10 Replies Latest reply on Jun 5, 2007 10:22 AM by insuractive

    CFMX 6.1 and Cross-Site Scripting via URL

      I have been trying to block a vulnerability on our site that was reported by our scanning software.
      The example they gave was:
      http:www.ourSite.com//index.cfm?fuseaction=shoppingCart.landingPage&block=>'><script>alert (11799913.8357)</script>&CFID=11381673&CFTOKEN=a619bacd140fcfd4
      So that the '<script>alert(11799913.8357)</script>' part of the URL triggers the alert popup, which, I guess, means that the site is vulnerable to something more nasty being injected.
      I have code to deal with URL variables being cleaned up in the application.cfm file, but nothing seems to block this bugger. Anyone else been down this path??
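
Added example, not part of the original post or the poster's code: one way to neutralise the reported reflection by validating `url.block` against an allow-list and encoding it where it is written into the page. The hidden field and link that echo `block`, and the assumption that legitimate values are alphanumeric, are hypothetical; only `HTMLEditFormat`, `URLEncodedFormat`, `REFind` and `Len`, all available in CFMX 6.1, are used.

```cfml
<!--- Added example. How the site actually echoes "block" is an assumption. --->
<cfparam name="url.block" default="">

<!--- Vulnerable pattern (kept commented out): the raw URL value lands inside
      an attribute. The scanner's >'> ends the attribute and the tag, so the
      <script> element that follows is parsed as markup.
      <input type='hidden' name='block' value='#url.block#'> --->

<!--- 1. Allow-list validation: anything outside the expected character set
         (assumed here to be letters, digits and underscore) is discarded. --->
<cfif Len(url.block) AND REFind("[^A-Za-z0-9_]", url.block)>
    <cfset url.block = "">
</cfif>

<!--- 2. Encode at the point of output, per context.
         HTMLEditFormat escapes < > & and " but not the single quote,
         so the attribute must be double-quoted.
         URLEncodedFormat is used when the value goes back into a URL. --->
<cfoutput>
<input type="hidden" name="block" value="#HTMLEditFormat(url.block)#">
<a href="index.cfm?fuseaction=shoppingCart.landingPage&amp;block=#URLEncodedFormat(url.block)#">Back to cart</a>
</cfoutput>
```

Encoding at output covers every place the value is written, which input clean-up in application.cfm alone does not guarantee.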