ColdFusion Referer HTTP Header Field XSS

2003-09-22T10:01:16
ID OSVDB:35997
Type osvdb
Reporter OSVDB
Modified 2003-09-22T10:01:16

Description

Vulnerability Description

ColdFusion contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the server does not validate (or encode) the HTTP Referer header of requests submitted to it before reflecting it in its output. This could allow an attacker to create a specially crafted request that executes arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Technical Description

This vulnerability is only present when the "Robust Exception Information" and/or "Debugging" options are enabled, since it is the error and debug output produced under those settings that echoes request details, including the unencoded Referer header, back into the page.

Solution Description

Adobe / Macromedia has released a patch that addresses this issue. Alternatively, the flaw can be mitigated with the following workaround: turn off the "Robust Exception Information" and "Debugging" options in the ColdFusion Administrator.

Manual Testing Notes

GET /some/arbitrary.cfm HTTP/1.0
Accept: */*
Accept-Language: en-us
Cookie: CFGLOBALS=HITCOUNT%3D12%23LASTVISIT%3D%7Bts+%272007%2D07%2D13+04%3A58%3A58%27%7D%23TIMECREATED%3D%7Bts+%272007%2D07%2D13+04%3A36%3A45%27%7D%23; CFID=819893; CFTOKEN=24953302
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: 127.0.0.1
Referer: <script>alert('BTINS-Referer-XSS')</script>
Proxy-Connection: Keep-Alive
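A defender who has disabled the debug options, or is waiting on the patch, will still want to know whether requests like the one above are arriving. The script below is an added example and is not part of the OSVDB record or of any ColdFusion code: it scans web server access logs in Apache "combined" format (where the Referer header is the second-to-last quoted field), URL-decodes each Referer value (twice, to catch double-encoding), and flags values that contain HTML or script markup or that are not an absolute URL at all, which a legitimate Referer always is. The log lines are constructed sample data modelled on the request shown in the testing notes; the regular expressions and reason labels are this example's own choices.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
# Line 2 carries the Referer value from the manual testing notes, line 3 a
# URL-encoded variant, line 4 a request with no Referer ("-").
SAMPLE_LOG = """\
127.0.0.1 - - [13/Jul/2007:04:58:58 +0000] "GET /index.cfm HTTP/1.0" 200 512 "http://intranet.example/start.cfm" "Mozilla/4.0"
127.0.0.1 - - [13/Jul/2007:04:59:01 +0000] "GET /some/arbitrary.cfm HTTP/1.0" 500 1820 "<script>alert('BTINS-Referer-XSS')</script>" "Mozilla/4.0"
127.0.0.1 - - [13/Jul/2007:04:59:05 +0000] "GET /some/arbitrary.cfm HTTP/1.0" 500 1820 "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E" "Mozilla/4.0"
127.0.0.1 - - [13/Jul/2007:04:59:09 +0000] "GET /search.cfm?q=a<b HTTP/1.0" 200 300 "-" "Mozilla/4.0"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markup that has no business in a Referer: an HTML tag opener, a javascript:
# scheme, or an on*= event handler preceded by whitespace, a quote or a slash.
HTML_MARKERS = re.compile(
    r"<\s*/?\s*[a-z!]|javascript\s*:|(?:^|[\s\"'/])on[a-z]+\s*=", re.IGNORECASE
)
ABSOLUTE_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def decode_referer(raw: str) -> str:
    """URL-decode up to twice so single- and double-encoded payloads are both exposed."""
    decoded = raw
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_referer(raw: str) -> list[str]:
    """Return the reasons a Referer value looks like an injection attempt ([] if clean)."""
    reasons: list[str] = []
    if raw in ("", "-"):          # absent Referer is normal, not suspicious
        return reasons
    decoded = decode_referer(raw)
    if HTML_MARKERS.search(decoded):
        reasons.append("html-or-script-markup")
    if not ABSOLUTE_URL.match(decoded):
        reasons.append("not-an-absolute-url")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each log line and collect those whose Referer is flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not in combined format
        reasons = classify_referer(m["referer"])
        if reasons:
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "status": int(m["status"]),   # 500s are where debug/error output appears
                "request": m["request"],
                "referer": decode_referer(m["referer"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['request']} -> {f['status']} "
              f"Referer={f['referer']!r} ({', '.join(f['reasons'])})")
```

Only the Referer field is inspected, so the `<b` in line 4's query string is deliberately not reported here; request-line checks are a separate rule. Flagged entries with a 500 status are the ones most worth correlating with the error pages ColdFusion returned, since that is where an enabled "Robust Exception Information" option would have reflected the header.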

References:

Vendor Specific Advisory URL
Vendor Specific Advisory URL
Secunia Advisory ID: 9807
Related OSVDB ID: 2578
Related OSVDB ID: 15814