RE: cgi.host_name Security Exploit

2011-05-21 Thread Bobby Hartsfield

> Actually, I've seen that number work on sites even in 'production' mode as
> well.

Indeed.


.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com



-Original Message-
From: Raymond Camden [mailto:rcam...@gmail.com] 
Sent: Thursday, May 19, 2011 12:10 PM
To: cf-talk
Subject: Re: cgi.host_name Security Exploit


What about an ecommerce system that hits the test ecom system when in
dev mode? If I knew your code did that, or suspected, I'd try it and
use one of the many common test CC numbers, like 4111.
Actually, I've seen that number work on sites even in 'production'
mode as well.


On Sat, May 14, 2011 at 4:51 AM, Russ Michaels  wrote:
>
> although I can't really think how spoofing the host_name would do any harm.
> In any of my apps all it does is determine whether to use live or dev
> settings which would only cause an error if the host name was wrong.
>
> On Fri, May 13, 2011 at 10:10 PM, Jason Durham  wrote:
>
>>
>> Dave pretty much summed it up.  Anybody who knows what a HOSTS file is,
>> knows how to mask the server_name. :)
>>
>> Jason Durham
>>
>>
>> On Fri, May 13, 2011 at 2:28 PM, Dave Watts  wrote:
>>
>> >
>> > > I have recently discovered a security flaw that I have reported to the
>> > > Adobe team regarding the use of the variable cgi.host_name.
>> > >
>> > > As you know, the cgi.host_name is typically the hostname of the server or
>> > > the website's domain name. I've discovered an exploit that allows a user to
>> > > basically change this variable to anything they want for the user's current
>> > > session. This exploit could be spread across sessions in instances where a
>> > > website is caching absolute links using the cgi.host_name variable. It could
>> > > also be used to take advantage of applications that assume the cgi.host_name
>> > > variable is a constant, therefore developed applications don't take
>> > > precautions to sanitize this variable before inserting it into a database
>> > > could have issues.
>> >
>> > While it's a good thing you're telling people about this, I'm not sure
>> > I'd categorize it as a security flaw with CF, or even a security flaw
>> > in general.
>> >
>> > CF doesn't have anything to do with creating or validating many of the
>> > CGI variables. They're provided by the browser's HTTP request headers,
>> > or by the web server. CF just uses what it's given. Of course, those
>> > values are inherently untrustworthy and should always be sanitized.
>> >
>> > Dave Watts, CTO, Fig Leaf Software
>> > http://www.figleaf.com/
>> > http://training.figleaf.com/
>> >
>> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
>> > GSA Schedule, and provides the highest caliber vendor-authorized
>> > instruction at our training centers, online, or onsite
>> >
>> >
>>
>>
>
>



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344804
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: cgi.host_name Security Exploit

2011-05-19 Thread Sean Corfield

Agreed. Using CGI.HOST_NAME for dev/test/live switching opens you up
to all sorts of abuse.

Here's what I switch on:

createObject( 'java', 'java.net.InetAddress' ).getLocalHost().getHostName()

I have a configuration file that maps from all the known (partial)
hostname matches to different tiers. This allows each developer to
configure their environment how they want it (for example, enabling or
disabling debugging) while still using a single codebase. It also
makes it easy to configure our pre-production environment to use the
same setup (for e-commerce) as our production environment, while our
CI and dev/test envs all use sandbox credentials.

This was, until recently, an environment control interceptor in
ColdBox. We've just moved it to Clojure now so we can automatically
configure all our Clojure / Scala / CFML code the same way...

Sean

On Thu, May 19, 2011 at 9:09 AM, Raymond Camden  wrote:
> What about an ecommerce system that hits the test ecom system when in
> dev mode? If I knew your code did that, or suspected, I'd try it and
> use one of the many common test CC numbers, like 4111.
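The switch Sean describes, written out as an added CFML example (this is not his ColdBox interceptor or the Clojure version he mentions): the tier is chosen from the JVM's view of the local machine name, and a map of partial hostname matches selects the settings. The names tierMap, settings, resolveTier and serverHostName, the hostname fragments and the tier names are all assumptions made for the example.

```cfml
<cfscript>
// Added example; not Sean's interceptor, not ColdBox or Clojure code from
// this thread. The names tierMap, resolveTier, serverHostName and settings
// are assumptions, as are the sample hostname fragments and tier names.

// The machine's own name as the JVM sees it. Nothing here comes from the
// request, so a client's Host header (which is what CGI.HOST_NAME reflects)
// cannot influence the result.
function serverHostName() {
    return createObject( "java", "java.net.InetAddress" ).getLocalHost().getHostName();
}

// Ordered list of (partial) hostname matches to tiers: the first match wins,
// so the more specific fragments go first. Constructed sample configuration.
tierMap = [
    { match = "-ci-",    tier = "ci" },
    { match = "preprod", tier = "preprod" },
    { match = "dev",     tier = "dev" },
    { match = "web",     tier = "prod" }
];

// Per-tier settings. Only "preprod" and "prod" talk to the live payment
// gateway; every other tier gets sandbox credentials.
settings = {
    ci      = { paymentGateway = "sandbox", debug = true },
    dev     = { paymentGateway = "sandbox", debug = true },
    preprod = { paymentGateway = "live",    debug = false },
    prod    = { paymentGateway = "live",    debug = false }
};

function resolveTier( required string hostName, required array tierMap ) {
    var name = lCase( arguments.hostName );
    for ( var i = 1; i <= arrayLen( arguments.tierMap ); i++ ) {
        if ( findNoCase( arguments.tierMap[ i ].match, name ) ) {
            return arguments.tierMap[ i ].tier;
        }
    }
    // Fail closed: an unrecognised host gets no configuration at all, instead
    // of quietly falling into dev (sandbox payments on a public box) or prod
    // (live credentials on a developer's machine).
    throw( type = "UnknownEnvironment",
           message = "No tier configured for host '#name#'" );
}

tier = resolveTier( serverHostName(), tierMap );
application.settings = settings[ tier ];
</cfscript>
```

Two design points worth keeping: substring matches are forgiving, so a name like "webdev01" must hit the "dev" entry before the "web" one, which is why the list is ordered; and a host that matches nothing throws rather than defaulting to either tier, since both silent defaults are exactly the failure Raymond describes.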

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344716


Re: cgi.host_name Security Exploit

2011-05-19 Thread Raymond Camden

What about an ecommerce system that hits the test ecom system when in
dev mode? If I knew your code did that, or suspected, I'd try it and
use one of the many common test CC numbers, like 4111.
Actually, I've seen that number work on sites even in 'production'
mode as well.


On Sat, May 14, 2011 at 4:51 AM, Russ Michaels  wrote:
>
> although I can't really think how spoofing the host_name would do any harm.
> In any of my apps all it does is determine whether to use live or dev
> settings which would only cause an error if the host name was wrong.
>
> On Fri, May 13, 2011 at 10:10 PM, Jason Durham  wrote:
>
>>
>> Dave pretty much summed it up.  Anybody who knows what a HOSTS file is,
>> knows how to mask the server_name. :)
>>
>> Jason Durham
>>
>>
>> On Fri, May 13, 2011 at 2:28 PM, Dave Watts  wrote:
>>
>> >
>> > > I have recently discovered a security flaw that I have reported to the
>> > > Adobe team regarding the use of the variable cgi.host_name.
>> > >
>> > > As you know, the cgi.host_name is typically the hostname of the server or
>> > > the website's domain name. I've discovered an exploit that allows a user to
>> > > basically change this variable to anything they want for the user's current
>> > > session. This exploit could be spread across sessions in instances where a
>> > > website is caching absolute links using the cgi.host_name variable. It could
>> > > also be used to take advantage of applications that assume the cgi.host_name
>> > > variable is a constant, therefore developed applications don't take
>> > > precautions to sanitize this variable before inserting it into a database
>> > > could have issues.
>> >
>> > While it's a good thing you're telling people about this, I'm not sure
>> > I'd categorize it as a security flaw with CF, or even a security flaw
>> > in general.
>> >
>> > CF doesn't have anything to do with creating or validating many of the
>> > CGI variables. They're provided by the browser's HTTP request headers,
>> > or by the web server. CF just uses what it's given. Of course, those
>> > values are inherently untrustworthy and should always be sanitized.
>> >
>> > Dave Watts, CTO, Fig Leaf Software
>> > http://www.figleaf.com/
>> > http://training.figleaf.com/
>> >
>> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
>> > GSA Schedule, and provides the highest caliber vendor-authorized
>> > instruction at our training centers, online, or onsite
>> >
>> >
>>
>>
>
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344700


Re: cgi.host_name Security Exploit

2011-05-14 Thread Russ Michaels

although I can't really think how spoofing the host_name would do any harm.
In any of my apps all it does is determine whether to use live or dev
settings which would only cause an error if the host name was wrong.

On Fri, May 13, 2011 at 10:10 PM, Jason Durham  wrote:

>
> Dave pretty much summed it up.  Anybody who knows what a HOSTS file is,
> knows how to mask the server_name. :)
>
> Jason Durham
>
>
> On Fri, May 13, 2011 at 2:28 PM, Dave Watts  wrote:
>
> >
> > > I have recently discovered a security flaw that I have reported to the
> > > Adobe team regarding the use of the variable cgi.host_name.
> > >
> > > As you know, the cgi.host_name is typically the hostname of the server or
> > > the website's domain name. I've discovered an exploit that allows a user to
> > > basically change this variable to anything they want for the user's current
> > > session. This exploit could be spread across sessions in instances where a
> > > website is caching absolute links using the cgi.host_name variable. It could
> > > also be used to take advantage of applications that assume the cgi.host_name
> > > variable is a constant, therefore developed applications don't take
> > > precautions to sanitize this variable before inserting it into a database
> > > could have issues.
> >
> > While it's a good thing you're telling people about this, I'm not sure
> > I'd categorize it as a security flaw with CF, or even a security flaw
> > in general.
> >
> > CF doesn't have anything to do with creating or validating many of the
> > CGI variables. They're provided by the browser's HTTP request headers,
> > or by the web server. CF just uses what it's given. Of course, those
> > values are inherently untrustworthy and should always be sanitized.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite
> >
> >
>
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344512


Re: cgi.host_name Security Exploit

2011-05-13 Thread Jason Durham

Dave pretty much summed it up.  Anybody who knows what a HOSTS file is,
knows how to mask the server_name. :)

Jason Durham


On Fri, May 13, 2011 at 2:28 PM, Dave Watts  wrote:

>
> > I have recently discovered a security flaw that I have reported to the
> > Adobe team regarding the use of the variable cgi.host_name.
> >
> > As you know, the cgi.host_name is typically the hostname of the server or
> > the website's domain name. I've discovered an exploit that allows a user to
> > basically change this variable to anything they want for the user's current
> > session. This exploit could be spread across sessions in instances where a
> > website is caching absolute links using the cgi.host_name variable. It could
> > also be used to take advantage of applications that assume the cgi.host_name
> > variable is a constant, therefore developed applications don't take
> > precautions to sanitize this variable before inserting it into a database
> > could have issues.
>
> While it's a good thing you're telling people about this, I'm not sure
> I'd categorize it as a security flaw with CF, or even a security flaw
> in general.
>
> CF doesn't have anything to do with creating or validating many of the
> CGI variables. They're provided by the browser's HTTP request headers,
> or by the web server. CF just uses what it's given. Of course, those
> values are inherently untrustworthy and should always be sanitized.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite
>
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344506


Re: cgi.host_name Security Exploit

2011-05-13 Thread Dave Watts

> I have recently discovered a security flaw that I have reported to the Adobe
> team regarding the use of the variable cgi.host_name.
>
> As you know, the cgi.host_name is typically the hostname of the server or
> the website's domain name. I've discovered an exploit that allows a user to
> basically change this variable to anything they want for the user's current
> session. This exploit could be spread across sessions in instances where a
> website is caching absolute links using the cgi.host_name variable. It could
> also be used to take advantage of applications that assume the cgi.host_name
> variable is a constant, therefore developed applications don't take
> precautions to sanitize this variable before inserting it into a database
> could have issues.

While it's a good thing you're telling people about this, I'm not sure
I'd categorize it as a security flaw with CF, or even a security flaw
in general.

CF doesn't have anything to do with creating or validating many of the
CGI variables. They're provided by the browser's HTTP request headers,
or by the web server. CF just uses what it's given. Of course, those
values are inherently untrustworthy and should always be sanitized.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344504


cgi.host_name Security Exploit

2011-05-13 Thread Paul Alkema

Greetings and Salutations My Fellow Programmers!

I have recently discovered a security flaw that I have reported to the Adobe
team regarding the use of the variable cgi.host_name.

As you know, the cgi.host_name is typically the hostname of the server or
the website's domain name. I've discovered an exploit that allows a user to
basically change this variable to anything they want for the user's current
session. This exploit could be spread across sessions in instances where a
website is caching absolute links using the cgi.host_name variable. It could
also be used to take advantage of applications that assume the cgi.host_name
variable is a constant, therefore developed applications don't take
precautions to sanitize this variable before inserting it into a database
could have issues.

Just wanted to give the community a heads up on this. :)

Regards,

Paul Alkema

http://paulalkema.com/
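The cached-absolute-link case Paul describes, and the sanitizing Dave asks for, shown side by side as an added CFML example (not code from Paul's report or from anyone in this thread). The names canonicalHost, allowedHosts, absoluteLinkUnsafe, absoluteLink and requestHost, and the example.com host values, are assumptions constructed for the example.

```cfml
<cfscript>
// Added example; not code from Paul's report or from anyone in this thread.
// The names canonicalHost, allowedHosts, absoluteLinkUnsafe, absoluteLink
// and requestHost are assumptions, and the host values are constructed.

// Set once per deployment (from the same tier configuration a site switches
// on); nothing here is read from the request.
canonicalHost = "www.example.com";
allowedHosts  = [ "www.example.com", "example.com" ];

// The pattern the report describes: the link base is taken from
// CGI.HOST_NAME, i.e. from the Host header the client sent, and cached in
// application scope. One request carrying a client-chosen Host value then
// decides the links every later visitor receives until the cache is cleared.
function absoluteLinkUnsafe( required string path ) {
    if ( !structKeyExists( application, "linkBase" ) ) {
        application.linkBase = "http://#CGI.HOST_NAME#";
    }
    return application.linkBase & arguments.path;
}

// Hardened form: the host part is configuration, so a spoofed header never
// reaches the cache, the database or the rendered page.
function absoluteLink( required string path ) {
    return "http://#canonicalHost#" & arguments.path;
}

// Where the request's host is genuinely needed (one codebase serving several
// domains), accept it only if it is exactly one of the configured names and
// refuse anything else, rather than trying to clean it up.
function requestHost() {
    var host = lCase( listFirst( CGI.HOST_NAME, ":" ) );  // drop any :port
    if ( arrayFindNoCase( allowedHosts, host ) ) {
        return host;
    }
    throw( type = "BadHost",
           message = "Host header is not one of the configured names" );
}

// Usage: writeOutput( absoluteLink( "/checkout.cfm" ) );
</cfscript>
```

The allowlist check is the practical form of "sanitize": an exact match against names you configured, so the value that reaches a cache or a database column is always one you already know, whatever the request carried.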



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344500