Neo-security file changes

Explorer ,
Sep 08, 2017 Sep 08, 2017

Copy link to clipboard

Copied

I'm trying to adjust the neo-security.xml file on my CF9 instance to trap cross site scripting things like:

myurl.cfm/?'==alert(22)=='

myurl.cfm/?'++alert(22)'

I modified the xml like this but it seems I haven't gotten the regular expression right. 

  <data>

    <struct type="coldfusion.server.ConfigMap">

      <var name="admin.userid.root">

        <string>admin</string>

      </var>

      <var name="rds.security.enabled">

        <boolean value="true" />

      </var>

      <var name="admin.userid.required">

        <boolean value="false" />

      </var>

      <var name="contexts">

        <struct type="coldfusion.server.ConfigMap">

          <var name="/">

            <struct type="coldfusion.server.ConfigMap"></struct>

          </var>

        </struct>

      </var>

      <var name="CrossSiteScriptPatterns">

        <struct type="coldfusion.server.ConfigMap">

          <var name="\s*(object|embed|script|applet|meta|iframe))\b">

            <string>&lt;InvalidTag</string>

          </var>

          <var name="\\3F\\27*(\=|\+)*">

            <string>Inject</string>

          </var>

        </struct>

      </var>

      <var name="sbs.security.enabled">

        <boolean value="false" />

      </var>

      <var name="admin.security.enabled">

        <boolean value="true" />

      </var>

    </struct>

  </data>

CF throws an error.

"Error","scheduler-1","09/06/17","09:35:59",,"Unable to initialize Security service: coldfusion.server.ServiceException:

coldfusion.wddx.WddxDeserializationException:

   WDDX packet parse error at line 1, column 1. Content is not allowed in prolog.."

Any ideas on the correct format?

Views

245

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
no replies

Have something to add?

Join the conversation