10 Replies Latest reply on Dec 21, 2015 9:40 AM by Carl Von Stetten

    Cross Site Scripting bug with cfparam?

    Musella

      This is really strange.

I got a message from xssposed.org that my website is vulnerable to cross-site scripting. They gave me a URL in which a specially crafted URL variable causes a pop-up alert on my website.

      I narrowed it down to cfparam.

      Create a file that just has:

      <cfparam name="video" default="1" type="integer">

      Name the file test.cfm

      Upload it and go to your website:  xxxxx.com/test.cfm?video=%22%3E%3Csvg/onload=prompt(/XSS/)%3E

      It is seen best using firefox.


This website is running an old version of ColdFusion, 8.01 (it is for a small cancer charity that can't afford to upgrade). I also maintain a few websites on a server that is running ColdFusion 10 Enterprise, so I tried it there also and the same thing happens.


If I replace type="integer" with type="any" it doesn't happen.

Does this happen on the current version of ColdFusion? The admin option for "enable global script protect" is enabled.

        • 1. Re: Cross Site Scripting bug with cfparam?
          Musella Level 1

I figured out what is happening. This is bizarre. The cfparam tag triggers an error which generates a ColdFusion error page that says: The value specified, "><svg/onload=prompt(/XSS/)>", must be a valid integer.

When that is displayed in Firefox, it executes JavaScript.

          Then I have site-wide error handling that switches you to the custom error page but the coldfusion error page displays for a fraction of a second, long enough to fire off that javascript.

          Any way to stop that?

          • 2. Re: Cross Site Scripting bug with cfparam?
            BKBK Adobe Community Professional & MVP

            You should in any case apply the scriptProtect security setting.


            In Application.cfm:

            <cfapplication scriptProtect="all">


            In Application.cfc:

            <cfcomponent>

                <cfset this.scriptProtect="all">

            </cfcomponent>

            • 3. Re: Cross Site Scripting bug with cfparam?
              Musella Level 1

Thanks, but as I said above, the global script protect is turned on in the Administrator. I assume that means I do not have to do it in the application file also?

              • 4. Re: Cross Site Scripting bug with cfparam?
                BKBK Adobe Community Professional & MVP

                Ah, I see it now. My suggestion is equivalent to enabling scriptProtect in the Administrator. That should be enough protection against the cross-site scripting that you describe.

                • 5. Re: Cross Site Scripting bug with cfparam?
                  Musella Level 1

                  No - you missed it. Let me explain again:

                  (This happens in cf 8 and 10 - not sure if 11.  And with script protect enabled)

If you just have a cfparam tag with type="integer" and pass it something that is not an integer, you get an error page that displays the invalid URL parameter. If that URL parameter is a script, it gets executed.

If you have a custom error page in place, that ColdFusion error page still gets sent to the browser for a fraction of a second - just long enough to execute the script - before the custom error page is displayed.

In the example I showed above, you can't see it in Chrome, but in Firefox you will see an alert box show up for about a second. You may have to do it a few times to see it (or, to make it easy, turn off the custom error pages and the alert stays on the screen).

                  • 6. Re: Cross Site Scripting bug with cfparam?
                    pete_freitag Adobe Community Professional

                    ScriptProtect is a very minimal XSS protection.


                    The default error pages for CF10-11 should be properly encoded to prevent XSS (using encodeForHTML for example). Older versions of CF did have some issues with not properly encoding error messages in the default error template, but those were patched in security hotfixes to the best of my knowledge. Make sure you have applied all the updates.


It is not my experience that CF's default error page will show for a second and then redirect to your own custom error page - so that is probably specific to your setup (are you talking about the IIS error page, perhaps?).


                    The way to get around this is to add a value to the "

                    • 7. Re: Cross Site Scripting bug with cfparam?
                      Steve Sommers Level 4

The problem is that you do not have an error trap configured and you're relying on the default CF and/or web server error pages. The later CF versions and newer IIS (if that is your web server) have better default error pages to prevent XSS attacks like this, but IMHO you still should not be relying on default error traps. Write your own, log the errors, display user-friendly pages when errors occur, maybe send email alerts on certain thresholds, etc. Research CFERROR and/or the Application.cfc onError event.
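Putting the two suggestions from this thread together (encode anything that lands in an error page, and trap errors in Application.cfc instead of relying on the default template), here is an added example. It is not code posted by anyone in the thread or shipped by Adobe; the file names, the application name and the use of the url scope are assumptions, and encodeForHTML() requires CF10 or later (on CF8 the nearest equivalent is htmlEditFormat()).

```cfml
<!--- ================================================================
      Application.cfc (constructed example, not from the thread)
      Central error trap: the raw, attacker-controllable message is
      logged server-side and HTML-encoded before it reaches a browser.
      ================================================================ --->
<cfcomponent output="false">
    <cfset this.name = "cfparamXssDemo">   <!--- assumed application name --->
    <cfset this.scriptProtect = "all">     <!--- keep the built-in filter, but do not rely on it alone --->

    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" type="any"    required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- Keep the unencoded detail for triage in the log, never in the response --->
        <cflog file="app_errors" type="error"
               text="[#arguments.eventName#] #arguments.exception.message# | #arguments.exception.detail#">

        <!--- Generic page. If the message must be shown at all, it goes through an
              encoder: encodeForHTML() on CF10+, htmlEditFormat() on CF8/9. --->
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput>
            <!DOCTYPE html>
            <html><body>
            <h1>Something went wrong</h1>
            <p>Detail: #encodeForHTML(arguments.exception.message)#</p>
            </body></html>
        </cfoutput>
    </cffunction>
</cfcomponent>

<!--- ================================================================
      test.cfm (constructed example): validate the parameter yourself
      so a non-integer never reaches cfparam's type check at all.
      ================================================================ --->
<cfif structKeyExists(url, "video") and not isValid("integer", url.video)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>The video parameter must be a whole number.</p></cfoutput>
    <cfabort>
</cfif>
<cfparam name="url.video" default="1" type="integer">

<!--- Even a validated value is encoded when written into HTML --->
<cfoutput><p>Showing video #encodeForHTML(url.video)#</p></cfoutput>
```

With the onError handler in place, a cfparam type failure is still raised, but the page the browser receives is the handler's output, with the offending value encoded, rather than the default template. The isValid() check in test.cfm is the belt to that braces: it answers a malformed request with a 400 and a fixed message, so there is no error at all for the handler to reflect. Neither part changes what IIS or another front-end web server returns for its own error conditions, which is the separate possibility raised above.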

                      • 8. Re: Cross Site Scripting bug with cfparam?
                        BKBK Adobe Community Professional & MVP

                        Musella wrote:


                        No - you missed it. Let me explain again:

                        (This happens in cf 8 and 10 - not sure if 11.  And with script protect enabled)

If you just have a cfparam tag with type="integer" and pass it something that is not an integer, you get an error page that displays the invalid URL parameter. If that URL parameter is a script, it gets executed.

If you have a custom error page in place, that ColdFusion error page still gets sent to the browser for a fraction of a second - just long enough to execute the script - before the custom error page is displayed.

In the example I showed above, you can't see it in Chrome, but in Firefox you will see an alert box show up for about a second. You may have to do it a few times to see it (or, to make it easy, turn off the custom error pages and the alert stays on the screen).

Sorry, I could only test the issue on ColdFusion 11, as it is the version I have. The result was an error ("Invalid parameter type"), and no JavaScript execution.


You should please report a bug. (For ColdFusion 10; Adobe no longer supports CF8.)

                        • 9. Re: Cross Site Scripting bug with cfparam?
                          Musella Level 1

Thanks for the responses. Since it doesn't happen in the latest version of ColdFusion, I will drop it.

I worked around it on my website on CF8. It is using custom error pages, but the default error page does seem to fire for a split second, long enough for the problem.

I tried to make sure the server is patched but can't find version 8 patches anymore. Anyone happen to have a copy of them? What was the last fully patched version?

                          • 10. Re: Cross Site Scripting bug with cfparam?
                            Carl Von Stetten Adobe Community Professional & MVP

                            There's a community archive of ColdFusion installers and hotfixes here: http://www.gpickin.com/cfrepo/


                            -Carl V.