Check: CF11-06-000224
Adobe ColdFusion 11 STIG: CF11-06-000224 (in versions v2 r1 through v1 r2)
Title
ColdFusion must enable Global Script Protection. (Cat II impact)
Discussion
Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. Invalid inputs are also used for Cross-Site Scripting (XSS) attacks. This type of attack relies on the attacker being able to insert script code into an input field and having the script executed on the client machine. Enabling Global Script Protection provides very limited protection against certain Cross-Site Scripting attack vectors. It is important to understand that enabling this setting does not protect hosted applications from all possible Cross-Site Scripting attacks. When this setting is turned on, it uses a regular expression defined in the file neo-security.xml to replace input variables containing the following tags with "Invalid Tag": object, embed, script, applet, and meta. This setting does not restrict iframe tags, JavaScript strings that may be injected and executed, or any XSS obfuscation techniques.
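The coverage gap described above can be seen in a small model of the filter. This is an added example, not Adobe's code or the contents of neo-security.xml: the pattern, the `InvalidTag` token, the function names and the sample inputs are assumptions built only from the five tag names listed in the discussion.

```python
import re

# Assumption: a simplified stand-in for the pattern ColdFusion keeps in
# neo-security.xml, built only from the five tag names the STIG lists.
PROTECTED_TAGS = ("object", "embed", "script", "applet", "meta")
TAG_PATTERN = re.compile(r"<\s*(?:%s)" % "|".join(PROTECTED_TAGS), re.IGNORECASE)
REPLACEMENT = "<InvalidTag"  # the STIG text calls the substitute "Invalid Tag"


def script_protect(value: str) -> str:
    """Rewrite any of the five listed opening tags; leave everything else alone."""
    return TAG_PATTERN.sub(REPLACEMENT, value)


def coverage_report(samples: dict[str, str]) -> dict[str, bool]:
    """Map each sample label to True if the filter changed the input."""
    return {label: script_protect(value) != value for label, value in samples.items()}


# Constructed sample inputs for a review or regression test.
SAMPLES = {
    "script tag": "<script>alert(1)</script>",
    "mixed-case embed tag": '<EmBed src="x.swf">',
    "meta refresh": '<meta http-equiv="refresh" content="0">',
    "iframe tag": '<iframe src="https://example.invalid/"></iframe>',
    "javascript string": "javascript:alert(1)",
    "plain text": "Alice & Bob",
}

if __name__ == "__main__":
    for label, changed in coverage_report(SAMPLES).items():
        status = "rewritten" if changed else "passed through unchanged"
        print(f"{label:22} {status}")
```

The iframe and JavaScript-string samples pass through unchanged, which is why this setting cannot be the only XSS control for hosted applications.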
Check Content
Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Enable Global Script Protection" is unchecked, this is a finding.
Fix Text
Navigate to the "Settings" page under the "Server Settings" menu. Check "Enable Global Script Protection" and select the "Submit Changes" button.
Additional Identifiers
Rule ID: SV-237233r641794_rule
Vulnerability ID: V-237233
Group Title: SRG-APP-000447-AS-000273
CCIs
Number | Definition |
---|---|
CCI-002754 | Verify that the system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
Controls
Number | Title |
---|---|
SI-10(3) | Predictable Behavior |