<<< Date Index >>>     <<< Thread Index >>>

yet more XSS in older versions of ColdFusion



This only affects ColdFusion versions 5 and below. It does not affect CFMX. 
This is similar to previously reported XSS issues with CF, but not identical to 
any that I have seen reported.

Cold Fusion has a "feature" that allows a developer to add validation to HTML 
forms by using specially named form fields. For example:

  <form method="POST" action="x.cfm">
     <input name="foo">
     <input type="hidden" name="foo_required" value="You must enter something">
     ....
  </form>

Notice the magic "_required" tacked onto the end of that second input. If the 
form is submitted with the "foo" parameter missing or empty, then the value of 
foo_required ("You must enter something") will be displayed back to the user. 

Note that this is an automatic feature of the server; it does not involve any 
code being written in "x.cfm" to do any validation. This only happens with POST 
requests, not GET.

The error messages displayed are vulnerable to XSS. Any HTML or javascript 
provided will be echoed directly back to the client, as-is.

Any website can create a form that points to the target website, and embeds 
harmful script, and then use some method to get legitimate users to submit the 
form.

ColdFusion allows a custom template to be provided  by the developer for these 
types of errors. For instance:

 <cferror type="validation" template="myErrorTemplate.cfm">

Unfortunately, the error handler template cannot contain any CFML code that 
could be used to sanitize the error messages. It can only contain static HTML, 
presumably for branding purposes, and a very basic subset of CFML variables for 
telling the engine where in the HTML to display the error messages.

The workaround is to create an error template that does not attempt to display 
the client-supplied error messages in any way, but truly contains only static 
HTML.

This effectively renders the validation "feature" of ColdFusion useless, but it 
is of questionable value anyway.