Resolving security vulnerability

2012-10-04 Thread fun and learning

Hi All,
I am using input hidden fields for some CGI variables. The security scan has 
issued an 'information leakage' threat. These variables are defined in a file and 
the file is included in various places. What is the best way to resolve this 
vulnerability?
Thanks 

Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352852
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Resolving security vulnerability

2012-10-04 Thread Rob Voyle

Hi

I created a template that checks variables against threats and then use a 
collection=#form# cfloop that tests all form variables including the hidden 
fields against the threats.

It solved that particular PCI security compliance check.

rob

 

On 4 Oct 2012 at 9:57, fun and learning wrote:

> Hi All,
> I am using input hidden fields for some CGI variables. The security
> scan has issued an 'information leakage' threat. These variables are
> defined in a file and the file is included in various places. What
> is the best way to resolve this vulnerability?
> Thanks



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352853


Re: Resolving security vulnerability

2012-10-04 Thread Russ Michaels

what information is passed around in the hidden fields, is it anything that
could be used to hijack sessions, get into users' accounts or personal
details, etc.?

On Thu, Oct 4, 2012 at 3:11 PM, Rob Voyle robvo...@voyle.com wrote:

> Hi
>
> I created a template that checks variables against threats and then use a
> collection=#form# cfloop that tests all form variables including the
> hidden fields against the threats.
>
> It solved that particular PCI security compliance check.
>
> rob
>
> On 4 Oct 2012 at 9:57, fun and learning wrote:
>
> > Hi All,
> > I am using input hidden fields for some CGI variables. The security
> > scan has issued an 'information leakage' threat. These variables are
> > defined in a file and the file is included in various places. What
> > is the best way to resolve this vulnerability?
> > Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352854


Re: Resolving security vulnerability

2012-10-04 Thread fun and learning

> what information is passed around in the hidden fields, is it anything that
> could be used to hijack sessions, get into users' accounts or personal
> details, etc.?
>
> On Thu, Oct 4, 2012 at 3:11 PM, Rob Voyle robvo...@voyle.com wrote:

It is remotehost, remoteaddress

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352855


Re: Resolving security vulnerability

2012-10-04 Thread Russ Michaels

move it into a session variable instead and that will solve that issue.

On Thu, Oct 4, 2012 at 4:05 PM, fun and learning funandlrnn...@gmail.com wrote:

> > what information is passed around in the hidden fields, is it anything
> > that could be used to hijack sessions, get into users' accounts or personal
> > details, etc.?
> >
> > On Thu, Oct 4, 2012 at 3:11 PM, Rob Voyle robvo...@voyle.com wrote:
>
> It is remotehost, remoteaddress

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352856


Re: Resolving security vulnerability

2012-10-04 Thread Pete Freitag

If you are doing something like this:

<input type="hidden" name="ip" value="#cgi.remote_addr#" />

and cgi.remote_addr is resolving to an internal IP such as 10.x.x.x or
192.168.x.x due to a proxy or load balancer, then you are disclosing the
internal IP of a computer on your network. Thus your PCI scan is saying you
are leaking that info.

In most cases the value you want is the actual remote user's IP address;
the proxy or load balancer will send that along in the X-Forwarded-For
header (which you can access as
GetHttpRequestData().headers["X-Forwarded-For"]).

If you really want to pass that info, you could also encrypt it and pass
that value, just be sure to validate and sanitize it as well.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Oct 4, 2012 at 9:57 AM, fun and learning funandlrnn...@gmail.com wrote:

> Hi All,
> I am using input hidden fields for some CGI variables. The security scan
> has issued an 'information leakage' threat. These variables are defined in a
> file and the file is included in various places. What is the best way to
> resolve this vulnerability?
> Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352857
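Pete's point above (the hidden field leaks cgi.remote_addr when that is the proxy's internal address, so prefer a validated X-Forwarded-For value and never emit a private address) as an added Python example; this is not code from the thread or from ColdFusion, and the one-trusted-proxy layout and the sample addresses are assumptions.

```python
import ipaddress
from typing import List, Optional


def is_internal(addr: str) -> bool:
    """True when addr must not be echoed into a page: RFC 1918 space
    (10/8, 172.16/12, 192.168/16), loopback, link-local, other reserved
    ranges, or anything that is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return True  # unparseable input is treated as unsafe, never as public
    return not ip.is_global


def forwarded_chain(x_forwarded_for: Optional[str]) -> List[str]:
    """Split 'client, proxy1, proxy2' into validated, canonical addresses.
    The header is client-controllable, so entries that do not parse as an
    IP are dropped rather than trusted."""
    hops: List[str] = []
    for part in (x_forwarded_for or "").split(","):
        try:
            hops.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            continue
    return hops


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """The address to treat as the user's IP. With exactly one trusted
    proxy in front of the app (assumption), the rightmost valid entry is
    the one that proxy appended; with no usable header, fall back to the
    TCP peer (cgi.remote_addr in ColdFusion terms)."""
    hops = forwarded_chain(x_forwarded_for)
    return hops[-1] if hops else remote_addr


def hidden_field_value(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Value safe to put in the hidden field: the public client IP, or ''
    when only an internal address is known, so nothing internal leaks."""
    ip = client_ip(remote_addr, x_forwarded_for)
    return "" if is_internal(ip) else ip


if __name__ == "__main__":
    # Constructed sample requests: the app sits behind a load balancer that
    # connects from 10.0.0.5 and forwards the public client address.
    print(repr(hidden_field_value("10.0.0.5", None)))              # '' (10.0.0.5 would leak)
    print(hidden_field_value("10.0.0.5", "8.8.8.8"))               # 8.8.8.8
    print(hidden_field_value("10.0.0.5", "not-an-ip, 8.8.8.8"))    # 8.8.8.8 (junk dropped)
```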