
coldfusion.txt
Posted Sep 25, 2003
Authored by T.Hara | Site scan-web.com

Macromedia's ColdFusion is susceptible to a cross site scripting attack under certain conditions.

tags | advisory, xss
SHA-256 | a735d602394b50e656bc281563c0a6fa0a3b76a6ea07c95001ca5055469a229a


ColdFusion cross-site scripting vulnerability in the error page

----------------------------------------------------------------------

--> Outline of the vulnerability

Macromedia's ColdFusion can display various information about an error
on the page shown when the error occurs.
Some of that information, such as the "Referer" header, is transmitted
by the client machine, and ColdFusion displays it as is, without HTML
encoding.
An attacker who prepares a web page containing a link with an embedded
script can therefore execute arbitrary script in the victim's browser.


--> User's risk

A user who accesses a vulnerable server risks having arbitrary
JavaScript and HTML chosen by the attacker executed in their browser.
The assumed risks are:
session hijacking (by a stolen cookie)
page defacement by embedded HTML tags
etc.
It is insecure to store critical information (such as personal
information) unencrypted in a cookie. Such a poorly designed
application makes the damage larger when a session hijack occurs.


--> Range of influence

This problem is present in the error page of all versions of
ColdFusion.
The problem does not occur when ColdFusion's error page does not
include content transmitted from the client machine (such as
"Referer").


--> About the vulnerability

In ColdFusion, an error page is displayed when an error occurs.
That page can display content transmitted from the client machine
(#error.HTTPReferer#) as is.
When the content to be displayed contains attack code, a cross-site
scripting attack results.

For example, when a script is placed in the "Referer" header, it is
written out through #error.HTTPReferer# and executed as soon as the
error page is displayed.
The same problem exists with #error.QueryString#.


--> Sample attack

A user is using site A (www.CFtestA.com), which runs ColdFusion.
The method for stealing the cookie is as follows.

1. The attacker creates page B (www.atack_testA.com/cf.html), which
contains a link to site A.
2. Next, the attacker writes a lure likely to draw victims, such as a
prize giveaway, on another page and attaches a link to page B there.
The attack code is embedded in this link. It remains in the "Referer"
information as is, and when the victim, now on page B, clicks the
link to site A, the code is executed.
Example: <a href="http://www.atack_testA.com/cf.html?<script>alert(document.cookie)</script>">GET PRIZE! HERE'S PRIZE LINKS!</a>

When site A issues a cookie, it can be stolen by this method.
Note that cf.html needs no server-side mechanism (CGI etc.). The part
after "?" is ignored and cf.html is simply displayed.
However, the attack becomes possible because the "?" and everything
after it remain in the "Referer" as is.
By changing the code embedded in the same way, arbitrary code can be
executed.


--> Solution

A patch for this problem is distributed by Macromedia and can be
obtained from the following URL:
http://www.macromedia.com/devnet/security/security_zone/mpsb03-06.html
In addition, regardless of whether the patch is applied, you should not
use an error page that displays content transmitted from the client
machine as is.
Although this may be necessary during debugging, it is dangerous in a
production environment.
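The check a practitioner would want for the reflected "Referer" and
query-string condition described above, together with the template fix
the Solution section asks for, as an added Python example that is not
part of the advisory or of ColdFusion itself. render_error_page is a
constructed model of a custom ColdFusion error template (verbatim
#error.HTTPReferer# / #error.QueryString# versus encoded output),
html_edit_format is an approximation of what ColdFusion's
HTMLEditFormat() does to a string, the marker strings and the
http://lure.example/cf.html URL are constructed, and probe performs a
live request that you would point only at your own test server.

```python
"""Added example: detect unescaped reflection of Referer / query string
in an error page, and model the vulnerable versus fixed template."""
import http.client
import re

# Constructed probe strings. They cannot occur in a legitimate Referer or
# query string, and the angle brackets are exactly what an HTML encoder
# must neutralise. Distinct markers let one request test both fields.
REFERER_MARKER = "<cfxref>"
QUERY_MARKER = "<cfxqs>"

# Matches an HTML-encoded '<' in any of its common entity spellings.
_ENCODED_LT = r"(?:&lt;|&#0*60;|&#x0*3c;)"


def referer_from_lure(lure_url: str, payload: str) -> str:
    """Referer a browser sends after the victim follows a link from the
    lure page. The lure page ignores everything after '?', but the
    browser keeps it in the Referer sent to the next site."""
    return f"{lure_url}?{payload}"


def html_edit_format(value: str) -> str:
    """Assumption: approximation of ColdFusion's HTMLEditFormat(), which
    encodes &, <, > and the double quote. '&' is replaced first so the
    entities produced afterwards are not encoded a second time."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_error_page(referer: str, query_string: str, encode: bool) -> str:
    """Constructed model of a custom error template.
    encode=False reproduces the vulnerable pattern (client data written
    out verbatim); encode=True is the fixed template."""
    enc = html_edit_format if encode else (lambda s: s)
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Referer: {enc(referer)}</p>"
        f"<p>Query string: {enc(query_string)}</p>"
        "</body></html>"
    )


def reflection_state(body: str, marker: str) -> str:
    """Classify how a page handled a probe string.
    'unescaped' - raw marker echoed back: script injection is possible
    'escaped'   - marker echoed with '<' HTML-encoded: encoder in place
    'absent'    - the field is not echoed at all"""
    if marker in body:
        return "unescaped"
    name = marker.strip("<>")
    if re.search(_ENCODED_LT + re.escape(name), body, re.IGNORECASE):
        return "escaped"
    return "absent"


def probe(host: str, path: str = "/no-such-page.cfm", port: int = 80) -> dict:
    """Live check against a server you control: request a path that should
    trigger the error template, with the markers placed raw (not URL
    encoded, since the query string is reflected as sent) in the query
    string and in Referer, then classify each reflection."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        referer = referer_from_lure("http://lure.example/cf.html", REFERER_MARKER)
        conn.request("GET", f"{path}?{QUERY_MARKER}", headers={"Referer": referer})
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    return {"HTTPReferer": reflection_state(body, REFERER_MARKER),
            "QueryString": reflection_state(body, QUERY_MARKER)}


if __name__ == "__main__":
    # Offline demonstration on the modelled templates.
    ref = referer_from_lure("http://www.atack_testA.com/cf.html", REFERER_MARKER)
    for fixed in (False, True):
        page = render_error_page(ref, QUERY_MARKER, encode=fixed)
        print("fixed" if fixed else "vulnerable",
              reflection_state(page, REFERER_MARKER),
              reflection_state(page, QUERY_MARKER))
```

A result of "escaped" only shows that the angle bracket was encoded in
the element body; if the template writes client data into an attribute
or into a script block, the encoding needed is different, and the page
should be reviewed by hand for those contexts as well.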

T.Hara , Scan Security Wire http://www.scan-web.com/ .
http://www.scan-web.com/jvi/index.cgi

