Neo-security file changes

Explorer, Sep 08, 2017

I'm trying to adjust the neo-security.xml file on my CF9 instance to trap cross-site scripting things like:

myurl.cfm/?'==alert(22)=='

myurl.cfm/?'++alert(22)'

I modified the XML like this, but it seems I haven't gotten the regular expression right.

  <data>
    <struct type="coldfusion.server.ConfigMap">
      <var name="admin.userid.root">
        <string>admin</string>
      </var>
      <var name="rds.security.enabled">
        <boolean value="true" />
      </var>
      <var name="admin.userid.required">
        <boolean value="false" />
      </var>
      <var name="contexts">
        <struct type="coldfusion.server.ConfigMap">
          <var name="/">
            <struct type="coldfusion.server.ConfigMap"></struct>
          </var>
        </struct>
      </var>
      <var name="CrossSiteScriptPatterns">
        <struct type="coldfusion.server.ConfigMap">
          <var name="\s*(object|embed|script|applet|meta|iframe))\b">
            <string>&lt;InvalidTag</string>
          </var>
          <var name="\\3F\\27*(\=|\+)*">
            <string>Inject</string>
          </var>
        </struct>
      </var>
      <var name="sbs.security.enabled">
        <boolean value="false" />
      </var>
      <var name="admin.security.enabled">
        <boolean value="true" />
      </var>
    </struct>
  </data>

CF throws an error.

"Error","scheduler-1","09/06/17","09:35:59",,"Unable to initialize Security service: coldfusion.server.ServiceException:
coldfusion.wddx.WddxDeserializationException:
   WDDX packet parse error at line 1, column 1. Content is not allowed in prolog.."

Any ideas on the correct format?

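Added example, not part of the post above and not Adobe's code: an offline checker for the CrossSiteScriptPatterns block of a neo-security.xml packet, doing the three things worth checking before restarting the server. It (1) looks for anything ahead of `<wddxPacket>` in the raw bytes, since a "parse error at line 1, column 1 ... Content is not allowed in prolog" means the parser hit non-whitespace before the first tag (a UTF-8 byte-order mark left by an editor is a common cause), (2) compiles each pattern key to catch regex syntax errors such as the unbalanced `)` in the first pattern of the post, and (3) applies the patterns to sample values the way ScriptProtect does, replacing each match with the `<string>` value. The packet is a constructed sample; the second pattern in it is a hypothetical replacement for the post's `\\3F\\27*(\=|\+)*`, which as written matches a literal backslash followed by `3F` (XML attribute values do not interpret backslashes, and a hex escape in a regex is `\x3F`, not `\3F`). Python's `re` stands in for the Java regex engine ColdFusion uses; the two agree on these patterns.

```python
"""Offline checks for a ColdFusion neo-security.xml CrossSiteScriptPatterns block.

Assumptions (not from the post or from ColdFusion): the packet below is a
constructed sample, the second pattern is a hypothetical one written for the
post's `'==alert(22)=='` and `'++alert(22)'` payloads, and Python's `re` is used
in place of the Java regex engine ColdFusion actually runs.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample packet: the envelope CF uses for neo-security.xml, holding
# CF's stock pattern and the hypothetical quote/equals/plus pattern.
SAMPLE_PACKET = """<wddxPacket version='1.0'><header/><data>
  <struct type="coldfusion.server.ConfigMap">
    <var name="CrossSiteScriptPatterns">
      <struct type="coldfusion.server.ConfigMap">
        <var name="&lt;\\s*(object|embed|script|applet|meta|iframe)\\b">
          <string>&lt;InvalidTag</string>
        </var>
        <var name="(?i)'\\s*[=+]*\\s*(alert|prompt|confirm|eval)\\s*\\(">
          <string>Inject</string>
        </var>
      </struct>
    </var>
  </struct>
</data></wddxPacket>"""

UTF8_BOM = b"\xef\xbb\xbf"


def check_prolog(raw: bytes) -> Optional[str]:
    """Describe anything that precedes the first '<', or return None if clean.

    The XML parser rejects non-whitespace content before the root element, which
    is what "Content is not allowed in prolog" at line 1, column 1 reports.
    """
    if raw.startswith(UTF8_BOM):
        return "UTF-8 byte-order mark before <wddxPacket>"
    head = raw.lstrip()
    if not head.startswith(b"<"):
        return "unexpected content before <wddxPacket>: %r" % head[:20]
    return None


def validate_pattern(rx: str) -> Optional[str]:
    """Return the compile error for a pattern key, or None if it compiles."""
    try:
        re.compile(rx)
    except re.error as exc:
        return str(exc)
    return None


def load_patterns(raw: bytes) -> List[Tuple[str, str]]:
    """Parse the packet and return (regex, replacement) pairs in file order."""
    problem = check_prolog(raw)
    if problem:
        raise ValueError("WDDX packet parse error at line 1, column 1: " + problem)
    root = ET.fromstring(raw)
    pairs = []
    for var in root.iterfind(".//var[@name='CrossSiteScriptPatterns']/struct/var"):
        repl = var.find("string")
        pairs.append((var.get("name", ""), repl.text if repl is not None and repl.text else ""))
    return pairs


def script_protect(value: str, patterns: List[Tuple[str, str]]) -> str:
    """Apply the patterns in order, replacing each match with its string value,
    the way ScriptProtect rewrites form/url/cgi/cookie values."""
    for rx, repl in patterns:
        value = re.sub(rx, lambda _m, r=repl: r, value)
    return value


def run_demo() -> dict:
    """Exercise the checks on the sample packet and on the post's two patterns."""
    posted = [r"\s*(object|embed|script|applet|meta|iframe))\b", r"\\3F\\27*(\=|\+)*"]
    patterns = load_patterns(SAMPLE_PACKET.encode("utf-8"))
    return {
        "bom_detected": check_prolog(UTF8_BOM + b"<wddxPacket version='1.0'/>"),
        "posted_pattern_errors": [validate_pattern(p) for p in posted],
        "posted_second_on_payload": script_protect("?'==alert(22)=='", [(posted[1], "Inject")]),
        "sample_on_tag": script_protect("<script>alert(1)</script>", patterns),
        "sample_on_payload": script_protect("?'==alert(22)=='", patterns),
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(key, "->", val)
```

Two things the run makes visible: the post's first pattern fails to compile because of the extra `)`, and its second pattern leaves `?'==alert(22)=='` untouched because it never contains a backslash. A pattern blacklist of this kind is easy to get around (URL encoding, unicode escapes, other function names), so treat CrossSiteScriptPatterns as defence in depth rather than as the fix for reflected input; output encoding at the point of use is what actually closes the hole.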
