Using urlencode in application.cfm to detect XSS in url ColdFusion - coldfusion

I inherited some legacy ColdFusion code, and about a year ago my site was hit with XSS and SQL injection.
That caused me to validate incoming inputs as well as add a ScriptProtect="all" setting in my application.cfm file. I had it scanned and it came up clean.
Recently I had it scanned again and it came up with many vulnerabilities, in particular one where it embedded a script in the URL.
For example, this was attached to a URL:
?’A<style > a(font0family:expression(alert(2424)))</style>
which embedded hidden JavaScript. How would one use a ColdFusion function such as URLencode() in the application.cfm file to detect/prevent this sort of XSS attack?

There are a few specific things you can do, depending on the nature of the attacks and the type of application. The following are what I would consider to be "the big three". The first item is to enable "Enable Global Script Protection" in the "Settings" area of the ColdFusion Administrator.
The second, and this is extremely important for SQL injection, is to use <cfqueryparam> with strict typing on any variable used in your queries. For example:
<cfqueryparam cfsqltype="cf_sql_integer" value="#my_integer#">
On a script-based query this would be accomplished by:
<cfscript>
qget = new query(datasource=my_datasource);
qget.addParam(name='my_integer',value=url.my_id,cfsqltype='cf_sql_integer');
qresult = qget.execute(sql='
SELECT * from my_table
WHERE id = :my_integer
').getResult();
</cfscript>
The third is dependent on whether you are serving JSON from your application via an API or internal call. Enabling the "Prefix Serialized JSON" setting in the CF Administrator with a prefix of your choice can help with cross-site scripting attacks as well.
If you're not on an Adobe CF server, no worries. Both Railo and BlueDragon have equivalent features.
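As an added example (not code from the original answer), here is the kind of search page the scanner payload above would hit, first in its vulnerable form and then hardened. It assumes a datasource named `site`, a table `articles(id, title)`, and ColdFusion 10 or later for `encodeForHTML()` and `encodeForURL()` (on CF9 the closest equivalents are `htmlEditFormat()` and `urlEncodedFormat()`). Two points the question is asking about: `scriptProtect` only rewrites `<script>`, `<object>`, `<embed>`, `<applet>` and `<meta>` tags, which is why a payload carried in a `<style>` tag got through; and URL-encoding input on the way in is the wrong tool, because what stops reflected XSS is encoding each value for the context it is written into on the way out, while `<cfqueryparam>` stops the same value from altering the SQL.

```cfml
<!--- Application.cfc: same effect as ScriptProtect in Application.cfm. It only
      rewrites <script>, <object>, <embed>, <applet> and <meta> tags, so it is a
      backstop, not a substitute for encoding output. --->
<cfcomponent output="false">
    <cfset this.name = "searchDemo">
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- search.cfm, VULNERABLE version, kept only for contrast:
      url.q is reflected verbatim (XSS) and concatenated into SQL (injection). --->
<cfparam name="url.q" default="">
<cfoutput><p>Results for #url.q#</p></cfoutput>
<cfquery name="unsafe" datasource="site">
    SELECT id, title FROM articles WHERE title LIKE '%#url.q#%'
</cfquery>

<!--- search.cfm, HARDENED version --->
<cfparam name="url.q" default="">
<cfparam name="url.page" default="1">

<!--- Validate where the input has a fixed shape: page must be a positive integer --->
<cfif NOT isValid("integer", url.page) OR url.page LT 1>
    <cfset url.page = 1>
</cfif>

<!--- Free text cannot be validated into safety; bound its length and bind it as a parameter --->
<cfset searchTerm = left(trim(url.q), 100)>

<cfquery name="safe" datasource="site">
    SELECT id, title
    FROM articles
    WHERE title LIKE <cfqueryparam cfsqltype="cf_sql_varchar" value="%#searchTerm#%" maxlength="102">
    ORDER BY id
</cfquery>

<cfoutput>
    <!--- Encode for the context each value lands in: HTML body text or a URL parameter.
          The payload from the question becomes &##x27;A&lt;style&gt;... and renders as text. --->
    <p>Results for "#encodeForHTML(searchTerm)#"</p>
    <ul>
    <cfloop query="safe">
        <li><a href="article.cfm?id=#safe.id#">#encodeForHTML(safe.title)#</a></li>
    </cfloop>
    </ul>
    <a href="search.cfm?q=#encodeForURL(searchTerm)#&amp;page=#url.page + 1#">Next page</a>
</cfoutput>
```

`safe.id` is emitted without encoding only because it came from the integer column of the bound query, not from the request; anything that originates in `url`, `form` or `cgi` goes through an `encodeFor*()` call at the point where it is written out.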

Related

ColdFusion 9, secret setting

I have a small CF9 app, no database involved. In the configuration I need to store a network password which one of the functions needs, but I don't want it stored in the Application.cfc (for example) in human-readable form.
What's the best way of storing/reading the password?
Step 1: On a web page that is not going into production, run:
<cfoutput>#hash('My_pa55w0rd')#</cfoutput>
That will show a hash of the password.
Step 2: On a web page that is going into production, add the hash to a variable such as application.pass_hash. Verify against pass_hash as needed.
<cfif hash(form.password) EQ application.pass_hash>
<p>Successful login!</p>
</cfif>
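The hash approach above fits the case where a user submits a password and the application only has to verify it. The question's case is different: the application must present the network password to another service, so it needs the plaintext at runtime, and a one-way hash cannot give it back. What follows is an added example (not code from the original answer) of keeping the password reversible but out of the source: the AES ciphertext sits in a file outside the web root and the key in an environment variable of the ColdFusion service, so a copy of the code alone, or of the config file alone, reveals nothing. The variable name `APP_SECRET_KEY` and the path `../config/network.pass.enc` are assumptions; it needs ColdFusion 9 or later for the `local` scope.

```cfml
<!--- ONE-TIME SETUP: run from a page that is never deployed, then delete it.
      Put the printed key in the APP_SECRET_KEY environment variable of the CF
      service account and save the ciphertext as ../config/network.pass.enc
      (outside the web root). With no IV supplied, ColdFusion generates a random
      IV and prepends it to the ciphertext, so the same password encrypts
      differently each time. --->
<cfset key = generateSecretKey("AES")>
<cfset cipherText = encrypt("My_pa55w0rd", key, "AES/CBC/PKCS5Padding", "Base64")>
<cfoutput>key=#key#<br>cipher=#cipherText#</cfoutput>

<!--- Application.cfc: load key and ciphertext once at startup, never the plaintext --->
<cfcomponent output="false">
    <cfset this.name = "secretDemo">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset local.sys = createObject("java", "java.lang.System")>
        <!--- getenv returns a Java null when the variable is missing; assigning
              null leaves local.key undefined, so test the scope rather than the value --->
        <cfset local.key = local.sys.getenv("APP_SECRET_KEY")>
        <cfif NOT structKeyExists(local, "key") OR NOT len(local.key)>
            <cfthrow type="ConfigError" message="APP_SECRET_KEY is not set for this service">
        </cfif>
        <cfset application.secretKey = local.key>
        <cfset application.networkPassEnc = trim(fileRead(expandPath("../config/network.pass.enc")))>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- At the point of use, inside the function that opens the network connection.
      Decrypt into a local variable and let it go out of scope; do not cache the
      plaintext in the application or session scope. --->
<cffunction name="connectToShare" returntype="void" output="false">
    <cfset local.pass = decrypt(application.networkPassEnc, application.secretKey,
                                "AES/CBC/PKCS5Padding", "Base64")>
    <!--- ... pass local.pass to the network client here ... --->
</cffunction>
```

The file read and the `decrypt()` call both fail loudly if the key or ciphertext is wrong, which is the behaviour you want at startup rather than a silent fallback to an empty password.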

No data in Sitecore Experience profile

I've set up a local Sitecore environment with all the SQL and MongoDB databases working,
except I do not get any data in the Experience Profile (contacts).
I see that the tracking_contact db in Mongo is empty and the analytics index folder is also empty.
Other functionality like Experience Analytics works fine.
Are there any extra configurations necessary?
The Experience Profile runs on the Analytics index. If there is no index, there will be no data shown.
Try to rebuild the index if it's not there.
There is an admin tool for rebuilding the reporting db & analytics index: /sitecore/admin/RebuildReportingDB.aspx
When you run the tool you must set up a secondary reporting DB first.
Just attach another empty analytics database to your local SQL Server, name it something like analytics_secondary and configure its connection string.
Then rebuild the reporting DB, and after that data should appear in your Experience Profile.
The index should be constantly refreshed by the aggregation framework (i.e. you should not need to rebuild) so if that is not happening, something is wrong in your configuration.
When working with xDB you'll need to identify a user to get it to appear in the Experience Profile section; otherwise they will be anonymous.
Try using this code here to create a contact:
https://github.com/ianjohngraham/CoreBlimey.Utils/tree/master/CoreBlimey.Utils/xDB%20Contact%20Creator
And then end the session by using the button.
If everything is set up correctly then the contact you created will appear in MongoDB and in Experience Profile.
If you are still not getting any data then you could try these things:
Ensure you have the <sc:VisitorIdentification runat="server" /> control for an ASP.NET Web Forms layout,
or the @Html.Sitecore().VisitorIdentification() control for an MVC layout.
Make sure you disable robot detection by changing this setting: <setting name="Analytics.AutoDetectBots" />
Charley,
I also had a similar problem in the past. What I found was that it was not working locally, but when I put it on the stage server it showed data. The same may apply to you.
Also, without "@Html.Sitecore().VisitorIdentification()" in your layout, tracking is not possible.
Hope this helps.
Cheers!!

Sitecore 7.2 Item Web Api - Unable to PUT html text

I am trying to update (using a PUT operation) a Sitecore item with a 'Rich Text' field with the Sitecore ItemWebApi 1.2. I am running into an issue with the server saying
"A potentially dangerous Request.Form value was detected from the client"
I could set validateRequest=false in the web.config. But that will disable the validation for all requests, which is not ideal. Is there a way to save HTML text using ItemWebApi without using validateRequest=false? It seems for aspx pages you could use the @Page directive. Not sure where something like that could be configured in this case.
Maybe you have already figured out the answer for yourself, but in the interest of our fellow community I am posting the answer here.
Actually, I myself got stuck on this same issue last week, but because of your question I found the solution.
By default Sitecore nowadays comes with
<pages validateRequest="false">
but it is not effective unless we also do the following:
<httpRuntime requestValidationMode="2.0"/>
It is also indicated in a Sitecore KB article and in another Stack Overflow answer.
Regards
Vishal Gupta
I did double escaping on the client before sending to the server and double unescaped with a custom Item Web API processor to essentially achieve the same effect for this one AJAX call. This way, I did not have to turn off validation application-wide and then add validateRequest=true on all pages. Turning off the default HTML validation would also mean every other developer on our team needs to be aware that HTML validation is turned off and that they have to add special XML on top to enable it. Someone missing that would make our site insecure.

how to create and use databases (and tables) with simple Coldfusion applications while using Xampp (Guidance for Newbies)

I want to do simple CRUD operations for simple ColdFusion applications. I have simple guidelines but not deep guidance for that, and it looks a little tricky to me. Is there anyone who can provide a simple and detailed solution for that? Actually I have created the database and tables on http://localhost/phpmyadmin/, but how can I use the database and tables in CF Builder applications? I don't know that. If I'm missing anything else, please mention it.
Thanks,
Before someone closes this, check out this intro to CFBuilder that shows you how to connect to a database:
http://refcardz.dzone.com/refcardz/getting-started-adobe
Then go through the lessons at http://www.learncfinaweek.com/. If you've done CRUD apps in any other language, you just have to learn the CF syntax for doing the same processes.
In CFBuilder 2 and 3, there is a view, "RDS Dataview", that shows the hosts (ColdFusion servers) you've provided connection information for.
Expanding a server name shows the datasources defined in its ColdFusion Administrator. You can drill down from server to datasource (schema) to the tables to the fields. You can right-click a table name and choose RDS Query Viewer to get a query builder, much like Microsoft Access's, if you're familiar with that.
Alternatively you can just drag and drop table names and field names directly into your hand-crafted code to save a lot of typing.
See Adobe Docs at http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSc3ff6d0ea77859461172e0811cbec16ab8-7ff9.html
There is also a CRUD creator described on that page, that can introspect a table and produce a CRUD cfc... not cruddy!
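To make the path from the phpMyAdmin tables to working code concrete, here is an added example (not code from either answer above, nor from the linked tutorials). It assumes a datasource named `xampp_demo` has been created in the ColdFusion Administrator (Data & Services > Data Sources, MySQL driver, server 127.0.0.1, port 3306, database `demo`) and a table `notes(id INT AUTO_INCREMENT PRIMARY KEY, title VARCHAR(100), body TEXT)`. The datasource is named once in Application.cfc, every query in the CFC binds its values with `<cfqueryparam>` so request data cannot change the SQL, and the page encodes what it prints.

```cfml
<!--- Application.cfc: name the datasource in one place --->
<cfcomponent output="false">
    <cfset this.name = "crudDemo">
    <cfset this.datasource = "xampp_demo">   <!--- must exist in the ColdFusion Administrator --->
</cfcomponent>

<!--- notes.cfc: one method per CRUD operation, all on the default datasource --->
<cfcomponent output="false">

    <cffunction name="createNote" returntype="numeric" output="false">
        <cfargument name="title" type="string" required="true">
        <cfargument name="body" type="string" required="true">
        <cfquery result="local.r">
            INSERT INTO notes (title, body)
            VALUES (<cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.title#" maxlength="100">,
                    <cfqueryparam cfsqltype="cf_sql_longvarchar" value="#arguments.body#">)
        </cfquery>
        <cfreturn local.r.generatedKey>   <!--- the MySQL AUTO_INCREMENT id --->
    </cffunction>

    <cffunction name="readNote" returntype="query" output="false">
        <cfargument name="id" type="numeric" required="true">
        <cfquery name="local.q">
            SELECT id, title, body FROM notes
            WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.id#">
        </cfquery>
        <cfreturn local.q>
    </cffunction>

    <cffunction name="updateNote" returntype="void" output="false">
        <cfargument name="id" type="numeric" required="true">
        <cfargument name="title" type="string" required="true">
        <cfargument name="body" type="string" required="true">
        <cfquery>
            UPDATE notes
            SET title = <cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.title#" maxlength="100">,
                body  = <cfqueryparam cfsqltype="cf_sql_longvarchar" value="#arguments.body#">
            WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.id#">
        </cfquery>
    </cffunction>

    <cffunction name="deleteNote" returntype="void" output="false">
        <cfargument name="id" type="numeric" required="true">
        <cfquery>
            DELETE FROM notes
            WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.id#">
        </cfquery>
    </cffunction>
</cfcomponent>

<!--- notes.cfm: request values are checked at the edge, then handed to typed methods --->
<cfset notes = createObject("component", "notes")>

<cfif structKeyExists(form, "title") AND structKeyExists(form, "body")>
    <cfset newId = notes.createNote(form.title, form.body)>
    <cflocation url="notes.cfm?id=#newId#" addtoken="false">
</cfif>

<cfif structKeyExists(url, "id") AND isValid("integer", url.id)>
    <cfset note = notes.readNote(url.id)>
    <cfif note.recordCount EQ 1>
        <cfoutput>
            <h1>#encodeForHTML(note.title)#</h1>
            <p>#encodeForHTML(note.body)#</p>
        </cfoutput>
    </cfif>
</cfif>
```

`encodeForHTML()` is ColdFusion 10 or later; on CF9 use `htmlEditFormat()`. The `isValid("integer", url.id)` check before `readNote()` means a non-numeric `id` never reaches the query, and the typed `cfargument` rejects it again if the page is bypassed.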

Determine Database Type from ColdFusion Data Source

I have a web site with source code in ColdFusion. How can I find out which database is used and where the database files are?
Thank you!
Also, I don't have access to CF Admin.
Assuming you are using CF8 or later:
If you have the datasource name (which you can see in the CFQUERY/CFSTOREDPROC tags) you can use cfdbinfo to get database information.
See http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_d-e_01.html for details.
Search through the entire codebase for instances of the tag <CFQUERY> (and additionally <CFSTOREDPROC>).
Look at the value entered into the attribute "datasource", collect them all up.
If you have access to CF Admin:
Log into the ColdFusion Administrator, navigate to Datasources, and match the datasource names with the ones you found in your search.
Examine the DSN settings. They are your databases.
If you do not have access to CF Admin:
Pass the names of the datasources to <CFDBINFO> and dump out the results (thanks to TheCycoONE).
Shawn hit it: you'll have to get into the ColdFusion Administrator's datasource settings. Find the name of the datasource in your Application.cfm/cfc or directly in the query, then click that DSN in the Administrator. It should tell you which DB (type) connector it's using, and the general location.
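Putting the two answers together as an added example (not code from either answer): collect the datasource names from the `<cfquery>` and `<cfstoredproc>` tags in the code, then feed them to `<cfdbinfo>`, which needs no Administrator login as long as the page runs on the server that owns the datasources. `type="version"` reports the database product and driver (which answers "what database is this"), and `type="tables"` lists what the datasource can see. The names in `dsnList` are placeholders. Run it from a page you delete afterwards, since it discloses database details to anyone who can load it, and use `htmlEditFormat()` rather than `encodeForHTML()` so it also works on CF8/CF9.

```cfml
<!--- Names found by searching the codebase for datasource="..." (placeholders) --->
<cfset dsnList = "site,legacy_reports">

<cfoutput>
<cfloop list="#dsnList#" index="dsn">
    <cftry>
        <!--- Product and driver: tells you MySQL vs SQL Server vs Oracle etc. --->
        <cfdbinfo datasource="#dsn#" type="version" name="v">
        <h3>#htmlEditFormat(dsn)#</h3>
        <p>Database: #v.DATABASE_PRODUCTNAME# #v.DATABASE_VERSION#<br>
           Driver: #v.DRIVER_NAME# #v.DRIVER_VERSION#</p>

        <!--- Tables and views reachable through this datasource --->
        <cfdbinfo datasource="#dsn#" type="tables" name="t">
        <ul>
        <cfloop query="t">
            <li>#t.TABLE_SCHEM#.#t.TABLE_NAME# (#t.TABLE_TYPE#)</li>
        </cfloop>
        </ul>

    <cfcatch type="any">
        <!--- A name used in the code but not defined on this server's Administrator,
              or a datasource whose credentials no longer work --->
        <p>#htmlEditFormat(dsn)#: not usable on this server (#htmlEditFormat(cfcatch.message)#)</p>
    </cfcatch>
    </cftry>
</cfloop>
</cfoutput>
```

`cfdbinfo` does not return the datasource's connection URL or the location of the data files; that still lives only in the Administrator's DSN settings, so for the "where are the files" half of the question you will need whoever does have Administrator access.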