ScriptProtect in ColdFusion MX 7 not a catch all
ColdFusion MX 7 has a new feature that, in the words of the documentation, "lets you protect one or more variable scopes from cross site scripting (XSS) attacks". It can be turned on in the cfapplication tag using the scriptProtect attribute, or in the ColdFusion Administrator as a global setting.
<cfapplication scriptProtect="all">
The feature is a set of regular expressions located in lib/neo-security.xml that replaces the tags object, embed, script, applet, and meta with the tag name InvalidTag when they are passed as input in the Form, URL, CGI, and Cookie scopes (you can pick which of these scopes to check).
It recently came to my attention however that scriptProtect does not protect against all possible types of cross site scripting attacks, as you may have assumed.
You can for instance do an XSS attack with an iframe, so I felt that the feature gave a false sense of security, and I reported this to the Macromedia security team yesterday. I wanted to give them a chance to fix anything before I made this public. I received a response today:
We've forwarded your input to the development team and they have logged a bug that they will consider fixing for future updates of ColdFusion. At the moment, we feel that the documentation provided is sufficient to let our customers know what the scriptprotect attribute does and does not protect against.
The scriptprotect attribute is meant to supplement best-coding practices; it provides an easy way to filter out certain tag names, but is not meant to be a comprehensive solution against XSS attempts.
I didn't find that the documentation sufficiently explained what is stated in the second paragraph of that response, so I added it to the live docs. A customer would need to understand all types of cross site scripting attacks in order to deduce that the feature doesn't catch every case.
You can pretty easily add iframe to the XSS regular expression, but you still won't be safe from all possible attacks.
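To make the blocklist limitation concrete, here is an added Python illustration (my own code, not ColdFusion's and not the expression shipped in lib/neo-security.xml). It contrasts a scriptProtect-style tag blocklist with context-aware output encoding, the standard "best-coding practice" the Macromedia response alludes to. The regular expression is an assumed approximation of the blocklist idea, and the sample inputs are constructed for the demo.

```python
import html
import re

# Tag names scriptProtect renames, per the post. The expression below is my own
# approximation of the blocklist idea; it is NOT the regular expression shipped
# in lib/neo-security.xml.
BLOCKED_TAGS = ("object", "embed", "script", "applet", "meta")
_BLOCKLIST_RE = re.compile(
    r"<(\s*/?\s*)(?:" + "|".join(BLOCKED_TAGS) + r")\b", re.IGNORECASE
)


def script_protect(value: str) -> str:
    """Blocklist filter: rename each listed tag (open or close) to InvalidTag,
    leaving everything else in the input untouched."""
    return _BLOCKLIST_RE.sub(r"<\g<1>InvalidTag", value)


def encode_for_html(value: str) -> str:
    """Output encoding: escape the value where it is written into an HTML text
    node. No tag survives, so the defence does not rely on enumerating tags."""
    return html.escape(value, quote=True)


def tag_survives(rendered: str, tag: str) -> bool:
    """True if the rendered markup still contains <tag ...> as live markup."""
    pattern = r"<\s*" + re.escape(tag) + r"\b"
    return re.search(pattern, rendered, re.IGNORECASE) is not None


def evaluate(untrusted: str, tag: str) -> dict:
    """Run one input through both defences and report whether the named tag
    survives each one."""
    return {
        "blocklist": tag_survives(script_protect(untrusted), tag),
        "encoding": tag_survives(encode_for_html(untrusted), tag),
    }


# Constructed sample inputs for the demo; not taken from the original post.
SAMPLES = (
    ("<script>alert(1)</script>", "script"),   # listed tag: blocklist catches it
    ('<iframe src="http://example.invalid/"></iframe>', "iframe"),  # the gap the post describes
    ("<SCRIPT>alert(1)</SCRIPT>", "script"),   # mixed case: blocklist must ignore case
)

if __name__ == "__main__":
    for untrusted, tag in SAMPLES:
        print(tag, evaluate(untrusted, tag))
```

The iframe sample passes the blocklist untouched, which is exactly the gap described above, while encoding neutralises it without the tag appearing in any list; the only way a blocklist keeps up is by being extended every time a new tag or vector is found. One related point for the scope selection mentioned earlier: the scriptProtect attribute takes scope names (Form, URL, CGI, Cookie, or all/none), not tag names; which tags are replaced is determined by neo-security.xml.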
Tags: xss, security, scriptprotect, coldfusion 7, cfapplication
Comments
On 05/17/2005 at 5:12:43 PM EDT Dean H. Saxe wrote:
1
This is a clear example of why black lists are a bad idea! Obviously it would be hard to implement a whitelist at the application server level, it belongs within the application itself. Unfortunately, most people will get a false sense of security from this.
Having not checked it out yet myself, I wonder if it manages canonicalization of the data to prevent users from entering data that is URLEncoded or encoded in an alternate characterset. Pete?
-dhs
On 05/29/2005 at 4:00:08 PM EDT Anonymous wrote:
2
It's funny, because there are many XSS holes on the Macromedia.com site itself. Maybe they should enable that attribute themselves! haha.
On 12/13/2006 at 3:56:42 PM EST chris wrote:
3
Hi guys,
I've been trying to add flash videos to my site but I keep getting the <invalidtag> thing.
So I added this to my application.cfm.
scriptprotect="script,applet,meta"
now the flash files play, but so do scripts and meta refresh tests.
Have I done the scriptprotect thing right? I only want <object> and <embed> tags to work.
thanks
chris
On 02/27/2008 at 3:29:41 AM EST M Bilal wrote:
4
Sometimes our site gives this error: 'ScriptProtect error replacing insecure tag'. This seems to be a ColdFusion bug. How can we get over it?
On 06/12/2008 at 6:21:48 AM EDT ColdFusion developer wrote:
5
I have also created a workaround for FCK in Ray Camden's blog. This can be quite easily adapted to work in your own particular environment.
http://www.beetrootstreet.com/blog/index.cfm/2008/6/7/InvalidTag-encountered-in-web-pages-using-ColdFusion-due-to-cross-site-scripting-protection
Hope it helps
Martin