This same vulnerability seems to be partially evident for CFServer(at least
version 4.5).
Using the following code:
default.cfm
-----------
<html>
<head>
<title>CFML Cross-site Scripting Vulnerability Testing</title>
<script language="javascript" src="extra.js"></script>
</head>
</html>
extra.js
---------
/* does nothing */
function foo() {
var bar="foo";
return bar;
}
if you do a reqest in your browser for
http://domain/default.cfm/<script>alert(document.domain)
You can see that the JS is at least paritally interpreted because it shows
up in the IE errors. If viewed in netscape, you see that there is a syntax
error with the first tag(in this case <html>).
IE Error:
Line: 4
Char: 1
Error: Syntax Error
Code: 0
URL: http://domain/default.cfm/<script>alert(document.domain)
NS 4.7 Error:
JavaScript Error:
http://domain/default.cfm/extra.js,
line 3:
syntax error.
<html>
^
Quite odd results actually. It only seems to work when you call out for an
external javascript file.
Justin Cook
Work: [EMAIL PROTECTED]
Home: [EMAIL PROTECTED] / [EMAIL PROTECTED]
