
Browse text file within CF to determine if there are any <scripts>'s inside

Participant, Jan 19, 2010

We have run into a security situation where we need to browse through all text files that users are going to load into an Attachments directory using <cffile> before we allow anyone to have access to these files because of the danger of cross site scripting (xss). 

We have tested the potential for something like “<cfscript> document.location.replace(“http://www.badsite.com”) </cfscript>” being run within a browser when the user opens the file in their browser, moving the user to this site, which could open them up to downloading a Trojan onto their PC. This just happened to him a couple of few weeks ago and his hard drive was destroyed. (I suppose there is a way to block xss within IE, FireFox, etc., but I can’t count on every user having xss blocked so I have to do it for them.)

Although I haven’t done it yet, it appears that you can use the <cfloop> function to open a file and loop through it line by line so that you could process this file in CF 8 to ensure that “<cfscript>” is not contained anywhere within the file.  I’m going to do a proof of concept later today or tomorrow.  If this works, then I’m OK for all my systems that run CF8 or CF9, but that is it. 

What I really need is a way that would be compatible with previous versions of CF as well. My first instinct was to try something with the FileOpen function within <cfscript> but there does not seem to be any way to easily parse a file once I have it open in <cfscript>. I’ve done a ton of JavaScript code and I know that <cfscript> is somewhat of a subset of that, but the documentation I’ve found on <cfscript> is so poorly written as to be almost useless. (Forta’s CF8 books give it very short shrift even in the downloadable PDF.)

Does anyone know of a third way to do this that would be compatible with CF6 through CF9???

Thank you in advance for your suggestions.

:-}

Len

TOPICS
Advanced techniques

LEGEND, Jan 19, 2010

First, cfscript and script are completely different.  The former runs cfml on the server and the latter runs js or something on the client.

Reading every file and looking for script tags seems pretty simple.  cfdirectory gets you started.  cffile is next.  Finally, there is that handy dandy contains function in cf.

Valorous Hero, Jan 19, 2010

"use the <cfloop> function to open a file and loop through it line by line so that you could process this file in CF 8"

You can do that in earlier versions as well. It just requires a few extra steps. Read the file into memory. Then loop through it like a list, delimited by new line characters (i.e. chr(10) and/or chr(13)). It is slightly less efficient than the CF8 method, as you are reading the whole file into memory at once. But the overall concept is the same.

Engaged, Jan 20, 2010

You may want to check out http://portcullis.riaforge.org/  it is an open source project that will scan any number of security vulnerabilities.  It doesn't directly scan files but I am sure you can use that code to create a new function and pass in the content of the file to it.

Participant, Jan 20, 2010

Joshua,

     Thanks for the suggestion.  I've already adapted code within Portcullis to build a URL Validator; i.e., detect semicolons and < and > that have been inserted in a URL.  I suppose I could work something out, but I think combining <cfloop> using the CF8 file read mode and the cf REreplace and FindNoCase functions will enable me to do what I need to do -- detect the presence of all possible variants on "<script>" buried within a text file.  While the cffile option would probably work with small text files, it wouldn't be a satisfactory solution for files larger than probably 100k.  The bottom line will have to be that I just go forward using CF8 & CF9 and forget about backward compatibility.

     Thanks to everyone for your suggestions.

:-}}}

Len 

Valorous Hero, Jan 20, 2010

"The bottom line will have to be that I just go forward using CF8 & CF9 and forget about backward compatibility."

You can get similar functionality under MX7 using a bit of java. But it is strictly do it yourself. It is not difficult, but it would require createObject() access.

Advocate, Jan 20, 2010

You are basically trying to prevent cross site scripting and it is a little more complicated than simply looking for the <script> tags. There are a few tags that can be tweaked to produce the same result. Here are a couple of examples starting with your original example:

<script>document.location.replace("http://badsite.com")</script>

<a href="#" onmouseover="http://badsite.com">Whatever you do, don't put the mouse here!</a>

<img src="javascript:document.location.replace('http://badsite.com')" />

There are others. I had to write my own CFX tag to filter this crap. My code was based on the Legitima HTML Parser (http://www.legitima.com) but I have no idea if they are even in business anymore (I'm looking at comments in code that is almost 10 years old).

Anyway, I only mention this so you will realize that the project might be much bigger than you think. I would try Googling "coldfusion safe html filter" or other variations. I would not be surprised if there is a JAVA component out there that does this sort of stuff.

Also keep in mind that depending on how the data is presented, it may be possible to URL or HTML encode the < and > signs and the net result might be unwanted execution of script code.

Participant, Jan 22, 2010

You're right when you say that there are always going to be new things out there.  Since I can barely spell "xss", I'm deeply concerned that some new thing is going to pop that I have no idea about and since I have truly taken a simplistic view of this matter, I'll look into the legitima.com offering.  Would you be willing to share the CFX tag that you wrote?

Onto a more pressing matter.  I have written a CFC that parses the file in my simplistic fashion and returns either pass or fail.  If it fails, I use a <cffile> delete to remove the file from the server where it has been uploaded using <cffile>.  This call fails because the file "is locked by another user" for some amount of time, which I haven't been able to determine.  I'm assuming that CF (<cfloop>) is holding onto it, but I don't know that.

I have not been able to find a complete description of the <cfloop> file function -- not in Forta's CF8 book or online.  I have found bits and pieces, things such as "From" and "Char" methods that exist.  I don't know whether these are undocumented features or if they came out after the book was published.  So here is my question.  What I’m wondering is if there is a way to close the file within the <cfloop> so that the file will be released as soon as the <cfloop> finishes.

Thanks again to all of you who have pitched in here.

:-}}}

Len
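
An added example, not code from any participant in this thread: a line-by-line scan for the three vectors listed in the Advocate reply above (script tags, inline event handlers, javascript: URIs), with encoded angle brackets normalised first, using the CF8 file functions so the handle is closed explicitly before the delete that the last post describes. The function name isSuspectUpload, the pattern list and the sample path are assumptions made for illustration; a deny-list like this covers only the cases it names and matches one line at a time.

```cfml
<!--- Added example (not from the thread). isSuspectUpload and the sample path are hypothetical. --->
<cffunction name="isSuspectUpload" returntype="boolean" output="false">
    <cfargument name="path" type="string" required="true">
    <cfset var fileObj = "">
    <cfset var line = "">
    <cfset var suspect = false>
    <!--- Constructed deny-list covering only the three vectors shown in the thread:
          script tags, on* event handlers inside a tag, and javascript: URIs --->
    <cfset var patterns = "<\s*script\b|<[^>]*\son[a-z]+\s*=|javascript\s*:">

    <cfset fileObj = FileOpen(arguments.path, "read")>
    <cftry>
        <cfloop condition="NOT FileIsEOF(fileObj)">
            <cfset line = FileReadLine(fileObj)>
            <!--- Normalise URL- and entity-encoded angle brackets before matching --->
            <cfset line = REReplaceNoCase(line, "%3c|&lt;|&##0*60;?|&##x0*3c;?", Chr(60), "all")>
            <cfset line = REReplaceNoCase(line, "%3e|&gt;|&##0*62;?|&##x0*3e;?", Chr(62), "all")>
            <cfif REFindNoCase(patterns, line)>
                <cfset suspect = true>
                <cfbreak>
            </cfif>
        </cfloop>
        <cfcatch type="any">
            <!--- Release the handle on any read error, then rethrow --->
            <cfset FileClose(fileObj)>
            <cfrethrow>
        </cfcatch>
    </cftry>
    <!--- Explicit close so the handle is released before the caller deletes the file --->
    <cfset FileClose(fileObj)>
    <cfreturn suspect>
</cffunction>

<!--- Usage: scan an uploaded file, delete it if any pattern matched --->
<cfset uploadPath = ExpandPath("./Attachments/sample.txt")>
<cfif isSuspectUpload(uploadPath)>
    <cffile action="delete" file="#uploadPath#">
</cfif>
```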
