I am getting the ScriptProtect "error replacing insecure tag in scope CGI" error. This was brought up two other times in the history of the forum. Additionally, it has not been truly addressed over the web. The problem that I am having is that the way that this is being addressed is very cursory. We all know that this can happen when ScriptProtect=all is turned on in the <cfapplication> tag. The problem is that this is not related to the lib/neo-security.xml file. It can be resolved by removing the scriptprotect attribute, but we need this attribute for help with XSS attacks. I am running this on our site and thought that it could have been something that I was passing in the URL, but that is not the case. In fact, after removing all of the query string and just calling the website directly after receiving that error, the error persists. It doesn't go away until I refresh the home page, close my browser or clear my cache.
The problem remains that when I go to a page and pass certain values (which are not XSS related and are not filtered out by the lib/neo-security.xml file), I still get this error. Where is this error generated? Why does it reference the CGI scope of all things? How can this be resolved without removing the scriptprotect attribute?
Sincerely,
Braden Lake
Does anybody have an answer to this?
Braden Lake wrote:
Does anybody have an answer to this?
Nope.
Answer to what? What error did you actually get?
The only insight I can give is as to why the CGI scope may be called. The CGI scope includes data provided to the web server by the browser and is just as vulnerable to XSS modification by hackers as GET and POST data. In fact, cgi.query_string is a copy of any GET data provided as URL parameters.
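To illustrate the point made in this reply, here is an added example (not ColdFusion's own code, and not from anyone in this thread) that mimics what a ScriptProtect-style filter does when it is run over every request scope, CGI included. The tag list and regular expression are assumptions modelled on the documented behaviour (a matching opening tag is replaced with "<InvalidTag"); the real pattern lives in lib/neo-security.xml. The sample request is constructed: the same value appears in url.q and in cgi.query_string, which is why a filter can report a hit in the CGI scope even though the offending input arrived as a URL parameter.

```python
import re
from typing import Dict, List, Tuple

# Assumed approximation of the ScriptProtect pattern; the real one is read
# from lib/neo-security.xml and may differ in detail.
INSECURE_TAG = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
REPLACEMENT = "<InvalidTag"


def protect_value(value: str) -> Tuple[str, bool]:
    """Rewrite any insecure opening tag in a single value.

    Returns the rewritten value and whether anything was replaced.
    Only opening tags are touched; a closing '</script>' is left alone,
    which is enough to stop the browser from executing the block.
    """
    rewritten, count = INSECURE_TAG.subn(REPLACEMENT, value)
    return rewritten, count > 0


def protect_scopes(scopes: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Apply protect_value to every variable in every scope.

    scopes maps a scope name (url, form, cgi, ...) to its variables.
    Returns the cleaned scopes plus a list of 'scope.variable' names
    that were modified, in the order they were encountered.
    """
    cleaned: Dict[str, Dict[str, str]] = {}
    hits: List[str] = []
    for scope_name, variables in scopes.items():
        cleaned[scope_name] = {}
        for key, value in variables.items():
            rewritten, hit = protect_value(value)
            cleaned[scope_name][key] = rewritten
            if hit:
                hits.append(f"{scope_name}.{key}")
    return cleaned, hits


# Constructed sample request: the query string is mirrored into the CGI
# scope by the web server, so the same input is seen twice.
SAMPLE_REQUEST: Dict[str, Dict[str, str]] = {
    "url": {"q": "<script>test</script>"},
    "form": {"comment": "plain text, no tags"},
    "cgi": {
        "query_string": "q=<script>test</script>",  # copy of the GET data
        "http_user_agent": "Mozilla/5.0 (constructed)",
    },
}


if __name__ == "__main__":
    cleaned, hits = protect_scopes(SAMPLE_REQUEST)
    for name in hits:
        scope, key = name.split(".", 1)
        print(f"replaced insecure tag in scope {scope.upper()}: {key} -> {cleaned[scope][key]!r}")
```

Running it reports a replacement in both URL and CGI for the same input. When investigating an error that names the CGI scope, the variables worth logging are the browser-supplied ones (query_string, the HTTP_* headers), since those are the values such a filter is inspecting.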
You could try Portcullis instead of the built-in XSS system in the CF Server. http://portcullis.riaforge.org/
What value did you set scriptprotect to?