
Cross Site Scripting bug with cfparam?

New Here, Dec 12, 2015

This is really strange.

I got a message from xssposed.org that my website is vulnerable to cross site scripting. They gave me a URL in which a specially crafted URL variable could cause a pop-up alert on my website.

I narrowed it down to cfparam.

Create a file that just has:

<cfparam name="video" default="1" type="integer">

Name the file test.cfm

Upload it and go to your website: xxxxx.com/test.cfm?video=%22%3E%3Csvg/onload=prompt(/XSS/)%3E

It is seen best using Firefox.

This website is running an old version of ColdFusion, 8.01 (it is for a small cancer charity that can't afford to upgrade). I also maintain a few websites on a server that is running ColdFusion 10 Enterprise, so I tried it there also and the same thing happens.

If I replace type="integer" with type="any" it doesn't happen.

Does this happen on the current version of ColdFusion? The admin option for "enable global script protect" is enabled.

Views: 1.1K
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here, Dec 12, 2015

I figured out what is happening. This is bizarre. The cfparam tag triggers an error which generates a ColdFusion error page that says: The value specified, "><svg/onload=prompt(/XSS/)>", must be a valid integer.

When that is displayed in Firefox, it executes JavaScript.

Then I have site-wide error handling that switches you to the custom error page, but the ColdFusion error page displays for a fraction of a second, long enough to fire off that JavaScript.

Any way to stop that?
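One way to keep the tag from ever raising that error on user input, shown here as an added example rather than code from anyone in this thread: check the parameter with isValid() before cfparam runs and answer a plain 400 when it is not an integer, so neither the default error template nor a custom one is ever rendered with the submitted value inside it. The file name test.cfm and the parameter name video come from the first post; the response wording is a placeholder.

```cfml
<!--- test.cfm (added example, not the original poster's file).
      Validate the URL value before cfparam, so the "must be a valid integer"
      error, whose message reflects the submitted value, is never raised on
      attacker-controlled input. --->
<cfif structKeyExists(url, "video") AND NOT isValid("integer", url.video)>
    <!--- Plain response that does not echo the rejected value --->
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>The video parameter must be a whole number.</p></cfoutput>
    <cfabort>
</cfif>

<!--- cfparam now only ever sees an absent key or an already validated integer --->
<cfparam name="url.video" default="1" type="integer">

<!--- The value is validated, and htmlEditFormat() (present since CF8;
      encodeForHTML() supersedes it on CF10 and later) encodes it anyway --->
<cfoutput><p>Showing video #htmlEditFormat(url.video)#</p></cfoutput>
```

Scoping the name as url.video rather than the unscoped video in the original post also means the tag cannot be satisfied by a form field or cookie of the same name.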

Community Expert, Dec 13, 2015

You should in any case apply the scriptProtect security setting.

In Application.cfm:

<cfapplication scriptProtect="all">

In Application.cfc:

<cfcomponent>

    <cfset this.scriptProtect="all">

</cfcomponent>

New Here, Dec 13, 2015

Thanks, but as I said above, the global script protect is turned on in the administrator. I assume that means I do not have to do it in the application file also?

Community Expert, Dec 13, 2015

Ah, I see it now. My suggestion is equivalent to enabling scriptProtect in the Administrator. That should be enough protection against the cross-site scripting that you describe.

New Here, Dec 16, 2015

No - you missed it. Let me explain again:

(This happens in cf 8 and 10 - not sure if 11.  And with script protect enabled)

If you just have a cfparam tag with type="integer" and pass it something that is not an integer, you get an error page that displays the invalid URL parameter. If that URL parameter is a script, it gets executed.

If you have a custom error page in place, that ColdFusion error page still gets sent to the browser for a fraction of a second, just long enough to execute the script, before the custom error page is displayed.

In the example I showed above, you can't see it in Chrome, but in Firefox you will see an alert box show up for about a second. You may have to do it a few times to see it (or, to make it easy, turn off the custom error pages and the alert stays on the screen).

Enthusiast, Dec 17, 2015

ScriptProtect is a very minimal XSS protection.

The default error pages for CF10-11 should be properly encoded to prevent XSS (using encodeForHTML for example). Older versions of CF did have some issues with not properly encoding error messages in the default error template, but those were patched in security hotfixes to the best of my knowledge. Make sure you have applied all the updates.

It is not my experience that CF's default error page will show for a second and then redirect to your own custom error page, so that is probably specific to your setup (are you talking about the IIS error page, perhaps?).

The way to get around this is to add a value to the "

Advocate, Dec 17, 2015

The problem is that you do not have an error trap configured and you're relying on the default CF and/or web server error pages. The later CF versions and newer IIS (if that is your web server) have better default error pages to prevent XSS attacks like this, but IMHO you still should not be relying on default error traps. Write your own, log the errors, display user-friendly pages when errors occur, maybe send email alerts on certain thresholds, etc. Research CFERROR and/or the Application.cfc onError event.
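A concrete Application.cfc along the lines of the two previous replies (scriptProtect on, an onError handler that logs the real exception and shows a generic page, with anything request-derived passed through encodeForHTML). This is an added example and not code from anyone in the thread; it assumes ColdFusion 10 or later because encodeForHTML() was introduced in CF10, and the application name charitySite and the log file name are placeholders.

```cfml
<!--- Application.cfc (added example, not from any post in this thread).
      Assumes CF10 or later for encodeForHTML(); names are placeholders. --->
<cfcomponent output="false">
    <cfset this.name = "charitySite">
    <!--- The same setting the Community Expert recommends above --->
    <cfset this.scriptProtect = "all">

    <!--- Called instead of the default error template for any uncaught
          exception, including the cfparam type-check failure discussed here --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="false" default="">

        <!--- The raw message (which contains the submitted value) stays in the
              server log, where it is data rather than markup --->
        <cflog file="charitySite" type="error"
               text="#arguments.eventName# #arguments.exception.message# | #cgi.script_name#?#cgi.query_string#">

        <!--- A real error status: this response is an error, not a page to cache --->
        <cfheader statuscode="500" statustext="Internal Server Error">

        <!--- Generic page. The only request-derived string it echoes is the
              script path, and that goes through encodeForHTML() --->
        <cfoutput>
        <html><body>
        <h1>Sorry, something went wrong</h1>
        <p>The page #encodeForHTML(cgi.script_name)# could not be processed.
           The error has been logged.</p>
        </body></html>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

If the exception message itself has to be shown (for example while debugging), it goes through encodeForHTML() the same way: the submitted URL value is embedded in that message, and it is exactly the string the default template was reflecting.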

Community Expert, Dec 17, 2015

Musella wrote:

No - you missed it. Let me explain again:

(This happens in cf 8 and 10 - not sure if 11.  And with script protect enabled)

If you just have a cfparam tag with type="integer" and pass it something that is not an integer, you get an error page that displays the invalid URL parameter. If that URL parameter is a script, it gets executed.

If you have a custom error page in place, that ColdFusion error page still gets sent to the browser for a fraction of a second, just long enough to execute the script, before the custom error page is displayed.

In the example I showed above, you can't see it in Chrome, but in Firefox you will see an alert box show up for about a second. You may have to do it a few times to see it (or, to make it easy, turn off the custom error pages and the alert stays on the screen).

Sorry, I could only test the issue on ColdFusion 11, as it is the version I have. The result was an error ("Invalid parameter type"), and no JavaScript execution.

You should please report a bug. (For ColdFusion 10; Adobe no longer supports CF8.)

New Here, Dec 20, 2015

Thanks for the responses. Since it doesn't happen in the latest version of ColdFusion, I will drop it.

I worked around it on my website on CF8. It is using custom error pages, but the default error page does seem to fire for a split second, long enough for the problem.

I tried to make sure the server is patched but can't find version 8 patches any more. Does anyone happen to have a copy of them? What was the last fully patched version?

Guide, Dec 21, 2015

There's a community archive of ColdFusion installers and hotfixes here: http://www.gpickin.com/cfrepo/

-Carl V.
