6 Replies Latest reply on Apr 10, 2015 6:51 AM by Dave Ferguson

    Need help understanding security scan results.

    BreakawayPaul Level 2

      My agency recently started using HP's Fortify Scan tool, which is designed to scan CF code directly, rather than the rendered page.  The scanner always seems to flag our pages for a certain error when I use the following code (used to create a PDF on the fly):

      <!--- pdffile is built earlier on the page from what the user requested --->
      <cfheader name="Content-Disposition" value="attachment;filename=#pdffile#">
      <cfcontent type="application/octet-stream" file="#expandPath('.')#\#pdffile#" deletefile="Yes">

      The first line (the cfheader tag) is line 299 in my code.

      I'm basically generating a filename elsewhere on the page that's based on what a user is requesting, then using the code above to create a downloadable PDF of that file.


      The error is:

      Header Manipulation (Input Validation and Representation, Data Flow)

      The file myfile.cfm includes unvalidated data in an HTTP response header on line 299.  This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.


      I'm thinking there's one of two potential issues.

      1. expandpath() is exploitable
      2. The scanner is programmed to flag any variable passed to a cfheader tag.

      Any thoughts?
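As an added example (not code from the original post, from Adobe or from HP), here is the same download step rewritten so that the user-derived name is validated before it reaches cfheader and cfcontent. The finding quoted above is a data-flow one: a value that originates in the request (the filename built from what the user asked for) reaches a response header with no validation on the way, which is what would let a CR or LF inside the value start a second header line; the same unvalidated value in the file attribute also lets a name containing ".." or a path separator reach files outside expandPath('.'). The parameter name url.doc, the ./pdfs directory and the 64-character limit are assumptions made for the example.

```cfml
<!--- Added example, not from the original post. Assumes the requested document
      name arrives as url.doc and that generated PDFs live under ./pdfs. --->
<cfparam name="url.doc" type="string" default="">

<!--- Allow only a plain base name ending in .pdf: no slashes, backslashes,
      "..", quotes or control characters such as CR/LF can pass this pattern,
      so nothing can reach the header line or escape the directory.
      reFind returns 0 when the pattern does not match. --->
<cfset safeName = trim(url.doc)>
<cfif NOT reFind("^[A-Za-z0-9_-]{1,64}\.pdf$", safeName)>
    <cfheader statusCode="400" statusText="Bad Request">
    <cfoutput>Invalid document name.</cfoutput>
    <cfabort>
</cfif>

<!--- Build the path from a fixed directory plus the validated base name only,
      never from a raw request value. --->
<cfset pdfDir = expandPath("./pdfs")>
<cfset fullPath = pdfDir & "/" & safeName>

<cfif NOT fileExists(fullPath)>
    <cfheader statusCode="404" statusText="Not Found">
    <cfabort>
</cfif>

<!--- Quote the filename and declare the real MIME type. The header now carries
      the validated safeName rather than the raw user-derived value. --->
<cfheader name="Content-Disposition" value="attachment; filename=""#safeName#""">
<cfcontent type="application/pdf" file="#fullPath#" deletefile="yes">
```

Whether Fortify recognises the reFind check as a cleanse depends on the rulepack in use; the check itself is what closes the header-injection and path-traversal paths, independent of what the scanner reports.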