Adobe ColdFusion Validation Feature Cross-Site Scripting Vulnerability

Vulnerability ID: 1195017    Vulnerability type: Cross-site scripting
Published: 2006-05-15    Updated: 2006-05-16
CVE ID: CVE-2006-2364    CNNVD ID: CNNVD-200605-263
Platform: N/A    CVSS score: 5.8
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006050091
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-263
|Vulnerability details
The form validation feature in Macromedia ColdFusion 5 and earlier is vulnerable to cross-site scripting (XSS). When the associated regular form field is missing or left empty, a remote attacker can inject arbitrary web script or HTML through the unsanitized "_required" field, whose value is echoed back in the error message.
|Exploit (EXP)
This only affects ColdFusion versions 5 and below. It does not affect CFMX. This is similar to previously reported XSS issues with CF, but not identical to any that I have seen reported.

Cold Fusion has a "feature" that allows a developer to add validation to HTML forms by using specially named form fields. For example:

<form method="POST" action="x.cfm">
  <input name="foo">
  <input type="hidden" name="foo_required" value="You must enter something">
  ....
</form>

Notice the magic "_required" tacked onto the end of that second input. If the form is submitted with the "foo" parameter missing or empty, then the value of foo_required ("You must enter something") will be displayed back to the user.

Note that this is an automatic feature of the server; it does not involve any code being written in "x.cfm" to do any validation. This only happens with POST requests, not GET.

The error messages displayed are vulnerable to XSS. Any HTML or javascript provided will be echoed directly back to the client, as-is.

Any website can create a form that points to the target website, and embeds harmful script, and then use some method to get legitimate users to submit the form.
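As a defender-side check for the behaviour described above (an added example, not part of the original advisory), the following Python function inspects a request's method and form body and flags exactly the condition under which ColdFusion 5 would echo a "_required" message: a POST in which the base field is absent or empty and the "_required" value contains markup. The request samples and the helper names are constructed for this example.

```python
import re
from urllib.parse import parse_qs

SUFFIX = "_required"
# Any "<" followed by a tag name, a closing slash or "!" counts as markup.
MARKUP_RE = re.compile(r"<[a-zA-Z/!]")


def risky_required_fields(method, body):
    """Return (base_field, message) pairs whose message would be echoed
    by the automatic validation handler and contains HTML markup."""
    if method.upper() != "POST":
        return []  # the advisory notes the feature only fires on POST requests
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for name, messages in params.items():
        if not name.endswith(SUFFIX):
            continue
        base = name[: -len(SUFFIX)]
        base_values = params.get(base, [])
        # The message is displayed only when the base field is missing or empty.
        triggered = not any(v.strip() for v in base_values)
        if not triggered:
            continue
        for msg in messages:
            if MARKUP_RE.search(msg):
                hits.append((base, msg))
    return hits


# Constructed sample requests (method, url-encoded POST body) for a log scan.
SAMPLE_REQUESTS = [
    ("POST", "foo=&foo_required=%3Cb%3Eoops%3C%2Fb%3E"),       # echoed, has markup
    ("POST", "foo=bar&foo_required=%3Cb%3Eoops%3C%2Fb%3E"),    # base present: no echo
    ("GET", "foo=&foo_required=%3Cb%3Eoops%3C%2Fb%3E"),        # GET: feature inactive
    ("POST", "foo_required=You+must+enter+something"),         # echoed, but plain text
]


def scan_requests(requests):
    """Return (request_index, base_field, message) for each flagged field."""
    findings = []
    for idx, (method, body) in enumerate(requests):
        for base, msg in risky_required_fields(method, body):
            findings.append((idx, base, msg))
    return findings


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print("flagged:", finding)
```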

ColdFusion allows a custom template to be provided by the developer for these types of errors. For instance:

<cferror type="validation" template="myErrorTemplate.cfm">

Unfortunately, the error handler template cannot contain any CFML code that could be used to sanitize the error messages. It can only contain static HTML, presumably for branding purposes, and a very basic subset of CFML variables for telling the engine where in the HTML to display the error messages.

The workaround is to create an error template that does not attempt to display the client-supplied error messages in any way, but truly contains only static HTML.

This effectively renders the validation "feature" of ColdFusion useless, but it is of questionable value anyway.
|References

Source: BID
Name: 17938
Link: http://www.securityfocus.com/bid/17938
Source: BUGTRAQ
Name: 20060510 yet more XSS in older versions of ColdFusion
Link: http://www.securityfocus.com/archive/1/433819
Source: XF
Name: coldfusion-error-message-xss(26508)
Link: http://xforce.iss.net/xforce/xfdb/26508
Source: SREASON
Name: 894
Link: http://securityreason.com/securityalert/894