Today I was playing with Galleon (the open source forum by Raymond Camden). I installed it in my CF9 web root and noticed two things worth sharing as a blog entry. First, I got an error while configuring it in CF9. The error was in image.cfc, because a function name there collides with the new "throw" keyword introduced in CF9. I renamed the function and its calls, and it works fine.
Second, I tried to embed YouTube video code in a post, but the object and embed HTML tags came back replaced with the string InvalidTag. At first I thought it was an issue in the Galleon forum (DP_ParseBBML.cfm in the tags folder), but even after commenting out everything in DP_ParseBBML.cfm I got the same result. As usual I went to Google, and found that scriptprotect="all" in my cfapplication tag is the reason. The posted code
<object width="425" height="344"><param name="movie"
value="http://www.youtube.com/v/MBocBdDw7g0&hl=en&fs=1&"></param><param
name="allowFullScreen" value="true"></param><param
name="allowscriptaccess" value="always"></param><embed
src="http://www.youtube.com/v/MBocBdDw7g0&hl=en&fs=1&"
type="application/x-shockwave-flash" allowscriptaccess="always"
allowfullscreen="true" width="425"
height="344"></embed></object>
was converted into
<InvalidTag width="425" height="344"><param
name="movie"
value="http://www.youtube.com/v/MBocBdDw7g0&hl=en&fs=1&"></param><param
name="allowFullScreen" value="true"></param><param
name="allowscriptaccess" value="always"></param><InvalidTag src="http://www.youtube.com/v/MBocBdDw7g0&hl=en&fs=1&"
type="application/x-shockwave-flash" allowscriptaccess="always"
allowfullscreen="true" width="425"
height="344"></embed></object>
Whenever you see "InvalidTag" in submitted content, check your Application.cfc or Application.cfm for one of these settings. scriptProtect rewrites the form, url, cgi and cookie scopes before your code ever sees them, and "all" covers all four scopes:
this.scriptProtect = "all"; // in Application.cfc
or
<cfapplication ... scriptProtect="all"> <!--- in Application.cfm --->
The scriptProtect attribute was introduced in ColdFusion MX 7 to mitigate XSS (cross-site scripting). XSS attacks are written in a client-side scripting language, most often a dialect of ECMAScript (e.g. JavaScript, JScript), sometimes including markup such as HTML or XHTML. XSS sometimes affects Sun Microsystems' Java, Microsoft's ActiveX and VBScript, Adobe's Flash and ActionScript, and RSS and Atom feeds (thanks, Wikipedia). Attackers inject such content into a vulnerable application to fool its users. For example, an attacker who can get the following into one of your pages sends every visitor to their own site:
<script type="text/javascript">
window.location = "http://www.hacker_site.com/"
</script>
The patterns scriptProtect applies are stored in neo-security.xml in the lib folder of the ColdFusion installation. This part of the default neo-security.xml is what converts the opening object and embed tags (and script, applet and meta) into <InvalidTag:
<var name="CrossSiteScriptPatterns">
  <struct type="coldfusion.server.ConfigMap">
    <var name="&lt;\s*(object|embed|script|applet|meta)">
      <string>&lt;InvalidTag</string>
    </var>
  </struct>
</var>
You can define your own patterns here and restart the ColdFusion server; the file is server-wide, so the change affects every application on that server. Two caveats: scriptProtect is a blacklist of tag names applied to incoming request variables, so input that does not use one of the listed names (an img tag with an onerror handler, an iframe, and so on) passes through untouched; and, as the embed code above shows, it also rewrites legitimate content. Encoding untrusted data at output time (HTMLEditFormat() in CF9) is the reliable defense, and scriptProtect is at best a second layer. If you keep it, you can limit it to the scopes that need it (for example "url,cgi" rather than "all") so that post bodies arrive intact.
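To make the behaviour of the Application.cfc setting and the neo-security.xml pattern above concrete, here is an added Python re-implementation of what scriptProtect does to a request. It is illustration written for this post, not ColdFusion's own code: the regex is the one from neo-security.xml, the "all" / "none" / comma-list scope semantics follow the documented scriptProtect values, and case-insensitive matching is an assumption. The sample inputs are constructed (the YouTube and redirect snippets are condensed from the post). It shows the embed code being mangled, a script tag being neutralised, two payloads that the blacklist never touches, and what output encoding does to the same input.

```python
import html
import re

# The default CrossSiteScriptPatterns entry from neo-security.xml
# (pattern -> replacement). Case-insensitive matching is an assumption.
CROSS_SITE_SCRIPT_PATTERNS = {
    r"<\s*(object|embed|script|applet|meta)": "<InvalidTag",
}

# The four request scopes scriptProtect can filter.
SCRIPT_PROTECT_SCOPES = ("cgi", "cookie", "form", "url")


def script_protect(value: str) -> str:
    """Rewrite one request value the way scriptProtect does.

    Only the matched opening-tag prefix is replaced, so closing tags such
    as </embed></object> survive, exactly as in the mangled post above.
    """
    for pattern, replacement in CROSS_SITE_SCRIPT_PATTERNS.items():
        value = re.sub(pattern, replacement, value, flags=re.IGNORECASE)
    return value


def is_blocked(value: str) -> bool:
    """True if the blacklist changed the value at all."""
    return script_protect(value) != value


def scopes_for(setting: str) -> set:
    """Translate a scriptProtect setting ('all', 'none' or a comma list
    of cgi,cookie,form,url) into the set of scopes that get filtered."""
    setting = setting.strip().lower()
    if setting == "none":
        return set()
    if setting == "all":
        return set(SCRIPT_PROTECT_SCOPES)
    chosen = {s.strip() for s in setting.split(",")}
    unknown = chosen - set(SCRIPT_PROTECT_SCOPES)
    if unknown:
        raise ValueError(f"unknown scriptProtect scope(s): {sorted(unknown)}")
    return chosen


def protect_request(setting: str, request: dict) -> dict:
    """Apply scriptProtect to a request modelled as {scope: {name: value}}."""
    filtered = scopes_for(setting)
    return {
        scope: {k: (script_protect(v) if scope in filtered else v)
                for k, v in variables.items()}
        for scope, variables in request.items()
    }


def encode_for_html(value: str) -> str:
    """Output-time encoding (what HTMLEditFormat() does in CF9): neutralises
    any markup, blacklisted or not, without destroying the stored text."""
    return html.escape(value, quote=True)


# Constructed sample inputs. The first two are condensed from the post.
YOUTUBE_EMBED = (
    '<object width="425" height="344">'
    '<param name="movie" value="http://www.youtube.com/v/MBocBdDw7g0&hl=en&fs=1&"></param>'
    '<embed src="http://www.youtube.com/v/MBocBdDw7g0&hl=en&fs=1&" '
    'type="application/x-shockwave-flash"></embed></object>'
)
REDIRECT_SCRIPT = ('<script type="text/javascript">'
                   'window.location = "http://www.hacker_site.com/"</script>')
# Payloads using tag names that are not in the default pattern.
IMG_ONERROR = '<img src=x onerror="window.location=\'http://www.hacker_site.com/\'">'
IFRAME = '<iframe src="http://www.hacker_site.com/"></iframe>'


if __name__ == "__main__":
    request = {"form": {"body": YOUTUBE_EMBED}, "url": {"q": REDIRECT_SCRIPT}}
    for setting in ("all", "url,cgi"):
        print(f"scriptProtect={setting!r}: form.body ->",
              protect_request(setting, request)["form"]["body"][:40])
    for name, payload in (("script", REDIRECT_SCRIPT), ("img", IMG_ONERROR),
                          ("iframe", IFRAME)):
        print(f"{name:6s} blocked by blacklist: {is_blocked(payload)}")
    print("encoded:", encode_for_html(REDIRECT_SCRIPT))
```

With scriptProtect="all" the forum post body loses its object and embed tags while the img and iframe payloads pass the blacklist unchanged; with "url,cgi" the form scope is left alone, and encode_for_html shows the output-encoding route that handles all four inputs the same way.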

Sep 1, 2009 at 2:22 PM Actually, this was fixed July 24th. You can see it in the readme.txt.
Sep 2, 2009 at 1:50 AM @Ray, I pointed out a wrong issue. I was working with my old downloaded version.
Jun 4, 2010 at 3:57 AM wow
Jul 15, 2010 at 5:31 PM Thank you so much for this post. I had the same problem when installing ckfinder and wouldn't have figured this out in my lifetime.