ID CVE-2007-0817Type cveReporter cve@mitre.orgModified 2018-10-16T16:34:00
Description
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page.
{"id": "CVE-2007-0817", "bulletinFamily": "NVD", "title": "CVE-2007-0817", "description": "Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page.", "published": "2007-02-07T11:28:00", "modified": "2018-10-16T16:34:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0817", "reporter": "cve@mitre.org", "references": ["http://www.securitytracker.com/id?1017645", "http://www.securityfocus.com/archive/1/459178/100/0/threaded", "http://www.adobe.com/support/security/bulletins/apsb07-04.html", "http://secunia.com/advisories/24115", "http://osvdb.org/32120", "http://www.vupen.com/english/advisories/2007/0593", "http://www.securityfocus.com/bid/22401"], "cvelist": ["CVE-2007-0817"], "type": "cve", "lastseen": "2019-05-29T18:08:58", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "77cfba0918fffe661a43742bbe81abdd"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "91816da8443dad30addfe5d1cd33c3da"}, {"key": "cpe23", "hash": "c7e37a981088744aa80e3c18827aafd3"}, {"key": "cvelist", "hash": "44cecfaffc1d2cbcade57e1a7fe5f012"}, {"key": "cvss", "hash": "f74a1c24e49a5ecb0eefb5e51d4caa14"}, {"key": "cvss2", "hash": "25131d66a9f3961140b068f4b41aa42b"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "78a7a5cbaf09985c14389298e454e7db"}, {"key": "description", "hash": "bca7c6a171c8afc0d2f0cab2b2a93801"}, {"key": "href", "hash": "49232abc6c194796609220a252e224c2"}, {"key": "modified", "hash": "9c034ae34eadcc94eb1a628b8ead9fd5"}, {"key": "published", "hash": "c31cbfbf189fe132b62ad9e2aa8754d7"}, {"key": "references", "hash": "76bc670359b3386658290ccc94ffd871"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "c15e9492e1c749f479262336634f7abc"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "1d825c48747f9686839381ee8a7b07325cd843697289117d1eb2d9dce2701cc9", "viewCount": 1, "enchantments": {"score": {"value": 4.5, "vector": "NONE", "modified": "2019-05-29T18:08:58"}, "dependencies": {"references": [{"type": "jvn", "idList": ["JVN:48566866"]}, {"type": "nessus", "idList": ["COLDFUSION_XSS_ERROR_PROCESSING_REQUEST.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:29567"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7185"]}, {"type": "osvdb", "idList": ["OSVDB:32120"]}], "modified": "2019-05-29T18:08:58"}, "vulnersScore": 4.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:adobe:coldfusion:6.1", "cpe:/a:adobe:coldfusion:7.0.1", "cpe:/a:adobe:coldfusion:7.0.2"], "affectedSoftware": [{"name": "adobe coldfusion", "operator": "eq", "version": "6.1"}, {"name": "adobe coldfusion", "operator": "eq", "version": "7.0.2"}, {"name": "adobe coldfusion", "operator": "eq", "version": "7.0.1"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:adobe:coldfusion:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:7.0.2:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"]}
{"jvn": [{"lastseen": "2019-05-29T17:21:32", "bulletinFamily": "info", "description": "\n ## Description\n\n ## Impact\n\nAn arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking. \n\n ## Solution\n\n ## Products Affected\n\n * ColdFusion MX 6.X\n * ColdFusion MX 7.X\nFor more information, refer to the vendor's website. \n", "modified": "2008-05-21T00:00:00", "published": "2007-02-14T00:00:00", "id": "JVN:48566866", "href": "http://jvn.jp/en/jp/JVN48566866/index.html", "title": "JVN#48566866 ColdFusion error page cross-site scripting vulnerability", "type": "jvn", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2019-02-21T01:09:42", "bulletinFamily": "scanner", "description": "The version of Adobe ColdFusion running on the remote host fails to properly sanitize user-supplied input to the User-Agent header before using it to generate dynamic content in an error page. A remote, unauthenticated attacker can exploit this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.", "modified": "2018-11-15T00:00:00", "id": "COLDFUSION_XSS_ERROR_PROCESSING_REQUEST.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=24278", "published": "2007-02-06T00:00:00", "title": "ColdFusion Web Server User-Agent HTTP Header Error Message XSS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24278);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2007-0817\");\n script_bugtraq_id(22401);\n script_xref(name:\"EDB-ID\", value:\"29567\");\n\n script_name(english:\"ColdFusion Web Server User-Agent HTTP Header Error Message XSS\");\n script_summary(english:\"Checks for an XSS flaw in ColdFusion.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote web server is affected by a\ncross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe ColdFusion running on the remote host fails to\nproperly sanitize user-supplied input to the User-Agent header before\nusing it to generate dynamic content in an error page. A remote,\nunauthenticated attacker can exploit this issue to inject arbitrary\nHTML or script code into a user's browser to be executed within the\nsecurity context of the affected site.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/459178/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/bulletins/apsb07-04.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch as described in the vendor advisory above.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/02/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:adobe:coldfusion\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"coldfusion_detect.nasl\");\n script_require_keys(\"installed_sw/ColdFusion\");\n script_require_ports(\"Services/www\", 80, 8500);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"install_func.inc\");\n\napp = 'ColdFusion';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\ninstall_url = build_url(port:port, qs:dir);\n\n# Send a request to exploit the flaw.\nxss = \"<script>alert(\"+SCRIPT_NAME -\".nasl\"+\"-\"+unixtime()+\")</script>\";\nurl = \"/CFIDE/administrator/nessus-\" + unixtime()+\".cfm\";\nr = http_send_recv3(method:\"GET\", item:dir+url, port:port, exit_on_fail: TRUE,\n add_headers: make_array(\"User-Agent\", xss));\nres = r[2];\n\n# There's a problem if our exploit appears as the user agent.\nbrowser = strstr(res, \">Browser </\");\nif (browser)\n{\n browser = browser - strstr(browser, \"</tr>\");\n browser = strstr(browser, \"<td>\");\n browser = browser - strstr(browser, \"</td>\");\n # nb: browser includes some extra markup.\n if (\">\"+ xss >< browser)\n {\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n xss : TRUE, # XSS KB key\n request : make_list(http_last_sent_request()),\n output : chomp(browser)\n );\n exit(0);\n }\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T10:36:37", "bulletinFamily": "exploit", "description": "Adobe ColdFusion 6/7 User_Agent Error Page Cross-Site Scripting Vulnerability. CVE-2007-0817. Webapps exploit for cfm platform", "modified": "2007-02-05T00:00:00", "published": "2007-02-05T00:00:00", "id": "EDB-ID:29567", "href": "https://www.exploit-db.com/exploits/29567/", "type": "exploitdb", "title": "Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/22401/info\r\n\r\nAdobe ColdFusion is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.\r\n\r\nAn attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. \r\n\r\nhttp://www.example.com/&USER_AGENT=%3Cscript%3Ealert(String.fromCharCode(120,115,115))%3C/s> cript%3E&HTTP_REFERER=http://www.google.com/ ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/29567/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "description": "## Manual Testing Notes\nGET /CFIDE/administrator/btins.cfm HTTP/1.1\nAccept: */*\nAccept-Language: en-us\nUA-CPU: x86\nAccept-Encoding: gzip, deflate\nUser-Agent: </td><script>alert('BTINS-XSS')</script>\nHost: 161.38.228.10\nProxy-Connection: Keep-Alive\nPragma: no-cache\nCookie: CFID=4023; CFTOKEN=82420413; JSESSIONID=683089a6c0e0$D91$E9$\n## References:\n[Vendor Specific Advisory URL](http://www.adobe.com/support/security/bulletins/apsb07-04.html)\nSecurity Tracker: 1017645\n[Secunia Advisory ID:24115](https://secuniaresearch.flexerasoftware.com/advisories/24115/)\n[Related OSVDB ID: 32121](https://vulners.com/osvdb/OSVDB:32121)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0044.html\nFrSIRT Advisory: ADV-2007-0593\n[CVE-2007-0817](https://vulners.com/cve/CVE-2007-0817)\nBugtraq ID: 22401\n", "modified": "2007-02-04T04:19:09", "published": "2007-02-04T04:19:09", "href": "https://vulners.com/osvdb/OSVDB:32120", "id": "OSVDB:32120", "title": "ColdFusion Web Server User-Agent HTTP Header Error Message XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "description": "User-Agent field from HTTP request is used unfiltered in error message text. It's possible to manipulate client's User-Agent field through Flash.", "modified": "2007-02-05T00:00:00", "published": "2007-02-05T00:00:00", "id": "SECURITYVULNS:VULN:7185", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7185", "title": "ColdFusion crossite scripting", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
