> I haven't done Coldfusion since CF4, however recently have been tasked to
> look at a CF7MX application that has 3 security issues they are looking to fix.
>
> 1. Cross Site Scripting - I believe I have this one figured out using the
> Admin Panel's "Enable global script protection"
> 2. Format String Injection
> 3. Parameter Based Buffer Overflow
>
> I have been able to find generalized information on the other two issues, but
> nothing as it relates to CF itself. Will the "Enable global script protection"
> fix these other two as well or should I be looking elsewhere? Everything I am
> finding has to do with SQL injection and not Format String Injection, and I'm
> finding nothing on Parameter Based Buffer Overflow.
First, no, enabling global script protection will not fix all three issues. In fact, it's not guaranteed to fix XSS issues; although it may block many XSS attacks, it doesn't prevent XSS attacks generally, it just filters data for known XSS attack strings.

XSS attacks occur when an attacker can send client-side executable code (typically JavaScript, but it could be anything else that an HTML page can tell a local computer to do) to your server, and your server stores that and later delivers it to other users. The attack isn't really targeting the server specifically, but rather those other users.

The other two things are attacks on your server, and are basically similar to SQL injection: the attacker sends a value that your code takes and passes directly to a function. XSS filtering has nothing to do with them. For example, let's say you have a line of code like this:

    <cfinclude template="#form.nextpage#.cfm">

An attacker could inject a value there, because you're taking data directly from the browser and using it to do something. Now, that specific attack wouldn't be very helpful to an attacker in most cases, but it shows you what I mean, I guess.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353198
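One way to close the include-path hole Dave describes, as an added example that is not from the original thread or from Fig Leaf Software: the user-supplied value is never used as a path, only as a key into a fixed allowlist, and anything else is logged and replaced with a safe default. The page names and the `allowedPages` struct are assumed for illustration; the struct is built with structNew() so it also runs on the CF7 release the question is about.

```cfml
<!--- Vulnerable form quoted in the reply above: the raw form field
      becomes part of the include path, so the browser chooses which
      file the server executes. Left commented out on purpose. --->
<!--- <cfinclude template="#form.nextpage#.cfm"> --->

<!--- Hardened form: map the request value to a fixed set of templates.
      The keys and file names below are assumed for illustration. --->
<cfset allowedPages = structNew()>
<cfset allowedPages["home"]    = "home.cfm">
<cfset allowedPages["account"] = "account.cfm">
<cfset allowedPages["orders"]  = "orders.cfm">

<!--- Guarantee the variable exists so the lookup below cannot throw --->
<cfparam name="form.nextpage" default="home" type="string">

<cfif structKeyExists(allowedPages, form.nextpage)>
    <!--- Only a value that came out of the allowlist reaches cfinclude --->
    <cfinclude template="#allowedPages[form.nextpage]#">
<cfelse>
    <!--- Unknown value: record it for detection (truncated so the log
          itself cannot be flooded) and fall back to the default page --->
    <cflog file="security" type="warning"
           text="Rejected nextpage from #cgi.remote_addr#: #left(form.nextpage, 100)#">
    <cfinclude template="#allowedPages['home']#">
</cfif>
```

The same pattern (lookup, never concatenation) applies wherever a request value would otherwise be passed straight into a function, which is the common thread between the three issues in the question.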

