variable passed to a cfheader tag.

Any thoughts?

    Correct answer Dave Ferguson

    You need to scope the pdffile variable.  Without a specific scope it could be overwritten by incoming url or form variables.  I would try that then run the scan again.

    HTH,

    --Dave
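The scoping advice above, carried one step further as an added example that is not part of the original post or Dave's reply. Scoping stops an unscoped name from being resolved from url/form, but the finding is a data-flow one: the filename is derived from what the user requested, and a value the user controls reaches both a response header (CR/LF would let extra headers be injected, quotes and semicolons break the Content-Disposition value) and the cfcontent file attribute (path separators or ".." would turn it into a traversal). The practical fix is to scope the variable and validate it against a whitelist before either tag sees it. The names form.report, request.pdffile and request.pdfpath are assumptions; the original page derives the filename "elsewhere".

```cfml
<!--- Added example, not the poster's code: scope the filename AND validate it
      before it reaches the response header or the file system. --->
<!--- Assumption: the requested report name arrives as form.report. --->
<cfparam name="form.report" default="">

<!--- Scoped assignment: never read or write "pdffile" unscoped. --->
<cfset request.pdffile = form.report & ".pdf">

<!--- Whitelist check. Rejects CR/LF (header injection), quotes and semicolons
      (break the Content-Disposition value) and slashes, backslashes and ".."
      (path traversal via the cfcontent file attribute). --->
<cfif NOT reFind("^[A-Za-z0-9_-]{1,64}\.pdf$", request.pdffile)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid report name.</cfoutput>
    <cfabort>
</cfif>

<!--- Resolve the path only from the validated name, relative to this template. --->
<cfset request.pdfpath = expandPath("./" & request.pdffile)>

<cfif NOT fileExists(request.pdfpath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- Both tags now only ever see a value that matched the whitelist above. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#request.pdffile#""">
<cfcontent type="application/octet-stream" file="#request.pdfpath#" deletefile="yes">
```

One caveat: a scanner that follows data flow clears a finding only when it recognises the check as a validation step. If the report persists after this change, the place to look is the scanner's validation rules, not the code, since the header can no longer carry anything outside the whitelist.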


    BreakawayPaul
    Inspiring
    April 9, 2015

    So you mean something like:

    #request.pdffile#

    Dave Ferguson
    Participating Frequently
    April 9, 2015

    Yes... that is what I mean.

    --Dave