they ( Macromedia ) downplayed this.. http://nothackers.org/pipermail/0day/2003-June/000028.html http://nothackers.org/pipermail/0day/2003-June/000029.html http://nothackers.org/pipermail/0day/2003-June/000030.html as i am sure they will do with yours, as they think XSS is not a security issue.
D. Werner CTO E2 Labs Infosec http://e2-labs.com ----- Original Message ----- From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, September 23, 2003 10:39 AM Subject: [Full-Disclosure] ColdFusion cross-site scripting security vulnerability of an error page > ColdFusion cross-site scripting security vulnerability of an error page > > >> The outline of vulnerability > > Macromedia's ColdFusion can display the various information about an > error at the time of error occurred. > There is information transmitted from a client machine like "Referer". > ColdFusion displays the information as it is. > An attacker can execute a script on victim's browser by preparing for > WEB the link which embedded arbitrary scripts. > > > >> User's risk > > The user who accesses a vulnerable server has a risk that forced to > execute the arbitrary javascript and HTML code which the attacker > embedded. > Risks of being assumed are below. > session high-jack ( by stolen cookie ) > page defacement by embedded html tags. > etc. > It is insecure to store critical information ( such as personal > information ) without encryption in cookie. Such a poor > application will make risk bigger when session-highjack occurs. > > > >> The range of influence > > This problem is contained in the error page of all versions of > ColdFusion. > This problem does not occurred when ColdFusion's error page does not > include the contents transmitted from client machines ( such as "Referer" > ). > > > >> About vulnerability > > In Cold Fusion, an error screen is displayed at the time of error > occurred. > It is possible to display the contents transmitted from the client > machine (#error.HTTPReferer#) as it is. > When the code for an attack is contained in the contents to display, a > cross-site scripting attack can be executed. > > For example, the script will be executed when the script for an attack > is embedded by "Referer" in #error.HTTPReferer#, and an error screen is > displayed. > The same problem exists in the #error.QueryString# . > > > >> Sample attack > > User using Cold Fusion of the site A (www.CFtestA.com). > The method of stealing cookie is bellow. > > 1. An attacker creates the page B (www.atack_testA.com/cf.html) with the > link to the site A. > 2. Next, after considering the invitation complaint which is easy to > guide victims, such as present collection, to another page, the link to > Page B is attached. > A code for an attack is embedded into this link, that code remains as > "Referer" information as it is, and when it clicks the link to the site > A which has a victim in Page B, it will be executed. > Example: <a href ="http://www.atack_testA.com/cf.html?<script>alert > (document.cookie) </script>"> GET PRIZE! HERE'S PRIZE LINKS!</a> > > When cookie is published in site A, it can steal by this method. > In addition, cf.html does not need to have the mechanisms (CGI etc.). > The code below "?" is disregarded. cf.html is only displayed. > However, an attack becomes possible in order for "?" or subsequent ones > to remain in "Referer" as it is. > By changing the code embedded by the same method, it becomes possible to > execute arbitrary codes. > > > >> Solution > > The patch corresponding to this problem is distributed at Macromedia. > A patch can come to hand by Following URL. > URL of http://www.macromedia.com/devnet/security/security_zone/mpsb03-06. > html > Moreover, you should not use an error page which displays the contents > transmitted from a client machine as it is irrespective of the existence > of patch application. > Although it may be necessity at the debugging time, it is dangerous with > real operation environment. > > T.Hara , Scan Security Wire http://www.scan-web.com/ . > http://www.scan-web.com/jvi/index.cgi > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
