tracker issue : CF-4087973

Title:

Values coming from in-built struct objects/tag-specific variables should not be flagged for vulnerability.


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): / ext-user (S Preethi)

Created: 11/16/2015

Components: Security Analyzer

Versions: 2016

Failure Type: Non Functioning

Found In Build/Fixed In Build: CF12 /

Priority/Frequency: Normal / Most users will encounter

Locale/System: English / Linux All,Mac 10 All,Solaris All,Win XP All

Vote Count: 0

Listed in the version 2016.0.02.299200 Issues Fixed doc
Related Bugs:
4049701 - Similar to	ColdFusion Builder
4130097 - Similar to	ColdFusion Builder


Problem:
Values coming from in-built struct objects/tag-specific variables should not be flagged for vulnerability, since they are known values posing no threat.

Method:
In the code below, the following variables should not be thrown as vulnerabilities:
1) #cffile.timecreated#
2) #cffile.serverdirectory#
3) #cffile.serverfile#

<cffile  
    action = "uploadAll" 
    destination = "c:/uploads" 
    nameConflict = "overwrite">
	
<cfquery name="saveUploadInfo" datasource="cfmx_db">
	insert into uploadedfile (datetimecreated, serverdirectory, serverfile) 
	values (#cffile.timecreated#,'#replace(cffile.serverdirectory,"\","/","all")#','#cffile.serverfile#')
</cfquery>

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4087973
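
The INSERT from the report, rewritten as an added example (not part of the original report or of Adobe's fix) with each value bound through cfqueryparam, so the statement is parameterized whether or not the analyzer treats the cffile variables as trusted. The cfsqltype values are assumptions about the column types of uploadedfile, which the page does not give.

```cfml
<!--- Added example: same table, columns and datasource as the query in the report. --->
<cfquery name="saveUploadInfo" datasource="cfmx_db">
	insert into uploadedfile (datetimecreated, serverdirectory, serverfile)
	values (
		<!--- Assumed column type: timestamp --->
		<cfqueryparam value="#cffile.timecreated#" cfsqltype="cf_sql_timestamp">,
		<!--- Assumed column type: varchar; same backslash-to-slash replace as the report --->
		<cfqueryparam value="#replace(cffile.serverdirectory, '\', '/', 'all')#" cfsqltype="cf_sql_varchar">,
		<!--- Assumed column type: varchar --->
		<cfqueryparam value="#cffile.serverfile#" cfsqltype="cf_sql_varchar">
	)
</cfquery>
```

Because the values travel as bind parameters rather than as interpolated SQL text, the query no longer depends on what the file name or directory contains.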

Comments:

On similar lines, other in-built structs to be handled would be: 1) cflogin 2) cfhttp. Will add a few other structs to be dealt with.
Comment by S P.
5313 | November 16, 2015 11:30:27 PM GMT
Certain scenarios to be covered as part of this bug:
1)
<cfquery name="listing" datasource="cfartgallery">
	SELECT ARTISTID, FIRSTNAME, LASTNAME, EMAIL, THEPASSWORD, ADDRESS, CITY, STATE, POSTALCODE, PHONE, FAX
	FROM ARTISTS
	WHERE 1=1
</cfquery>
<cfoutput>
	<h1>#listing.recordCount#</h1>
	<ul>
	<cfloop query="listing">
		<li>#listing.currentRow# - #encodeForHTML(listing.lastName & ", " & listing.firstName)#</li>
	</cfloop>
	</ul>
</cfoutput>
**listing.recordCount and listing.currentRow should not be marked as vulnerable to XSS attack.
2) Other tag-specific variables should also follow this:
cfquery/cfldap/cfpop/cfsearch
queryname.CurrentRow
queryname.RecordCount
CFQUERY.ExecutionTime
CFSTOREDPROC.ExecutionTime
CFSTOREDPROC.StatusCode
Comment by S P.
5314 | March 14, 2016 03:20:35 AM GMT
Why shouldn't we flag cfhttp. text, headers etc.? Why can't it have vulnerable code? Others I have included.
Comment by Uday O.
5315 | May 16, 2016 01:12:35 AM GMT
The tags specified in the bug have been handled: cffile/cfldap/cfpop/cfsearch/cfhttp/cfquery (queryname/result). This will be available in Update 2 of ColdFusion. Thanks!
Comment by S P.
5316 | May 18, 2016 11:49:13 PM GMT
test note
Comment by CFwatson U.
5317 | June 07, 2016 04:19:41 AM GMT
The fix for this bug is available as part of the early-access build for ColdFusion 2016 Update 2.
Comment by CFwatson U.
5318 | June 07, 2016 04:26:39 AM GMT