Cross Site Scripting bug with cfparam?
This is really strange.
I got a message from xssposed.org that my website is vulnerable to cross-site scripting. They gave me a URL showing that a specially crafted URL variable could cause a pop-up alert on my website.
I narrowed it down to cfparam.
Create a file that just has:
<cfparam name="video" default="1" type="integer">
Name the file test.cfm
Upload it and go to your website: xxxxx.com/test.cfm?video=%22%3E%3Csvg/onload=prompt(/XSS/)%3E
It is seen best using firefox.
This website is running an old version of ColdFusion, 8.0.1 (it is for a small cancer charity that can't afford to upgrade). I also maintain a few websites on a server that is running ColdFusion 10 Enterprise, so I tried it there also, and the same thing happens.
If I replace type="integer" with type="any" it doesn't happen.
Does this happen on the current version of ColdFusion? The admin option for "enable global script protect" is enabled.
I figured out what is happening. This is bizarre. The cfparam tag triggers an error which generates a ColdFusion error page that says: The value specified, "><svg/onload=prompt(/XSS/)>", must be a valid integer.
When that is displayed in Firefox, it executes JavaScript.
Then I have site-wide error handling that switches you to the custom error page, but the ColdFusion error page displays for a fraction of a second, long enough to fire off that JavaScript.
Any way to stop that?
You should in any case apply the scriptProtect security setting.
In Application.cfm:
<cfapplication scriptProtect="all">
In Application.cfc:
<cfcomponent>
<cfset this.scriptProtect="all">
</cfcomponent>
Thanks, but as I said above, the global script protect is turned on in the Administrator. I assume that means I do not have to do it in the application file also?
Ah, I see it now. My suggestion is equivalent to enabling scriptProtect in the Administrator. That should be enough protection against the cross-site scripting that you describe.
No - you missed it. Let me explain again:
(This happens in CF 8 and 10; not sure if 11. And with script protect enabled.)
If you just have a cfparam tag with type="integer" and pass it something that is not an integer, you get an error page that displays the invalid URL parameter. If that URL parameter is a script, it gets executed.
If you have a custom error page in place, that ColdFusion error page still gets sent to the browser for a fraction of a second, just long enough to execute the script, before the custom error page is displayed.
In the example I showed above, you can't see it in Chrome, but in Firefox you will see an alert box show up for about a second. You may have to do it a few times to see it (or, to make it easy, turn off the custom error pages and the alert stays on the screen).
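The root cause described in this thread is that a failed cfparam type check builds an exception message out of the raw request value, and the default error template then renders that message without HTML encoding. The added example below (it is not code from the original post) is a hardened version of the one-line test.cfm: it validates url.video before cfparam can throw, and encodes any request data that is deliberately echoed back. The page text and the "video" parameter name are the thread's; the isValid/val handling and the output markup are assumptions of this example. Note that encodeForHTML() exists only from ColdFusion 10 onward; on ColdFusion 8 use htmlEditFormat() instead.

```cfml
<!--- test.cfm, hardened. Added example; not code from the original thread.
      The original repro was the single line:
          <cfparam name="video" default="1" type="integer">
      which throws on ?video=%22%3E%3Csvg/onload=prompt(/XSS/)%3E and puts the
      raw value into the exception message. --->

<!--- 1. Decide what "video" may be BEFORE any tag can throw with the raw value.
        isValid() simply returns false for the payload; it never builds an
        error message from it. --->
<cfset video = 1>
<cfif structKeyExists(url, "video") AND isValid("integer", url.video)>
    <cfset video = val(url.video)>
</cfif>

<!--- 2. cfparam now finds variables.video (searched before the URL scope),
        which already holds a validated integer, so the type check cannot fail
        and cannot reflect request data into an error page. --->
<cfparam name="video" default="1" type="integer">

<!--- 3. Any request value that does reach the page is encoded for the HTML
        context. encodeForHTML() is ColdFusion 10+; on ColdFusion 8 use
        htmlEditFormat() (assumption of this example: a "showing the default"
        notice is wanted at all). --->
<cfoutput>
<p>Showing video #video#.</p>
<cfif structKeyExists(url, "video") AND NOT isValid("integer", url.video)>
    <p>"#encodeForHTML(url.video)#" is not a valid video number; showing the default.</p>
</cfif>
</cfoutput>
```

With this in place, requesting test.cfm?video=%22%3E%3Csvg/onload=prompt(/XSS/)%3E renders the payload as inert text instead of producing an error page, regardless of what the default error template does and regardless of whether scriptProtect happens to match the tag name used.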
ScriptProtect is a very minimal XSS protection.
The default error pages for CF10-11 should be properly encoded to prevent XSS (using encodeForHTML for example). Older versions of CF did have some issues with not properly encoding error messages in the default error template, but those were patched in security hotfixes to the best of my knowledge. Make sure you have applied all the updates.
It is not my experience that CF's default error page will show for a second and then redirect to your own custom error page, so that is probably specific to your setup (are you talking about the IIS error page, perhaps?).
The way to get around this is to add a value to the "
The problem is that you do not have an error trap configured and you're relying on the default CF and/or web server error pages. The later CF and newer IIS (if that is your web server) have better default error pages to prevent XSS attacks like this, but IMHO you still should not be relying on default error traps. Write your own, log the errors, display user-friendly pages when errors occur, maybe send email alerts on certain thresholds, etc. Research CFERROR and/or the Application.cfc onError event.
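The reply above recommends an application-level error trap rather than the default template. The added example below (not code from the original thread or from Adobe) is an Application.cfc that combines the scriptProtect setting suggested earlier with an onError handler. Because onError replaces the response for an unhandled exception, the default ColdFusion error template is never rendered, so there is no window in which its unencoded message can reach the browser. The application name, log file name and the wording of the error page are assumptions of this example; encodeForHTML() is ColdFusion 10+, so on ColdFusion 8 substitute htmlEditFormat().

```cfml
<!--- Application.cfc. Added example; not from the original thread. --->
<cfcomponent output="false">
    <cfset this.name = "charitySite">   <!--- assumed application name --->

    <!--- scriptProtect only rewrites a short list of tag names found in
          request scopes; keep it on as a backstop, but the handler below
          is what actually prevents reflection of request data. --->
    <cfset this.scriptProtect = "all">

    <cffunction name="onError" returnType="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <cfset var errorId = createUUID()>

        <!--- Log the full detail, including the offending query string,
              server side. cflog writes to a file, never to the response,
              so the raw attacker-controlled value is safe here. --->
        <cflog file="siteErrors" type="error"
               text="[#errorId#] #arguments.eventName#: #arguments.exception.message# | query string: #cgi.query_string#">

        <!--- Send a generic page with a proper status code. Only the random
              error id is shown; if you ever echo exception.message or a
              request value, encode it for the HTML context first
              (encodeForHTML() on CF10+, htmlEditFormat() on CF8). --->
        <cfheader statusCode="500" statusText="Internal Server Error">
        <cfoutput>
<!DOCTYPE html>
<html>
<head><title>Something went wrong</title></head>
<body>
<h1>Something went wrong</h1>
<p>The request could not be completed. This problem has been logged.</p>
<p>Reference: #encodeForHTML(errorId)#</p>
</body>
</html>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

For a site that still uses Application.cfm instead of Application.cfc, the equivalent trap is `<cferror type="exception" template="error.cfm">` in Application.cfm, with error.cfm applying the same rule: log the detail, and HTML-encode anything from the error or the request before printing it.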
Musella wrote:
No - you missed it. Let me explain again:
(This happens in CF 8 and 10; not sure if 11. And with script protect enabled.)
If you just have a cfparam tag with type="integer" and pass it something that is not an integer, you get an error page that displays the invalid URL parameter. If that URL parameter is a script, it gets executed.
If you have a custom error page in place, that ColdFusion error page still gets sent to the browser for a fraction of a second, just long enough to execute the script, before the custom error page is displayed.
In the example I showed above, you can't see it in Chrome, but in Firefox you will see an alert box show up for about a second. You may have to do it a few times to see it (or, to make it easy, turn off the custom error pages and the alert stays on the screen).
Sorry, I could only test the issue on ColdFusion 11, as it is the version I have. The result was an error ("Invalid parameter type"), and no JavaScript execution.
Please report a bug (for ColdFusion 10; Adobe no longer supports CF8).
Thanks for the responses. Since it doesn't happen in the latest version of ColdFusion, I will drop it.
I worked around it on my website on CF8. It is using custom error pages, but the default error page does seem to fire for a split second, long enough for the problem.
I tried to make sure the server is patched but can't find version 8 patches any more. Does anyone happen to have a copy of them? What was the last fully patched version?
There's a community archive of ColdFusion installers and hotfixes here: http://www.gpickin.com/cfrepo/
-Carl V.