The application keeps the daily reports in a shared path. Our application generates the URL linking it to the excels like
http://application/ExcelTask/Index.cfm?type=Report&fileName=Report_Mar2014.xlsx
with the cfm code as
<cfif FileExists("#filePath#")>
<cfheader name="Content-Disposition" value="inline; filename=""#URL.fileName#""">
<cfcontent type="application/vnd.ms-excel" file="#filePath#">
</cfif>
What we have found out if the users are aware of our directory structure the cfm files can be downloaded using the URL injection like
http://application/ExcelTask/Index.cfm?type=../ExcelTask&fileName=Index.cfm
I can add a condition to only allow files of type xls and xlsx only but that looks like a Plan B.
Any ideas how to restrict the folder access?
Use basic data sanitization skills to both clean and validate your URL.type and URL.filename.
some replaceAll code to eliminate ../, or
try isValid("regex", some regex pattern...)
You can also validate against the session whether the current logged in user has the write to view/download the file for extra protection.
Related
For extra security on my pages I use HTTP_REFERER within a cfif statement as a check on all my pages to make sure there are no successful direct attacks on any given page.
I am using a cfc file in an Authorize.net post. I do not use cfc or any other plug-ins or apps on my site so this is a first.
I would like to use an cfif statement in the cfc with the pages that call it listed in the cfif statement and if not a listed page, cfabort the page.
<cfhttpparam name="referer" type="cgi" value="#CGI.HTTP_REFERER#">
how can i access to a local file outsite wwwroot in coldfusion. I want to do a "href" link to access a file outside wwwroot directory. I tried many different solutions but any of them worked.
You can't link to a file outside of your web root, that helps keep your server safe. However, if your CF server has permission to access that other folder, you can write a CF page in your application that can present a file from that folder using CFCONTENT.
HOWEVER, do NOT try to access that file by passing a path to that file in the query string. That opens you up to other security issues. Create a table in the DB that maps those files to a File ID, then make sure that your logged in user has the correct role or privilege to access the file.
You'd create a file getFile.cfm and pass id=123 in the query string. Once you verify that your user can access the file in question, use this code to present it to the browser:
<cfheader name="Content-disposition" value="attachment;filename=#dafile#">
<cfcontent file="#dafile#" type="application/pdf">
Just make sure that the type attribute contains the correct mime-type for the file in question.
This example is from Ray Camden's post on the subject.
I am using railo server 4.1 and also installed the extension provider for spreadsheet support (http://www.andyjarrett.co.uk/RailoExtensionProvider/ExtensionProvider.cfc). But I can't able to read the spreadsheet using cfspreadsheet Am I missing something? or else provide any alternate solution.
The following is the error produced when i run a cfm page with cfspreadsheet tag in it
<cfspreadsheet action="read" src="#expandPath('..\')#/TEST.xls" query="res">
<cfdump var="#res#" />
I inherited some legacy ColdFusion code and about a year ago my site was hit with XSS and SQL injection.
Which cause me to validate inputs coming in as well as including a setting of ScriptProtect="all" in my application.cfm file. I got it scan and it came up clean.
Recently I had it scanned again and it came up with many vulnerabilities in particular one where it embedded a script in the url.
For example this was attached to a url:
?’A<style > a(font0family:expression(alert(2424)))</style>
Which embedded a hidden JavaScript. How would one use a ColdFusion function such as URLencode() in the application.cfm file to detect/prevent these sort of XSS attacks?
There are a few specific things you can do, depending on the nature of the attacks and the type of application. The following are what I would consider to be "the big three". The first item is to enable the "Enable Global Script Protection" in the "Settings" area of the Coldfusion administrator.
The second, and this is extremely important for SQL injection, is to use <cfqueryparam> with strict typing on any variable used in your queries. For example:
<cfqueryparam cfsqltype="cf_sql_integer" value="#my_integer#">
On a script-based query this would be accomplished by:
<cfscript>
qget = new query(datasource=my_datasource);
qget.addParam(name='my_integer',value=url.my_id,cfsqltype='cf_sql_integer');
qresult = qget.execute(sql='
SELECT * from my_table
WHERE id = :my_integer
').getResult();
</cfscript>
The third, is dependent on whether you are using JSON from your application via an API or internal call. Enabling the "Prefix Serialized JSON" setting in the CF Administrator with a prefix of your choice can help with cross-site scripting attacks as well.
If you're not on a Adobe CF server, no worries. Both Railo and Blue Dragon have equivalent features.
I'm fairly new to ColdFusion and am currently creating a system for which users can view PDF files. As well, I have it so some users can upload replacements for the current PDF if need be. The problem is, at least when using Firefox, when the user views the PDF file, it goes into their history cache to improve loading times I assume, and if a user replaces the PDF with a more updated one, users with the original PDF in their history cache will just see the old file and not the new one.
Now, I'm not going to just tell users to clear their history, so here's where my question comes in: Is there either a way to prevent the PDF from going into their history cache or is there a way to remove the page from the history? Any help would be greatly appreciated! :)
In PDF link add timestamp using gettickcount() to make URL unique and this prevent caching pdf.
http://mywebsite/pdfname.pdf?123249329323
Rather than link directly to the PDF, link to a .cfm that has this code:
<cfheader name="expires" value="#getHttpTimeString(now())#">
<cfheader name="pragma" value="no-cache">
<cfheader name="cache-control" value="no-cache, no-store, must-revalidate">
<cfcontent file="#path_to_pdf_file#" type="application/pdf">