Portcullis CFC breaking AJaX submitted form

Report · Sep 03, 2015

Hello, all,

Is anyone else, here, using the Portcullis CFC??

I've got a form that is submitting via AJaX, and as long as I have JavaScript stripping out malicious code, it works great. But if I disable the client-side validation/sanitization and allow Portcullis to detect malicious code, Portcullis is set to redirect to the root index page if it detects anything. (I have further server-side validation/sanitization, in case JS is disabled.)

Since my form is submitted via AJaX and uses output to display error/success messages to the DOM, Portcullis is loading the main page as the content to display within the DOM of the form page!!

I do NOT have the option of disabling or otherwise skirting using Portcullis. I've tried modifying the Application.cfc to check the cgi.http_referer - if a particular page is the referrer, don't redirect. It's redirecting, anyway.

Any solutions to this without disabling Portcullis?

V/r,

^_^

Report · Sep 03, 2015

Are you testing FORM or URL variables (or both)? Are you dumping (or emailing) the failed form/URL parameters so you can determine what may be triggering it? What type of redirect are you performing? (I'm returning a 403 error instead of redirecting.)

Report · Sep 04, 2015

Hi, Jamo‌,

I am testing both form and URL scopes. If anything is found, it doesn't email or anything, it just redirects to the /index.cfm page.

I know _what_ is triggering it - I'm testing by placing HTML tags and HTML entities into a textarea. But I need to figure a way to get it to display an error message if triggered by a specific cgi.http_referer. In the Application.cfc, there is a line:

<cfif session.redirect eq 1>
    <cflocation url="/" addtoken="no" />
</cfif>

I modified this to:

<cfif session.redirect eq 1>
    <cfif trim(cgi.http_referer) eq "formpage.cfm">
        Please correct the following: blah blah blah <cfabort>
    <cfelse>
        <cflocation url="/" addtoken="no" />
    </cfif>
</cfif>

.. but the root index page still appears within the DOM of the form page.

V/r,

^_^

Report · Sep 04, 2015

CGI.Referer can be spoofed, not passed by the browser or stripped by proxy. I wouldn't be entirely trustworthy of it except for during specific testing.

Do you know which rules are failing? You could create a copy of the portcullis.cfc, modify it to add some reporting and then use it during your personal session instead of the regular one.

Which version of ColdFusion and hosted OS are you using?

We had to write some exceptions for CKEditor HTML values, but we use JSoup to sanitize it to identify/remove non-approved HTML. It's extremely effective and no XSS or unsupported HTML tags or parameters are returned in the result. (I like this solution too because it allows me to rewrite HTML so that it's more compatible with all email HTML clients.)

JSOUP - How to get list of disallowed tags found in html?

http://stackoverflow.com/a/30822689/693068

AntiSamy is another possible solution to sanitize HTML, but I haven't used it.

https://www.petefreitag.com/item/760.cfm

or ESAPI4CF:

https://github.com/damonmiller/esapi4cf

Report · Sep 08, 2015

Thank you for replying. This is soon to be a non-issue. The decision has been reached (and I like to think I helped push it along) to kick Portcullis to the curb - mostly because the last version was released January 2010. I am now in the process of trying to implement the new ESAPI for sanitization. So, I'll now be posting a question in the forum related to that.

Thanks, and V/r,

^_^

Adobe Community

Portcullis CFC breaking AJaX submitted form

1 Correct answer