Need help understanding security scan results.

Contributor, Apr 09, 2015


My agency recently started using HP's Fortify Scan tool, which is designed to scan CF code directly, rather than the rendered page.  The scanner always seems to flag our pages for a certain error when I use the following code (used to create a PDF on the fly):

<cfheader name="Content-Disposition" value="attachment;filename=#pdffile#">

<cfcontent type="application/octet-stream" file="#expandPath('.')#\#pdffile#" deletefile="Yes">

Line 01 above is line 299 in my code.

I'm basically generating a filename elsewhere on the page that's based on what a user is requesting, then using the code above to create a downloadable PDF of that file.

The error is:

Header Manipulation (Input Validation and Representation, Data Flow)

The file myfile.cfm includes unvalidated data in an HTTP response header on line 299.  This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

I'm thinking there's one of two potential issues.

  1. expandpath() is exploitable
  2. The scanner is programmed to flag any variable passed to a cfheader tag.

Any thoughts?

Views: 1.9K

Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

1 Correct Answer

Engaged, Apr 09, 2015


You need to scope the pdffile variable.  Without a specific scope it could be overwritten by incoming url or form variables.  I would try that then run the scan again.

HTH,

--Dave
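Dave's fix written out, together with the filename check a defender would put beside it; this is an example added here, not the original poster's code. The variable name variables.pdffile and the createUUID-based naming are assumptions, since the thread only says the name is generated elsewhere on the page.

```cfml
<!--- Added example, not the original poster's code. Assumes the PDF has
      already been written to the current template directory under a name
      the page built itself (hypothetical variables.pdffile). --->

<!--- Before (as posted): unscoped. ColdFusion resolves a bare name by
      searching several scopes in order, so url.pdffile or form.pdffile
      could supply the value that lands in the response header:

      <cfheader name="Content-Disposition" value="attachment;filename=#pdffile#">
      <cfcontent type="application/octet-stream" file="#expandPath('.')#\#pdffile#" deletefile="Yes">
--->

<!--- After: set and read the name in an explicit scope, so request input
      cannot shadow it (this alone is what cleared the Fortify finding). --->
<cfset variables.pdffile = "report_" & createUUID() & ".pdf">

<!--- Extra check, beyond what the thread describes: keep only the file name
      part (no directory separators) and allow a conservative character set.
      CR/LF cannot pass this test, so the header can never be split, and the
      value can never reach outside the intended directory. --->
<cfset variables.safeName = getFileFromPath(variables.pdffile)>
<cfif NOT reFind("^[A-Za-z0-9_\-]+\.pdf$", variables.safeName)>
    <cfthrow type="InvalidFilename"
             message="Refusing to serve an unexpected file name.">
</cfif>

<!--- Quote the filename parameter and use the scoped, validated value in
      both the header and the filesystem path. expandPath resolves the name
      relative to the current template directory on any OS. --->
<cfheader name="Content-Disposition"
          value='attachment; filename="#variables.safeName#"'>
<cfcontent type="application/octet-stream"
           file="#expandPath('./' & variables.safeName)#"
           deletefile="Yes">
```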

Contributor, Apr 09, 2015


So you mean something like:

#request.pdffile#

Engaged, Apr 09, 2015


Yes... that is what I mean.

--Dave

Contributor, Apr 09, 2015


Thanks! I'll try that tomorrow.

Contributor, Apr 10, 2015


Thanks Dave,

That cleaned up the scan results.  You rock!

Engaged, Apr 10, 2015


No problem.  Glad you got it all squared away.
