Or just add this to your application .cfm, allaire released it a while ago.
Works great. The tag is from <cfsilent> to </cfsilent>
<cfmodule
template="customTags/inputfilter.cfm"
scopes = "FORM,COOKIE,URL"
chars = "),(,%,&,$,*,<,>,;"
tags =
"SCRIPT,OBJECT,APPLET,EMBED,FORM,LAYER,ILAYER,FRAME,IFRAME,FRAMESET,PARAM,ME
TA,TABLE,TD,TH,TR,HEAD,BODY,FONT,A,IMG,B,U,I,OL,UL">
<cfsilent>
<!---
Template: inputfilter.cfm
Author: Peter Muzila
Source Control: $Header: $
Description:
The cf_inputFilter tag removes characters or tags from all
fields coming from the
specified scopes (form,cookie, or url). This tag can be
placed in the Application.cfm
file to filter out any input coming thru these scopes to any
of the templates belonging
to the application.cfm file.
This tag can be executed only with CF 4.5 or higher
Usage:
<cf_inputFilter
scopes = "[FORM][,COOKIE][,URL]"
chars = "list_of_chars"
tags = "ALL|list_of_tags"
>
Attributes:
scopes (string list, required) - comma-delimited list of
input scopes to be filtered
chars (string, optional) - string containing set of
characters to be filtered out from the
input scope
tags (string list, optional) - comma-delimited list of tag
names to be filtered out from the
input scope
--->
<!--- attributes validation --->
<cfparam name="attributes.scopes">
<cfparam name="attributes.chars" default="">
<cfparam name="attributes.tags" default="">
<cfscript>
// prepare reg expression for the tag search
reTags = "" ;
if ( attributes.tags eq "ALL" )
// re for any tag - "<*>"
reTags = "<[^>]*>" ;
else if ( attributes.tags neq "" )
// re for any of the listed tags - "<tag1|tag2|...|tagN>"
reTags = "</?(#ListChangeDelims(attributes.tags, '|', ','
)#)[^>]*>" ;
// get comma-delimited list of chars from char set
charList = attributes.chars;
</cfscript>
<cfloop list="#attributes.scopes#" index="scopeName">
<cfif not findnocase("multipart/form-data",cgi.CONTENT_TYPE)>
<cfscript>
// get the handle for the scope (form, cookie, url)
s = Evaluate( scopeName ) ;
// scroll thru fields in the scope and handle only
simple values
for ( field in s )
if ( IsSimpleValue( s[field] ) ) {
// replace tags
if ( reTags neq '' )
s[field] = REReplace(
s[field], reTags, "", "ALL" ) ;
// replace chars
if ( charList neq '' )
s[field] = ReplaceList(
s[field], charList, "" ) ;
}
</cfscript>
</cfif>
</cfloop>
</cfsilent>
Robert Everland III
Web Developer Extraordinaire
Dixon Ticonderoga Company
http://www.dixonusa.com
-----Original Message-----
From: Trusz, Andrew [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 7:12 AM
To: CF-Talk
Subject: RE: security: attacks through submission of script
Since nobody else seems to have responded, I'll give it a quick pass. Data
from forms needs to be validated. Regular expressions on the server side do
this nicely (including dealing with sql insertion attack), if you construct
them carefully. You can also check for the referring page to be sure it
comes from your server. Yes, that means one set of validating scripts for
the client before submission and another on the action page to filter
attacks. Slower? A little. Safer? Oh yes!
Javascript is indeed generally safe in and of itself. Most of the egregious
security holes have long since been patched. But that doesn't mean
proprietary implementations won't open new holes. The major holes now are in
html email. Attacks through forms don't usually use javascript, other
scripts or commands are sent thru the forms.
For a quick fix you might yu might look at "Hack Proofing Your Web
Application", Jeff Forristal and Julie Traxler, Syngress Press. And for
hacking itself, the old reliable "Hacking Exposed" which may now be in a 3
edition from Osborne. Lots of good web references as well, but watch the
source.
andy
-----Original Message-----
From: Cornillon, Matthieu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 4:09 PM
To: CF-Talk
Subject: security: attacks through submission of script
Hi. I am evaluating the security of my application as regards malicious
attack via manipulation of the Cookie, URL, or Form variables. I know about
the business with submission of unauthorized SQL statements, and have
already screened for it. But then there is the issue of unauthorized script
insertion. For example, if a form asks for a value (FormVar) and the action
page displays that value (<CFOUTPUT>#Form.FormVar#</CFOUTPUT>), the educated
user can submit things other than those intended, causing interesting
results. If they enter <font color="red">Check this out!</font>, the next
page will display Check this out! in red letters. I have also successfully
passed JavaScript like this. Going on my basic (and hopefully correct)
assumption that JavaScript is set up so that it cannot (a) harm the user's
machine or (b) harm the server, I am not going to worry about this, since
the worst a user will do is pass themselves a JavaScript routine that
produces an error.
That is fine for client-side scripting, but I am worried about server-side
scripting. Submission of ColdFusion code through these variables shouldn't
matter, since it won't appear in the template until after ColdFusion
processing has occurred, meaning that the inserted code itself will not be
processed. Are there any other scripting languages, though, that would be
evaluated on the server side AFTER the CFAS processes the template?
Thanks,
Matthieu
______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
