
You should in any case apply the scriptProtect security setting

Community Beginner, Sep 14, 2016


I have been testing out Global Script Protection at the CF Admin level (v9.01), but it does not appear to have any effect on the form-posted data.... or maybe I am not understanding what it can/should do.

With it on and if I post a form field with something like this entered:

Test<script>alert('hello');</script> 

On the resulting page I get a pop-up alert - I would expect Global Script Protection to stop this?

Restarted both IIS and the CF app, and the variable is not getting set at the application level.

I am looking for a simple way to add some XSS protection to a legacy CF app that has come across my desk. Lots of forms, and I do not have access to the source (encrypted).

Cheers!

Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

1 Correct answer

Community Beginner, Sep 15, 2016

Adding scriptprotect="all" to the Application.cfc does the trick... now entering something like <script>alert("hello");</script> in a form field ends up like <invalidtag>alert("hello");</script>.

Whereas Global Script Protection at the CF Admin level (v9.01) does nothing.

It's a start!

LEGEND, Sep 14, 2016


Drat.. if you were using CF10 or greater, I'd suggest using canonicalize() and then use CFQUERYPARAM for every variable within your SQL.  That would drastically reduce the risk of XSS and SQL-injection.

However, since you're using an older version, my only suggestion would be to find and download a library called Portcullis.  You can set it so that it will either A) throw an error if it finds something that doesn't belong, or B) give you a chance to sanitize inputs before going to the database.

But, to be honest, the best thing you can do is upgrade to AT LEAST CF10, so you can take advantage of canonicalize() and the ESAPI features that are new to CF10.

HTH,

^_^

Community Beginner, Sep 14, 2016


Thanks!  I will take the v10 upgrade recommendation to my client.

As I mentioned, the source is closed source (encrypted). Can Portcullis still be implemented, and are the features in v10 possible to implement in this situation?

And I guess back to my original question: why doesn't enabling Global Script Protection seem to do anything?

For others... looks interesting:

Portcullis | CodFusion

LEGEND, Sep 15, 2016


Not sure why ScriptProtect didn't do its job.  It should have stripped out the script tag and everything in between.  Do the logs show anything?

If the files were encrypted, they can be decrypted. Whoever encrypted them has the means to do so. Is this person holding the files hostage? I don't know if you can use a combination of encrypted and unencrypted files; I assume that if any files are encrypted, they all go through the same decryptor in order to be processed. Sorry I can't be of more help on that front.

The features in v10 are code, so you would have to have access to the unencrypted files in order to insert canonicalize() into the mix.

V/r,

^_^

Community Beginner, Sep 15, 2016


OK, thanks, I will have a look at the logs... I would really like to understand why script protect is not working.

This is a 3rd-party software web application ($), and I guess they don't want to share the source for 2 reasons: protecting their investment and not breaking the ability to upgrade as they release new versions.

You can run encrypted & unencrypted files.

LEGEND, Sep 15, 2016


With the files being a third-party solution, and thusly encrypted, even Portcullis can't help you, because you have to modify the Application.cfc to scan the form, url, and cookie scopes.

This places all the burden of security squarely on the shoulders of said third-party.  If they can't code for security, but they encrypt everything they put out, then they are worthy of being dropped and replaced by someone who can do the code, for you.

Just my two cents.

V/r,

^_^

Community Beginner, Sep 15, 2016


Totally agree... There are more recent versions we can update to that may resolve these issues, but we are looking for a short-term/quick fix, and since scriptProtect appears to do nothing I think I will look at Portcullis via Application.cfc (if I can unencrypt it).

LEGEND, Sep 15, 2016


I'm not sure how that would work, honestly. You'd have to unencrypt the .cfm file(s), make changes, then re-encrypt using the same key. I think only the developers have that ability. I mean, you _could_ build a server farm of 20 or 30 servers to run unencryption algorithms on the files, but who knows how long that could take.

Unfortunately, with the third-party that created your turnkey solution, I don't think there are any immediate workarounds for your issue.  Unless someone else can think of something that I'm just blind to.

V/r,

^_^

Community Beginner, Sep 15, 2016


Thanks again for your feedback and Portcullis recommendation!

You don't have to re-encrypt... I have done this in the past and it works fine, and actually the developer includes a few unencrypted files with the original distribution. Having said that, I would only want to deal with Application.cfc; otherwise it's way too much to re-work.

I guess I still can't mark this thread correct or closed as the original question remains.

LEGEND, Sep 15, 2016


codeshed wrote:

I guess I still can't mark this thread correct or closed as the original question remains.

Up to you.  Good luck with the Portcullis.  It hasn't been updated in years, but it still works quite well for CF9 and earlier.

V/r,

^_^

Community Expert, Sep 15, 2016


As you have discovered, the setting for script-protection is (in Application.cfc):

this.scriptProtect="all"; /* Alternative values are "none" or a comma-delimited list of the scopes you wish to protect */

There is a risk if you fill in a wrong value. Remember that, here, as with most other ColdFusion settings, the value that you set within the application overrides that of the ColdFusion Administrator. Filling in the wrong value in Application.cfc may therefore make the setting ineffective. That is perhaps what happened.

Community Expert, Sep 15, 2016


WolfShade wrote:

But, to be honest, the best thing you can do is upgrade to AT LEAST CF10, so you can take advantage of canonicalize() and the ESAPI features that are new to CF10.

Just for information: you can apply canonicalize in ColdFusion 8 and 9. For example,

<cfset strText = 'Hello, world. This is the &lt;strong&gt;greatest&lt;/strong&gt; example in the world.' />
<!--- Instantiate the ESAPI object. --->
<cfset objESAPI = createObject("java","org.owasp.esapi.ESAPI") />
<!--- Assign the Encoder class to a new variable. --->
<cfset objEncoder = objESAPI.encoder() />
<!--- Canonicalize the provided string. --->
<cfset strText = objEncoder.canonicalize(strText, false) />
canonicalized: <cfoutput>#strText#</cfoutput>

See Canonicalize Method in ColdFusion 8 and ColdFusion 9 || Matt Gifford - Monkeh Works Ltd

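Why validation should run on the canonicalized form of the input, shown as an added Python example (it is not the thread's CFML and not ESAPI's own code): canonicalize() approximates what ESAPI's Encoder.canonicalize(input, strict) does using HTML-entity and percent decoding, SCRIPT_TAG is the object/embed/script/applet/meta pattern scriptProtect uses (quoted later in this thread), and SAMPLE is the string from the post above.

```python
import html
import re
from urllib.parse import unquote

# The object/embed/script/applet/meta pattern scriptProtect uses (quoted later in this
# thread); used here only to show what a check sees before and after canonicalization.
SCRIPT_TAG = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)

# The sample string from the post above.
SAMPLE = "Hello, world. This is the &lt;strong&gt;greatest&lt;/strong&gt; example in the world."


class IntrusionDetected(Exception):
    """Raised in strict mode when the input had to be decoded more than once."""


def canonicalize(value, strict=True, max_passes=8):
    """Decode HTML entities and percent-encoding until the string stops changing.

    Approximates ESAPI's Encoder.canonicalize(input, strict): in strict mode, input that
    needed more than one decoding pass (double or mixed encoding) is rejected.
    """
    passes = 0
    changed = True
    while changed and passes < max_passes:
        changed = False
        for decode in (html.unescape, unquote):
            decoded = decode(value)
            if decoded != value:
                value, changed, passes = decoded, True, passes + 1
    if strict and passes > 1:
        raise IntrusionDetected("input was encoded more than once")
    return value


def is_double_encoded(value):
    """True when strict canonicalization rejects the input."""
    try:
        canonicalize(value, strict=True)
    except IntrusionDetected:
        return True
    return False


def looks_like_script_tag(value, canonicalize_first=True):
    """Validation check. Run on the raw string it never sees an entity-encoded tag; run on
    the canonical form it does, which is why the check should follow canonicalize()."""
    if canonicalize_first:
        value = canonicalize(value, strict=False)
    return SCRIPT_TAG.search(value) is not None
```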
Community Beginner, Dec 12, 2016


Trying to further secure the app, but I only have access to some of the source code.... Adding scriptprotect="all" to the Application.cfc catches some XSS options, but things like this entered into a text field don't get caught by default:

1234" style="background:expression(alert(1345))

Adjusting the neo-security.xml to something like this helps, but I am sure there are other ways to inject undesirable stuff in to form fields:

<struct type='coldfusion.server.ConfigMap'>
  <var name='&lt;\s*(object|embed|script|applet|meta|iframe)'>
    <string>&lt;InvalidTag</string>
  </var>
  <var name='style=|iframe|:expression|script|src|}|{'>
    <string>++</string>
  </var>
</struct>

Ideally I would like the regular expressions to clear the string if they find anything they don't like, but it seems these settings only do a direct replace.

Anyone have a better idea of how these settings work?

PS - I don't think I can introduce "canonicalize" mentioned above, as I don't have source code access to the various forms.

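The replace-only behaviour the last post describes, modelled in Python as an added example (not code from the thread or from ColdFusion): XSS_PATTERNS mirrors the two patterns in the neo-security.xml excerpt above, the two inputs are the ones posted in this thread, and the block also shows the "clear the string" variant the poster asks for next to the output-encoding approach that does not depend on a block list at all.

```python
import html
import re

# Pattern/replacement pairs in the order the neo-security.xml excerpt above lists them
# (constructed to mirror that excerpt; matching is case-insensitive, as scriptProtect's is).
XSS_PATTERNS = [
    (re.compile(r"<\s*(object|embed|script|applet|meta|iframe)", re.IGNORECASE), "<InvalidTag"),
    (re.compile(r"style=|iframe|:expression|script|src|\}|\{", re.IGNORECASE), "++"),
]

# Inputs quoted in this thread.
SCRIPT_TAG_INPUT = "Test<script>alert('hello');</script>"
ATTR_INJECTION_INPUT = '1234" style="background:expression(alert(1345))'


def script_protect(value, patterns=XSS_PATTERNS):
    """Model of scriptProtect: each pattern is a plain substitution; nothing is ever rejected."""
    for pattern, replacement in patterns:
        value = pattern.sub(replacement, value)
    return value


def reject_if_matched(value, patterns=XSS_PATTERNS):
    """The 'clear the string' behaviour the last post asks for: blank the value on any hit.
    Collateral damage: the second pattern also hits ordinary words such as 'description'."""
    for pattern, _ in patterns:
        if pattern.search(value):
            return ""
    return value


def render_attribute(value):
    """Output encoding for an HTML attribute context (what encodeForHTMLAttribute or
    htmlEditFormat does in CFML): the quote that would close the attribute becomes &quot;,
    so the injected style= text is displayed rather than interpreted, with no block list."""
    return 'value="%s"' % html.escape(value, quote=True)


if __name__ == "__main__":
    for value in (SCRIPT_TAG_INPUT, ATTR_INJECTION_INPUT, "job description"):
        print("stock   :", script_protect(value, XSS_PATTERNS[:1]))
        print("extended:", script_protect(value))
        print("rejected:", repr(reject_if_matched(value)))
        print("encoded :", render_attribute(value))
```

Running the block with only the first pattern (XSS_PATTERNS[:1]) leaves the attribute-injection input untouched, which is the behaviour the poster observed before adding the second pattern.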