> I have recently discovered a security flaw that I have reported to the Adobe
> team regarding the use of the variable cgi.host_name.
>
> As you know, the cgi.host_name is typically the hostname of the server or
> the website's domain name. I've discovered an exploit that allows a user to
> basically change this variable to anything they want for the user's current
> session. This exploit could be spread across sessions in instances where a
> website is caching absolute links using the cgi.host_name variable. It could
> also be used to take advantage of applications that assume the cgi.host_name
> variable is a constant; applications that therefore don't take precautions
> to sanitize this variable before inserting it into a database could have
> issues.

While it's a good thing you're telling people about this, I'm not sure
I'd categorize it as a security flaw with CF, or even a security flaw
in general.

CF doesn't have anything to do with creating or validating many of the
CGI variables. They're provided by the browser's HTTP request headers,
or by the web server. CF just uses what it's given. Of course, those
values are inherently untrustworthy and should always be sanitized.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite
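To make the point above concrete, here is an added example (not code from either poster, and not ColdFusion's own implementation) written in Python rather than CFML. It shows where a value like CGI.host_name actually comes from: the Host request header, which the client controls. The first function pulls Host out of a raw request the way a web server or CF engine would; naive_absolute_link() is the pattern the original post warns about, where an absolute URL built from that value gets stored in a shared cache and so "spreads across sessions"; validated_host() is the check to do instead, namely normalise the value and require it to match an allow-list of hostnames the site actually answers to. The requests, the hostnames and ALLOWED_HOSTS are all constructed for the example.

```python
"""Added example: Host-header-derived values (CGI.host_name) are untrusted
input and must be checked against an allow-list before being used to build
absolute links or stored anywhere shared. Not part of the original message."""
from urllib.parse import urlunsplit

# Constructed sample requests (hypothetical, not captured from a real server).
LEGIT_REQUEST = b"GET /products HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SPOOFED_REQUEST = b"GET /products HTTP/1.1\r\nHost: attacker.example.net\r\n\r\n"

# Hostnames this site legitimately serves (an assumption for the example).
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def host_from_request(raw: bytes) -> str:
    """Return the Host header value from a raw HTTP/1.1 request.

    This is essentially what ends up in CGI.host_name: whatever the client
    sent, with no validation by the engine."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return ""


def naive_absolute_link(host: str, path: str) -> str:
    """Vulnerable pattern: trusts the Host-derived value verbatim."""
    return urlunsplit(("https", host, path, "", ""))


def validated_host(host: str, allowed=ALLOWED_HOSTS) -> str:
    """Hardened: strip any port, normalise case and trailing dot, then
    require the hostname to be on the allow-list. Raises ValueError otherwise."""
    value = host.strip()
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:80
        hostname = value[1:value.index("]")] if "]" in value else value
    else:
        hostname = value.split(":", 1)[0]
    hostname = hostname.lower().rstrip(".")
    if hostname not in allowed:
        raise ValueError(f"untrusted Host header: {host!r}")
    return hostname


def is_trusted_host(host: str) -> bool:
    """Boolean wrapper around validated_host() for callers that just branch."""
    try:
        validated_host(host)
        return True
    except ValueError:
        return False


def safe_absolute_link(host: str, path: str) -> str:
    """Builds the link only from an allow-listed hostname."""
    return urlunsplit(("https", validated_host(host), path, "", ""))


def poisoned_cache_demo() -> dict:
    """Simulates a link cache shared across sessions: an attacker's request
    arrives first, its Host value is baked into the cached absolute link, and
    every later visitor is served that link."""
    cache: dict = {}
    for raw in (SPOOFED_REQUEST, LEGIT_REQUEST):
        host = host_from_request(raw)
        cache.setdefault("/products", naive_absolute_link(host, "/products"))
    return cache


if __name__ == "__main__":
    print("cached link (naive):", poisoned_cache_demo()["/products"])
    print("safe link:", safe_absolute_link("www.example.com:443", "/products"))
    print("spoofed host trusted?", is_trusted_host("attacker.example.net"))
```

The allow-list is the important part: comparing against a configured set of hostnames is a check the application owns, whereas anything derived from the request (Host, X-Forwarded-Host, CGI.server_name on some setups) is the client's to choose. In a CFML application the same comparison would sit wherever CGI.host_name is read, before the value reaches a cache, a database or an outgoing link.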

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344504