If you are doing something like this:

<input type="hidden" name="ip" value="#cgi.remote_addr#" />

and cgi.remote_addr is resolving to an internal IP such as 10.x.x.x or
192.168.x.x due to a proxy or load balancer, then you are disclosing the
internal IP of a computer on your network. Thus your PCI scan is saying you
are leaking that info.

In most cases the value you want is the actual remote user's IP address;
the proxy or load balancer will send that along in the X-Forwarded-For
header (which you can access
as GetHttpRequestData().headers["X-Forwarded-For"]).

If you really want to pass that info, you could also encrypt it and pass
that value, just be sure to validate and sanitize it as well.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?




On Thu, Oct 4, 2012 at 9:57 AM, fun and learning <funandlrnn...@gmail.com> wrote:

>
> Hi All,
> I am using input hidden fields for some CGI variables. The security scan
> has issued 'information leakage' threat. These variables are defined in a
> file and the file is included in various places. What is the best way to
> resolve this vulnerability?
> Thanks
>
> 
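The advice above (take the real client address from X-Forwarded-For when a proxy is in front of the server, and never echo an internal address into the page) is easy to get subtly wrong: the header is client-controlled, so it can only be believed when the direct peer is one of your own proxies, and a request that arrives without the header still yields the proxy's internal address. The following is an added example, not code from this thread and not ColdFusion; it is plain Python that mirrors the GetHttpRequestData().headers lookup with a headers dictionary. The trusted proxy ranges, the sample addresses and the function names (parse_ip, resolve_client_ip, hidden_ip_field) are constructed for illustration.

```python
import html
import ipaddress

# Constructed for this example: the ranges your own reverse proxies and load
# balancers connect from. Only a peer in these ranges may vouch for a client
# address via X-Forwarded-For; anyone else can send the header too.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Addresses that must never appear in a rendered page (RFC 1918, loopback,
# link-local and their IPv6 counterparts). Listed explicitly rather than via
# ip.is_private, whose definition also covers documentation ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
]


def parse_ip(text):
    """Return an ip_address object, or None if text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def resolve_client_ip(remote_addr, headers):
    """Return the client's address as an ip_address object, or None.

    The header is consulted only when the direct peer is a trusted proxy.
    Each proxy appends the address it received the request from, so the chain
    is walked right to left and the first hop that is not one of our proxies
    is the client. A chain containing anything that is not an IP address is
    rejected outright rather than partially trusted.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        return None
    if not is_trusted_proxy(peer):
        return peer                      # direct connection: header is untrusted
    xff = get_header(headers, "X-Forwarded-For")
    if not xff:
        return peer                      # proxy did not forward anything
    chain = [parse_ip(part) for part in xff.split(",")]
    if any(hop is None for hop in chain):
        return None
    for hop in reversed(chain):
        if not is_trusted_proxy(hop):
            return hop
    return chain[0]                      # every hop was ours; best we have


def hidden_ip_field(remote_addr, headers):
    """Render the hidden field, or an empty string if the value would
    disclose an internal address (the finding from the original scan)."""
    ip = resolve_client_ip(remote_addr, headers)
    if ip is None or is_internal(ip):
        return ""
    return '<input type="hidden" name="ip" value="%s" />' % html.escape(str(ip), quote=True)


if __name__ == "__main__":
    # Constructed sample requests: behind a proxy with and without the header,
    # and a direct client trying to forge the header.
    samples = [
        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}),
        ("10.0.0.5", {}),
        ("203.0.113.7", {"X-Forwarded-For": "1.2.3.4"}),
    ]
    for remote_addr, headers in samples:
        print(remote_addr, headers, "->", repr(hidden_ip_field(remote_addr, headers)))
```

The second sample is exactly the situation in the question: the request came through the load balancer, so cgi.remote_addr is 10.0.0.5, and without the forwarded header there is no client address to use, so nothing is emitted rather than leaking the internal one. The third sample shows why the peer check matters: a client connecting directly cannot substitute an arbitrary address by adding the header itself.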

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352857