CFMX 6.1 and Cross-Site Scripting via URL

Guest
Jun 04, 2007

I have been trying to block a vulnerability on our site that was reported by our scanning software.
The example they gave was:
http:www.ourSite.com//index.cfm?fuseaction=shoppingCart.landingPage&block=>'><script>alert(11799913.8357)</script>&CFID=11381673&CFTOKEN=a619bacd140fcfd4
So that the '<script>alert(11799913.8357)</script>' part of the url triggers the Alert popup, which - I guess means that the site is vulnerable for something more nasty to be injected.
I have code to deal with url variables being cleaned up in the application.cfm file, but nothing seems to block this bugger. Anyone else been down this path??
LEGEND ,
Jun 04, 2007

ratkiller wrote:
> I have been trying to block a vulnerability on our site that was reported by our
> scanning software.
> The example they gave was:
>
> http:www.ourSite.com//index.cfm?fuseaction=shoppingCart.landingPage&block=>'><sc
> ript>alert(11799913.8357)</script>&CFID=11381673&CFTOKEN=a619bacd140fcfd4
> So that the '<script>alert(11799913.8357)</script>' part of the url triggers
> the Alert popup, which - I guess means that the site is vulnerable for
> something more nasty to be injected.
> I have code to deal with url variables being cleaned up in the
> application.cfm file, but nothing seems to block this bugger. Anyone else been
> down this path??
>
What version of CF are you on? The latest version has a cross scripting
blocking feature in the administrator.

LEGEND ,
Jun 04, 2007

htmlcodeformat() or htmleditformat()

Guest
Jun 04, 2007

version is 6.1 as in my post title.
htmlcodeformat() or htmleditformat() will not work, event happens before chance to throw code at it... try it in your site url and see.

LEGEND ,
Jun 04, 2007

have you tried the cf_inputfilter custom tag?
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_17502
http://download.macromedia.com/pub/security/coldfusion/all_versions/inputfilter.zip
HTH
--
Tim Carley
www.recfusion.com
info@NOSPAMINGrecfusion.com

Guest
Jun 04, 2007

CF_inputfilter no good for this, that is for forms inputs and links, not for something injected into browser url by hand. I think I need to find some javascript that blocks url-injected scripts. I'm gonna play with this bit next, looks close to what I need...
http://userjs.org/scripts/browser/enhancements/safe-alert
Thanks for the suggestion tho.

LEGEND ,
Jun 04, 2007

<cf_inputFilter
scopes = "[FORM][,COOKIE][,URL]"
chars = "list_of_chars"
tags = "ALL|list_of_tags">

it works for URLs, but, do whatever you need to get there.
--
Tim Carley
www.recfusion.com
info@NOSPAMINGrecfusion.com

Guest
Jun 04, 2007

thanks for the info, I will try it. So far though this seems to trigger the alert box BEFORE any chance to manipulate url vars. I'll post back my results.

Guest
Jun 04, 2007

I tried cf_inputfilter, did not work for this,
<cf_inputFilter scopes = "URL" tags = "ALL">

Also I tried the javascript bit at http://userjs.org/scripts/browser/enhancements/safe-alert, no luck with either.

Advocate ,
Jun 05, 2007

How are you using the variable "block"? It seems like you should be able to put some code in the application.cfc / application.cfm file that filters the values of the variables passed via URL. I'm not that familiar with cf_inputfilter, but it seems like as long as you are using it (or a similar UDF - check cftips.com?) before the variable "block" is placed in the HTML code it should filter it out for you.

Advocate ,
Jun 05, 2007

> thanks for the info, I will try it. So far though this seems to trigger the alert box
> BEFORE any chance to manipulate url vars. I'll post back my results

That's not actually possible, since the alert() is a javascript function (i.e. runs on the browser) and your code is server side (i.e. runs first). What's more likely is that you're adding your filtering code too late in the application process flow.

Take a look in your HTML code for your compiled page and see where your alert() box is being inserted. It seems probable that your variable may be called from an include or an application file before it gets to your template (especially probable if you are using fusebox).

Track down where your variable is being used and then put your filter BEFORE that in the CF code.
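
The advice in the last reply, sketched as an added example (not code from the thread, from any poster's site, or from Adobe). The variable name "block" comes from the reported URL; the hidden-field markup it is written into and the allow-list of characters are assumptions made for illustration.

```cfm
<!--- ===== Application.cfm (added example) =====
      Runs before every template, so a check placed here precedes any include
      or fuseaction that reads the value. --->
<cfparam name="url.block" default="">
<!--- Assumption: a legitimate block name contains only letters, digits and
      underscore. Anything else is discarded rather than repaired. --->
<cfif Len(url.block) AND REFind("[^A-Za-z0-9_]", url.block)>
    <cfset url.block = "">
</cfif>

<!--- ===== Template, BEFORE (assumed markup, deliberately unsafe) =====
      The raw value is written inside a single-quoted attribute. A value that
      contains a single quote followed by ">" ends the attribute and the tag,
      and whatever follows is parsed by the browser as markup. --->
<cfoutput><input type='hidden' name='block' value='#url.block#'></cfoutput>

<!--- ===== Template, AFTER =====
      Encode at the point of output and quote the attribute with double quotes.
      HTMLEditFormat() escapes < > & and the double quote, but not the single
      quote, so leaving the attribute single-quoted would still be breakable.
      Assumption: the template reads url.block directly. If it reads a copy
      (Fusebox merges URL and FORM values into the attributes scope), encode
      the variable that is actually written to the page. --->
<cfoutput><input type="hidden" name="block" value="#HTMLEditFormat(url.block)#"></cfoutput>
```

To confirm the fix, request the page with the scanner's URL and view the page source: the value should appear as `&gt;` and `&lt;` entities inside the attribute, or not at all if the Application.cfm check rejected it.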
