ColdFusion MX Cross Site Scripting vulnerability

From: Ory Segal (ORY.SEGAL@SANCTUMINC.COM)
Date: 06/18/02


From: Ory Segal <ORY.SEGAL@SANCTUMINC.COM>
To: "'WebAppSec (E-mail)'" <webappsec@securityfocus.com>, "'BugTraq (E-mail)'" <BUGTRAQ@SECURITYFOCUS.COM>, "'Penetration Testing (E-mail)'" <PEN-TEST@SECURITYFOCUS.COM>
Date: Tue, 18 Jun 2002 10:15:39 -0700



==> Macromedia ColdFusion MX Cross site scripting vulnerability <==

=> Author: Ory Segal, Sanctum Inc.

=> Release date: 18/06/2002 (vendor was notified at: 03/06/2002)

=> Vendor: Macromedia ( http://www.macromedia.com )

=> Product:
        - Macromedia ColdFusion MX (ColdFusion Server version: 6.0.0.46617)
        - Notes:
                 [1] The vulnerabilities were tested on the evaluation version.
                 [2] The ColdFusion server was tested on Win2K (SP2) + IIS/5.0

=> Severity: High

=> CVE candidate: Not assigned

=> Summary:
        A "Cross Site Scripting" vulnerability exists when requesting a
        non-existent ".cfm" file.

=> Description:
        Macromedia's ColdFusion MX comes with a default 404 error page.
        This 404 error page displays the path of the requested file and
        does not filter it for hazardous characters, which might be used
        for a cross site scripting attack.
        For example, the following request will pop up a message containing
        the current session cookies:

        http://CF_MX_SERVER/<script>alert(document.cookie)</script>.cfm

=> Solution: Patch available from the vendor's web site at:
             http://www.macromedia.com/v1/handlers/index.cfm?ID=23047

=> Workaround:
        Change the default 404 error page associated with .cfm files to
        your own customized 404 error page.
                                
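
The workaround above depends on the custom 404 page encoding the requested path before displaying it. The following is an added example, not part of the original advisory and not Macromedia's code: a minimal Python WSGI 404 handler showing the unfiltered pattern beside an HTML-encoded one. The function names and the sample path (modelled on the advisory's example request) are assumptions made for illustration.

```python
import html
from wsgiref.util import setup_testing_defaults

PAGE = "<html><body><h1>404 Not Found</h1><p>File not found: %s</p></body></html>"

# Constructed sample input, modelled on the request shown in the advisory.
SAMPLE_PATH = "/<script>alert(document.cookie)</script>.cfm"


def render_404_unsafe(path):
    # Pattern described in the advisory: the requested path is copied into
    # the error page verbatim, so markup in the path becomes part of the page.
    return PAGE % path


def render_404_safe(path):
    # Encode &, <, >, " and ' so the browser renders the path as text.
    return PAGE % html.escape(path, quote=True)


def app(environ, start_response):
    # Custom 404 handler (hypothetical): every request is treated as a
    # missing file and answered with the encoded error page.
    body = render_404_safe(environ.get("PATH_INFO", "")).encode("utf-8")
    start_response("404 Not Found", [
        ("Content-Type", "text/html; charset=utf-8"),  # explicit charset
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def request(path):
    # Drive the handler with a constructed WSGI environment (no network).
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    print(request(SAMPLE_PATH)[2])
```

A custom 404 page that does not display the requested path at all avoids the problem entirely; encoding is needed only when the path must be shown.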