ColdFusion User-Agent cross-site scripting - Vulnerability Database

ColdFusion User-Agent cross-site scripting

Description

Adobe ColdFusion MX 7 (and potentially other versions) contains a cross-site scripting (XSS) vulnerability in its error page handling. The server echoes the User-Agent HTTP header into its 404 and 500 error pages without HTML-encoding it, so a User-Agent value containing script or HTML markup is rendered as markup by the browser that receives the error page. Because a browser sets its own User-Agent, exploiting this against another user requires some way to control the header on the victim's request (a client or plugin that lets the attacker set arbitrary request headers, or an intermediary that rewrites them); with that in place, any request for a missing template or a page that throws an error delivers the payload.

Confirmed in version MX 7. Other versions may also be affected.

Remediation

Apply the following remediation steps in order of priority:

1. Apply Security Patches: Contact Adobe support or check the Adobe Security Bulletin archive for patches addressing CVE-2007-0817. Apply all available security updates for your ColdFusion version.

2. Implement Custom Error Pages: Configure error handlers that do not reflect request data. In Application.cfc implement onError, which handles exceptions raised while running your application's templates (the 500 case); in older Application.cfm-based applications use <cferror type="exception" ...> instead. Requests for templates that do not exist are served by the Missing Template Handler and Site-wide Error Handler configured in the ColdFusion Administrator, so point those at a static page as well. If request data must appear on an error page, pass it through HTMLEditFormat() before output:

<!--- Application.cfc example --->
<cfcomponent output="false">
  <cffunction name="onError" returntype="void" output="true">
    <cfargument name="exception" type="any" required="true"/>
    <cfargument name="eventName" type="string" required="true"/>
    <!--- Log the details server-side; the log, not the browser, gets the message --->
    <cflog file="application" type="error" text="#arguments.eventName#: #arguments.exception.message#">
    <!--- Tell the client only that something failed; no headers or request data are echoed --->
    <cfoutput>An error has occurred. Please contact support.</cfoutput>
  </cffunction>
</cfcomponent>

3. Upgrade ColdFusion: ColdFusion MX 7 is long out of support. If patches are unavailable, upgrade to a current supported version of ColdFusion that is not affected by this vulnerability.

4. Implement Web Application Firewall (WAF): Deploy a WAF with rules to detect and block XSS payloads in HTTP headers as a compensating control. A WAF only filters the header; encoding the value in the application (or not echoing it at all) remains the actual fix.
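A practitioner will want to confirm both the finding and the fix. The following probe is an added example written for this entry; it is not code from Invicti, Adobe or the ColdFusion product. It sends a User-Agent carrying a unique, tag-shaped marker, fetches an error page, and reports whether the marker comes back raw (vulnerable), HTML-encoded (safe output such as HTMLEditFormat() produces) or not at all (a generic handler like the onError above). The host, the probed path and the three sample response bodies are placeholders constructed for the offline check; only `probe_host()` touches the network.

```python
"""Check whether a server echoes the User-Agent header unencoded in its error pages.

Added example for this vulnerability entry; not part of the original page or of
ColdFusion. Sample response bodies below are constructed, and the URL handed to
probe_host() is an assumption supplied by the caller.
"""
import html
import secrets
import sys
import urllib.error
import urllib.request

# Constructed sample bodies: the first mimics an error page that echoes the
# header verbatim, the second the same page with HTML-encoded output, the third
# a generic handler that never shows request data.
REFLECTING_PAGE = (
    '<html><body><h1>Error</h1><p>The requested template was not found.</p>'
    '<p>Browser: {ua}</p></body></html>'
)
GENERIC_PAGE = 'An error has occurred. Please contact support.'


def make_probe():
    """A User-Agent that looks ordinary but carries an unambiguous tag-shaped marker."""
    return 'Mozilla/5.0 <cfprobe{}>'.format(secrets.token_hex(4))


def classify_reflection(body, probe):
    """Return 'raw', 'encoded' or 'none' depending on how the probe is echoed.

    'raw' means the angle brackets survived, i.e. the page is XSS-able;
    'encoded' means they came back as &lt; and &gt;, which the browser renders
    as text; 'none' means the header is not reflected.
    """
    if probe in body:
        return 'raw'
    if html.escape(probe, quote=False) in body:
        return 'encoded'
    return 'none'


def fetch_error_page(url, user_agent, timeout=10):
    """GET url with the given User-Agent; return (status, body) even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={'User-Agent': user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode('utf-8', 'replace')
    except urllib.error.HTTPError as err:
        # 404 and 500 responses are exactly the pages we want to inspect.
        return err.code, err.read().decode('utf-8', 'replace')


def probe_host(base_url):
    """Request a random, nonexistent .cfm template and classify the 404 page.

    base_url is an assumption supplied by the caller, e.g. http://cf.example.test
    (a placeholder, not a real host). A path that triggers a 500 in your own
    application can be added the same way.
    """
    probe = make_probe()
    path = '/missing-{}.cfm'.format(secrets.token_hex(3))
    status, body = fetch_error_page(base_url.rstrip('/') + path, probe)
    return status, classify_reflection(body, probe)


def demo():
    """Run the classifier over the constructed sample pages (offline)."""
    probe = make_probe()
    samples = {
        'vulnerable': REFLECTING_PAGE.format(ua=probe),               # verbatim echo
        'encoded': REFLECTING_PAGE.format(ua=html.escape(probe, quote=False)),  # encoded echo
        'generic': GENERIC_PAGE,                                      # nothing echoed
    }
    return {name: classify_reflection(body, probe) for name, body in samples.items()}


if __name__ == '__main__':
    if len(sys.argv) > 1:
        print(probe_host(sys.argv[1]))   # live check against a host you are authorised to test
    else:
        print(demo())                     # offline demonstration on the constructed samples
```

Run it with a base URL to test a real (authorised) target, or without arguments to see the three classifications on the constructed samples. A 'raw' result on an error page is the finding; after applying the remediation above the same probe should report 'none' (generic page) or 'encoded'.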