4 Replies Latest reply on Aug 17, 2015 10:11 AM by Steve Sommers

    Acunetix Web Vulnerability Scanner 10.0 deems the yui javascript included in CF 11 as vulnerable

    spradhan

      Is there any way to clean these javascript files?


      /cfide/scripts/ajax/yui/animation/animation-min.js

      /cfide/scripts/ajax/yui/calendar/calendar-min.js

      /cfide/scripts/ajax/yui/yahoo-dom-event/yahoo-dom-event.js

      [Attached screenshots: acunetix1.JPG, acunetix2.JPG]

      CVE-2010-4710 : Cross-site scripting (XSS) vulnerability in the addItem method in the Menu widget in YUI before 2.9.0 al…
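A quick way to answer "which of these files is actually below the fixed version?" is to read the version stamp out of each file rather than trusting the scanner's signature match. The script below is an added example for this thread, not code from the original post, Adobe or Acunetix. It assumes that the YUI 2 builds under /cfide/scripts/ajax/yui/ carry a `version: x.y.z` line in their leading license comment (an assumption; a build with the header stripped is reported as "unknown" so it can be inspected by hand), and it uses 2.9.0 as the threshold because that is the version the CVE entry quoted above names as the fix. The file contents are constructed sample inputs; `loadYuiDir` shows how to build the same map from a real install.

```javascript
// Added example (not from the forum thread): flag bundled YUI 2 files whose
// header version is older than the fix version named in the CVE text above.

const FIXED_IN = '2.9.0'; // taken from the CVE summary quoted in the thread

// Pull "version: 2.7.0" out of the leading license comment. YUI 2 builds are
// assumed to carry that line; a build like "2.8.2r1" yields "2.8.2".
// Returns null when no version line is present.
function parseYuiVersion(source) {
  const header = source.slice(0, 2000); // the license block sits at the top
  const m = /version:\s*(\d+\.\d+\.\d+)/i.exec(header);
  return m ? m[1] : null;
}

// Component-wise numeric comparison: -1, 0 or 1. A plain string comparison
// would wrongly rank "2.10.0" below "2.9.0".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// files: { path: fileContents }. Returns one record per file with a verdict.
function auditYuiFiles(files, fixedIn = FIXED_IN) {
  return Object.entries(files).map(([path, source]) => {
    const version = parseYuiVersion(source);
    let status;
    if (version === null) status = 'unknown';          // no header: inspect by hand
    else if (compareVersions(version, fixedIn) < 0) status = 'vulnerable';
    else status = 'ok';
    return { path, version, status };
  });
}

// Build the same { path: contents } map from a real install, e.g.
// loadYuiDir('/opt/coldfusion11/cfusion/wwwroot/CFIDE/scripts/ajax/yui').
// Not called by default so the example runs offline on the sample data.
function loadYuiDir(dir) {
  const fs = require('fs');
  const path = require('path');
  const out = {};
  const walk = (d) => {
    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, entry.name);
      if (entry.isDirectory()) walk(p);
      else if (p.endsWith('.js')) out[p] = fs.readFileSync(p, 'utf8');
    }
  };
  walk(dir);
  return out;
}

// Constructed sample inputs standing in for the files the scanner flagged.
const SAMPLE_FILES = {
  '/cfide/scripts/ajax/yui/calendar/calendar-min.js':
    '/*\nCopyright (c) 2009, Yahoo! Inc. All rights reserved.\nversion: 2.7.0\n*/\n(function(){})();',
  '/cfide/scripts/ajax/yui/animation/animation-min.js':
    '/*\nCopyright (c) 2011, Yahoo! Inc. All rights reserved.\nversion: 2.9.0\n*/\n(function(){})();',
  '/cfide/scripts/ajax/yui/yahoo-dom-event/yahoo-dom-event.js':
    '/*\nCopyright (c) 2010, Yahoo! Inc. All rights reserved.\nversion: 2.8.2r1\n*/\nif(typeof YAHOO=="undefined"){var YAHOO={};}',
  '/cfide/scripts/ajax/yui/stripped/unknown-min.js':
    '/* header removed by a build step */\nvar x=1;',
};

for (const r of auditYuiFiles(SAMPLE_FILES)) {
  console.log(`${r.status.padEnd(10)} ${(r.version || '-').padEnd(8)} ${r.path}`);
}
```

Run it with `node audit-yui.js`; the output lists one line per file with `vulnerable`, `ok` or `unknown`. An `unknown` result means the header is gone, so the version has to be confirmed another way (for example by diffing the file against a known YUI release) before deciding whether the scanner finding is a false positive.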

        • 1. Re: Acunetix Web Vulnerability Scanner 10.0 deems the yui javascript included in CF 11 as vulnerable
          ArminMazariegos

          Hello,


          This is also a problem for us. We are in the process of getting a security certification, and the fact that YUI 2 is deprecated (Announcing YUI 2.9.0) is causing us problems. Essentially, the certifying company claims that having a deprecated JavaScript library makes our application highly vulnerable.


          Can you advise as to what you see as a comprehensive solution for us?

          • 2. Re: Acunetix Web Vulnerability Scanner 10.0 deems the yui javascript included in CF 11 as vulnerable
            Steve Sommers Level 4

            Our scanners have not flagged us with this one yet, as we have very limited use of CF11 thus far, but I imagine it will be an issue for us in the very near future. Worst case, you should be able to download the latest YUI and install it to the scripts folder (or scripts/ajax -- I'm not familiar with the YUI install path).

            • 3. Re: Acunetix Web Vulnerability Scanner 10.0 deems the yui javascript included in CF 11 as vulnerable
              ArminMazariegos Level 1

              Hi, I wish we had an option to upgrade from YUI 2 to YUI 3 just by replacing some files. Let me give you an example.


              1. CFTOOLTIP is mainly generated from this file: \CFIDE\scripts\ajax\package\cftooltip.js. Refer to line 32.

              2. Line 32 of this file reads: YAHOO.util.Event.addListener(_580.context,"mouseout",ColdFusion.Tooltip.setToolTipOut,{"tooltip":_581});

              3. In YUI 3 the syntax is different: the equivalent of "addListener" in YUI 3 is "YUI.on".

              4. Hence the effort to migrate from YUI 2 (year 2007) to YUI 3 has to touch CF files which are important components of CF.

              5. This is to say that this issue also impacts cftree, cfajax, cfautosuggest, cfcalendar and cfmenu.


              We are considering creating our own tags (cf_) to replace these features fully, as we do not see an easy patch for this.


              Also note that ColdFusion uses other script frameworks (for example EXTJS version 4.2, even though EXTJS is currently at version 6).


              It also uses jQuery and jQuery UI. jQuery is outdated as well, but that is an easy replacement you can do.


              We truly believe ColdFusion needs to centralize all the scripts and prevent the mix-up of frameworks, so that migrations like this are easier to do. For now, we are better off not using the UI gadgets that come out of the box with CF. CF 12 needs to consider this scripting nightmare and, for example, partner solely with EXT JS.


              Hope the above clarifies.

              • 4. Re: Acunetix Web Vulnerability Scanner 10.0 deems the yui javascript included in CF 11 as vulnerable
                Steve Sommers Level 4

                The cf_ replacement idea is something we played around with in the past for a different issue but we found it time consuming and too difficult to support. If you go this route, hopefully you'll have better luck. The route we chose was to not use any CF tags that generate client side javascript. We instead write all the client side stuff ourselves using whatever libraries we decide to standardize on; not what Adobe decides on.