XSS protection in ColdFusion can be disabled.
Security specialist Brett Moore of Security-Assessment.com has published details of three vulnerabilities in ColdFusion MX7. Two of them are non-critical: they can be exploited to learn which internal IP addresses a system has and the path into which the server was installed.
The third vulnerability is the more interesting one, since it disables ColdFusion's cross-site scripting protection. That protection works by looking for the <script> tag in submitted content and replacing it with <invalid tag>. Moore writes that all it takes to knock out the filter is to insert %00 into the tag: the filter is matching a literal string, so a tag name with a NUL byte in the middle no longer matches, is not rewritten, and XSS attacks on Internet Explorer users are once again possible. Internet Explorer 6 is well known for its willingness to render even broken pages; to do so, it ignores characters with the value zero (%00) no matter how many there are or where they sit in the HTML, so the browser sees an intact <script> tag that the filter never did. The same trick can fool antivirus software, intrusion detection and prevention systems and other protective functions that match on the raw bytes rather than on what the browser will actually parse. The heise Security Browsercheck provides the NUL Demos to illustrate this problem.
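The bypass and the reason it works are easy to reproduce. The following Python script is an added example written for this article and is not ColdFusion's code or Moore's proof of concept: it models a literal-match tag filter of the kind described, a browser that drops NUL bytes the way IE6 did, a hardened filter that normalizes input the same way before matching, and a simple detection rule for a NUL byte inside a tag. The two request parameters are constructed sample input, and the tag name, replacement string and function names are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample request parameters, URL-encoded as they would arrive in a
# query string. Illustrative only; not taken from the advisory.
PLAIN_XSS = "<script>alert(1)</script>"
NUL_XSS = "<scr%00ipt>alert(1)</scr%00ipt>"

# Literal start-of-tag pattern, the kind of match a blacklist filter performs.
SCRIPT_TAG = re.compile(r"<script", re.IGNORECASE)


def naive_filter(html: str) -> str:
    """Literal-match filter of the kind the article describes: the string
    '<script' is rewritten, but a NUL byte inside the tag name defeats the match."""
    return SCRIPT_TAG.sub("<invalid tag", html)


def ie6_view(html: str) -> str:
    """Model of the browser behaviour the article describes: IE6 discards NUL
    bytes anywhere in the markup before parsing it."""
    return html.replace("\x00", "")


def executes_script(html: str) -> bool:
    """True if the page, as IE6 would parse it, still contains a script start tag."""
    return SCRIPT_TAG.search(ie6_view(html)) is not None


def hardened_filter(html: str) -> str:
    """Normalize the same way the consuming browser does (drop NUL bytes) before
    matching, so the filter and the browser see the same tag."""
    return naive_filter(ie6_view(html))


def contains_nul_in_tag(raw_param: str) -> bool:
    """Detection rule for an IDS or WAF: flag a URL-decoded parameter carrying a
    NUL byte inside an angle-bracketed tag, which has no legitimate use in HTML."""
    return re.search(r"<[^>]*\x00[^>]*>", unquote(raw_param)) is not None


def process(raw_param: str, filt) -> bool:
    """Decode the parameter as the server would, run it through the given filter
    and report whether the result would still run script in IE6."""
    return executes_script(filt(unquote(raw_param)))


if __name__ == "__main__":
    for name, param in (("plain", PLAIN_XSS), ("nul", NUL_XSS)):
        print(
            f"{name}: naive filter still executes={process(param, naive_filter)}, "
            f"hardened filter still executes={process(param, hardened_filter)}, "
            f"flagged by detection={contains_nul_in_tag(param)}"
        )
```

The plain payload is neutralized by both filters; the NUL-laden payload slips through the naive filter and still runs under the IE6 model, while the hardened filter catches it because it strips NUL bytes first. The general lesson is that a filter has to canonicalize input the way the eventual consumer does, and that a blacklist of tag names is a weaker defense than encoding output for its context.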
ColdFusion 7, and potentially version 6 as well, contains the three vulnerabilities. According to the report, the problems have been reported to the manufacturer. Adobe has not yet released updates, but intends to fix the problem in the next major release.
- ColdFusion MX7 - Multiple Vulnerabilities, bug report from Brett Moore