SoFunction
Updated on 2025-04-14

Coldfusion MX Skill Essence Collection 2 Page 3/6


Protecting pages from cross-site scripting
Cross-site scripting (XSS) attacks are one of the security problems that website administrators regularly have to face. Application servers such as ASP, CFML, or PHP are particularly exposed to this kind of attack because of their dynamic nature. Your programs often pass information from one page to another, store it in a database, or display values received from a form or from URL parameters on a page. Being able to pass information between pages is convenient, but if you are not careful enough the same feature can cause serious security problems. For example, look at the following hyperlink and the target page that displays the result:

<!--- The following is a hyperlink in one of your pages --->
<A HREF="?username=Brian">Please click here</A>
<!--- The following is the target page: it echoes the username parameter straight from the URL
      (the variable between the # signs was lost in the original listing and is restored here) --->
<CFOUTPUT>
Welcome to the next page, #URL.username#.
</CFOUTPUT>

It looks simple enough, right? The hyperlink just passes the user name from one page to the next, and if you are not careful enough this is exactly where the problem arises. Cross-site scripting essentially means tricking your site into delivering, and your visitors' browsers into executing, script, Java applets or ActiveX controls that come from somewhere else and that you never intended to serve.

If you look at the URL of the target page in the example above, it looks like this:

/?username=Brian 
A malicious user can build the URL by hand so that the parameter contains a reference to a script hosted on another server, like this:

/?username=<script src="/"> 
When ColdFusion outputs the variable passed in that URL on the next page, the result looks like this:

Welcome to the next page, <script src="/">.
That variable makes your innocent page load and execute JavaScript chosen by the attacker, without you ever expecting it. In the same way the attacker can name a malicious ActiveX control or Java applet in the URL. In this example the script runs in the browser of whoever follows the crafted link, so the attacker harms only himself unless he tricks someone else into clicking it. The damage is far greater if your program stores the malicious code and later outputs it to other users: a troublemaker enters some JavaScript in the posting form of your discussion board, your program saves it to the database as part of the message body without noticing, and when other users read that message the planted JavaScript, Java applet or ActiveX control runs in their browsers, where it may quietly send their account names, passwords or other sensitive information to a location of the attacker's choosing. This problem is not specific to ColdFusion: any application server that accepts data from a URL or form and displays it on a user's screen is exposed to the same attack.

Fortunately, this is not hard to avoid. Filter the information that arrives from the URL or a form and replace the dangerous characters, such as < and > (the less-than and greater-than signs), with their HTML entity equivalents (for example, replace < with &lt;). Do this at the moment you output the value, and escape & (as &amp;, and before the other characters, so the entities you add are not escaped a second time) and the quote characters as well, because a value echoed inside an attribute such as value="..." can be broken out of with a quote even when < and > have been removed. ColdFusion's built-in HTMLEditFormat() function performs this escaping for <, >, & and double quotes, and Allaire also provides the CF_InputFilter custom tag, which you can use in your pages to handle the filtering of these special characters for you. For more complete information on this topic, see the Allaire Security Bulletin ASB00-05 on the Allaire website.
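As an added example (not code from the original article or from Allaire), here is a ColdFusion page that hardens the greeting above. The function name escapeHtml, the default value guest, the host attacker.example and the sample attack string are assumptions for illustration; the HTMLEditFormat() function is ColdFusion's own. The escaping function goes further than the < and > the article mentions by also handling &, the double quote and the single quote, so the same value is safe inside an attribute, and the page ends with a constructed check of what the article's attack string turns into.

```cfml
<!---
  Added example, not from the original article. Escapes a value for output in
  an HTML page body or attribute. Names and the sample attack string are assumptions.
--->
<cffunction name="escapeHtml" returntype="string" output="false">
    <cfargument name="text" type="string" required="true">
    <cfset var s = arguments.text>
    <!--- & goes first, otherwise the entities added below would be escaped again --->
    <cfset s = Replace(s, "&", "&amp;", "ALL")>
    <cfset s = Replace(s, "<", "&lt;", "ALL")>
    <cfset s = Replace(s, ">", "&gt;", "ALL")>
    <!--- quotes matter when the value lands inside an attribute such as value="..." --->
    <cfset s = Replace(s, """", "&quot;", "ALL")>
    <cfset s = Replace(s, "'", "&##39;", "ALL")>
    <cfreturn s>
</cffunction>

<!--- Default so the page does not throw when the parameter is missing (assumed value) --->
<cfparam name="URL.username" default="guest">

<cfoutput>
<!--- Hardened output: the browser renders the text literally and no script runs --->
<p>Welcome to the next page, #escapeHtml(URL.username)#.</p>

<!--- The built-in HTMLEditFormat() covers the common cases: it escapes &, <, >
      and double quotes, but not single quotes --->
<p>Welcome to the next page, #HTMLEditFormat(URL.username)#.</p>

<!--- Inside an attribute the quote escaping is what keeps the attacker from
      closing the attribute and adding an onmouseover handler --->
<input type="text" name="username" value="#escapeHtml(URL.username)#">
</cfoutput>

<!--- Constructed check: the attack string from the article, with an assumed host --->
<cfset sample = '<script src="http://attacker.example/x.js"></script>'>
<cfset expected = "&lt;script src=&quot;http://attacker.example/x.js&quot;&gt;&lt;/script&gt;">
<cfif Compare(escapeHtml(sample), expected) EQ 0>
    <cfoutput><p>escapeHtml check passed</p></cfoutput>
<cfelse>
    <cfoutput><p>escapeHtml check FAILED</p></cfoutput>
</cfif>
```

Save the file with a .cfm extension, request it with a username parameter containing a script tag, and view the page source: the tag arrives as &lt;script ...&gt; and the browser shows it as text instead of fetching the script. The same escapeHtml() call belongs around every value read back from the database for the discussion-board case, since the stored message is just another untrusted string at the moment it is displayed.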