spradhan
July 17, 2015
Question

Acunetix Web Vulnerability Scanner 10.0 deems the yui javascript included in CF 11 as vulnerable


Is there any way to clean these javascript files?

/cfide/scripts/ajax/yui/animation/animation-min.js

/cfide/scripts/ajax/yui/calendar/calendar-min.js

/cfide/scripts/ajax/yui/yahoo-dom-event/yahoo-dom-event.js

CVE-2010-4710 : Cross-site scripting (XSS) vulnerability in the addItem method in the Menu widget in YUI before 2.9.0 al…
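Before deciding whether to swap files in place or rewrite the tags, it helps to know which of the shipped build files actually predate the fix. The script below is an added example, not something from this thread or from Adobe: it walks a scripts directory, reads the comment header that the YUI 2 build files carry (the `version: 2.x.y` line), and lists every YUI 2 file older than 2.9.0, the release the CVE text names. The directory layout and file contents it creates are constructed for the demonstration; the version line is only trusted inside the leading comment block, so a `version:` string elsewhere in some other framework's file does not produce a false hit. Run it again after dropping the YUI 2.9.0 build into `/cfide/scripts/ajax/yui` to confirm the replacement took.

```python
"""List YUI 2 build files older than the 2.9.0 release named in CVE-2010-4710.

Added example, not part of the original thread or of ColdFusion. It assumes the
YUI 2 build files start with the standard Yahoo header comment containing a
"version: 2.x.y" line; the sample tree below is constructed for the demo.
"""
import os
import re
import tempfile

FIXED_IN = (2, 9, 0)  # CVE-2010-4710: XSS in the Menu widget's addItem, fixed in YUI 2.9.0

# A line such as "version: 2.8.2" inside the header comment of a YUI 2 build file
VERSION_RE = re.compile(r"^\s*version:\s*(\d+)\.(\d+)\.(\d+)\s*$", re.MULTILINE)


def yui_version(source: str):
    """Return (major, minor, patch) from a YUI build header, or None.

    Only the leading comment block (up to the first "*/") is inspected, so a
    "version:" string later in the file cannot spoof or hide the result.
    """
    end = source.find("*/")
    header = source[: end if end != -1 else 0]
    match = VERSION_RE.search(header)
    return tuple(int(part) for part in match.groups()) if match else None


def scan_tree(root: str, fixed_in=FIXED_IN):
    """Return {relative path: version} for every YUI 2 file under root older than fixed_in.

    Files without a YUI 2 header (CF's own scripts, Ext JS, jQuery) are skipped.
    """
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                # The header sits in the first few hundred bytes; no need to read a whole build
                version = yui_version(fh.read(2048))
            if version and version[0] == 2 and version < fixed_in:
                findings[os.path.relpath(path, root)] = version
    return findings


def _yui_header(version: str) -> str:
    """Constructed sample of the comment block at the top of a YUI 2 build file."""
    return (
        "/*\nCopyright (c) Yahoo! Inc. All rights reserved.\n"
        "Code licensed under the BSD License:\n"
        "http://developer.yahoo.com/yui/license.html\n"
        f"version: {version}\n*/\n"
    )


def build_sample_tree() -> str:
    """Create a throw-away directory shaped like /cfide/scripts/ajax with constructed files."""
    root = tempfile.mkdtemp(prefix="cfide-scripts-")
    samples = {
        "yui/calendar/calendar-min.js": _yui_header("2.8.2") + "var YAHOO=YAHOO||{};",
        "yui/animation/animation-min.js": _yui_header("2.8.2") + "var YAHOO=YAHOO||{};",
        "yui/menu/menu-min.js": _yui_header("2.9.0") + "var YAHOO=YAHOO||{};",  # already at the fixed release
        "package/cftooltip.js": "// ColdFusion's own script, no YUI header\n",
        "ext/ext-all.js": "/*\nExt JS sample header\n*/\nversion: 2.0.0\n",  # version line outside the header: ignored
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, ver in sorted(scan_tree(sample_root).items()):
        print(f"{rel}: YUI {'.'.join(map(str, ver))} < 2.9.0 (CVE-2010-4710)")
```

Point `scan_tree` at the real `CFIDE/scripts/ajax` directory instead of the sample tree to get the list for an actual installation. Note that this only tells you which files are below the fixed release, which is what a version-based scanner finding rests on; it says nothing about whether the affected widget is reachable from your pages.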


    Participant
    August 6, 2015

    Hello,

    This is also a problem for us. We are in the process of getting a security certification, and the fact that YUI 2 is deprecated (Announcing YUI 2.9.0) is causing us problems. Essentially, the certifying company claims that having a deprecated JavaScript library makes our application highly vulnerable.

    Can you advise as to what you see as a comprehensive solution for us?

    Legend
    August 7, 2015

    Our scanners have not flagged us with this one yet, as we have very limited use of CF11 thus far, but I imagine it will be an issue for us in the very near future. Worst case, you should be able to download the latest YUI and install it to the scripts folder (or scripts/ajax -- I'm not familiar with the YUI install path).

    Participant
    August 14, 2015

    Hi, I wish we could have an option to upgrade from YUI 2 to YUI 3 just by replacing some files. Let me give you an example.

    1. CFTOOLTIP is mainly generated from this file: \CFIDE\scripts\ajax\package\cftooltip.js. Refer to line 32.

    2. Line 32 of this file reads: YAHOO.util.Event.addListener(_580.context,"mouseout",ColdFusion.Tooltip.setToolTipOut,{"tooltip":_581});

    3. In YUI 3 the syntax is different, as "addListener" in YUI 3 is "YUI.on".

    4. Hence, the effort to migrate from YUI 2 (year 2007) to YUI 3 has to impact CF files which are important components of CF.

    5. This is to say that this issue also impacts cftree, cfajax, cfautosuggest, cfcalendar and cfmenu.

    We are considering creating our own tags (cf_) to replace these features fully, as we do not see an easy patch for this.

    Do also note that ColdFusion is using other script frameworks (e.g. EXTJS version 4.2, even though EXTJS is currently in version 6).

    At the same time, it also uses jQuery and jQuery UI. jQuery is outdated as well, but that is an easy replacement you can do.

    We truly believe ColdFusion needs to centralize all the scripts and prevent mixing up frameworks, so migrations like this are easier to do. For now, we are better off not using the UI gadgets that come out of the box from CF. CF 12 needs for sure to consider this nightmare of scripting and do a sole partnership with EXT JS, for example.

    Hope the above clarifies.