I'm trying to adjust the neo-security.xml file on my CF9 instance to trap cross-site scripting things like:
myurl.cfm/?'==alert(22)=='
myurl.cfm/?'++alert(22)'
I modified the xml like this but it seems I haven't gotten the regular expression right.
<data>
  <struct type="coldfusion.server.ConfigMap">
    <var name="admin.userid.root">
      <string>admin</string>
    </var>
    <var name="rds.security.enabled">
      <boolean value="true" />
    </var>
    <var name="admin.userid.required">
      <boolean value="false" />
    </var>
    <var name="contexts">
      <struct type="coldfusion.server.ConfigMap">
        <var name="/">
          <struct type="coldfusion.server.ConfigMap"></struct>
        </var>
      </struct>
    </var>
    <var name="CrossSiteScriptPatterns">
      <struct type="coldfusion.server.ConfigMap">
        <var name="\s*(object|embed|script|applet|meta|iframe))\b">
          <string><InvalidTag</string>
        </var>
        <var name="\\3F\\27*(\=|\+)*">
          <string>Inject</string>
        </var>
      </struct>
    </var>
    <var name="sbs.security.enabled">
      <boolean value="false" />
    </var>
    <var name="admin.security.enabled">
      <boolean value="true" />
    </var>
  </struct>
</data>
CF throws an error.
"Error","scheduler-1","09/06/17","09:35:59",,"Unable to initialize Security service: coldfusion.server.ServiceException:
WDDX packet parse error at line 1, column 1. Content is not allowed in prolog.."
Any ideas on the correct format?
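A way to check a CrossSiteScriptPatterns block offline before restarting ColdFusion, as an added example that is not part of the post above and not Adobe's code. It parses a constructed fragment shaped like the post's block, reports which pattern names compile as regular expressions, and applies the ones that do compile to a few constructed request values the way scriptProtect substitutes matches with the `<string>` value. Assumptions: Python's `re` stands in for the Java regex engine CF uses (the two agree on everything exercised here), matching is treated as case-insensitive, and the second entry is an assumed stock-style pattern with its leading `<` written as `&lt;`. Two things the run makes visible: the first pattern from the post has an unbalanced `)` and never compiles, and in the third pattern `\\` is a regex escape for a literal backslash, so `\\3F\\27` looks for the characters `\3F\2` rather than `?'`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment (not the real neo-security.xml). Entry 1 is the post's first
# pattern, stray ")" included; entry 2 is an assumed stock-style pattern with "<"
# escaped as &lt;; entry 3 is the post's second pattern verbatim.
SAMPLE_XML = r"""<var name="CrossSiteScriptPatterns">
<struct type="coldfusion.server.ConfigMap">
<var name="\s*(object|embed|script|applet|meta|iframe))\b">
<string>&lt;InvalidTag</string>
</var>
<var name="&lt;\s*(object|embed|script|applet|meta)">
<string>&lt;InvalidTag</string>
</var>
<var name="\\3F\\27*(\=|\+)*">
<string>Inject</string>
</var>
</struct>
</var>"""

# Constructed request values: the two payloads from the post plus a benign one.
SAMPLE_VALUES = [
    "'==alert(22)=='",
    "'++alert(22)'",
    "<script>alert(1)</script>",
    "hello world",
]


def load_patterns(xml_text):
    """Return (pattern, replacement) pairs in file order from a CrossSiteScriptPatterns <var>.

    The pattern is the <var name="..."> attribute; the replacement is the <string> text.
    ElementTree decodes &lt; in both, so the pairs hold the real characters.
    """
    root = ET.fromstring(xml_text)
    pairs = []
    for var in root.find("struct").findall("var"):
        pairs.append((var.get("name"), var.findtext("string", default="")))
    return pairs


def check_patterns(pairs):
    """Map each pattern to None if it compiles, otherwise to the compile error text."""
    report = {}
    for pattern, _ in pairs:
        try:
            re.compile(pattern, re.IGNORECASE)  # case-insensitivity is an assumption
            report[pattern] = None
        except re.error as exc:
            report[pattern] = str(exc)
    return report


def sanitize(value, pairs):
    """Replace every match of each compilable pattern with its replacement string.

    Patterns that do not compile are skipped here; check_patterns() reports them.
    A lambda is used so "\\" or "&" in the replacement text is never interpreted.
    """
    for pattern, replacement in pairs:
        try:
            regex = re.compile(pattern, re.IGNORECASE)
        except re.error:
            continue
        value = regex.sub(lambda _m, r=replacement: r, value)
    return value


if __name__ == "__main__":
    pairs = load_patterns(SAMPLE_XML)
    for pattern, error in check_patterns(pairs).items():
        print(f"{pattern!r}: {'ok' if error is None else 'DOES NOT COMPILE: ' + error}")
    for raw in SAMPLE_VALUES:
        print(f"{raw!r} -> {sanitize(raw, pairs)!r}")
```

Running it shows that only the `<script` value is altered (to `<InvalidTag>alert(1)</script>`); both `'==alert(22)=='` and `'++alert(22)'` pass through untouched because the only pattern aimed at them requires a literal backslash. The same check, fed the real block from neo-security.xml, catches a non-compiling pattern before the server is restarted.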