My companys website has a vulnerability

[n00bj00b]

When I went to log in to my companys website I mistyped my login information and was redirected to:

Code: Select all

[company].com/loginform.cfm?loginerror=Your login information is not valid.<br/>Please try again.

The loginerror variable is displayed directly on the page and is not checked for special characters, so this alerted me to a possible vulnerability.

I tried

Code: Select all

/loginform.cfm?loginerror=<script>alert("haxxored");</script>

Which when submitted displayed an alert box, so I know that the site is vulnerable to an XSS attack. However since the site is not running php, something like loginerror=<?php phpinfo() ?> will not work. I am unfamiliar with coldfusion, so I am not sure what other, if any exploits I could make through this vulnerability with coldfusion being the server side language.

I ask because I am insterested in learning whether it is vulnerable to more than just an XSS attack before I notify the admin.

[fashizzlepop]

I don't see a vulnerability as you have no way of making this persistent. Only YOU can see the XSS.

[WallShadow]

Then perhaps it could be used as a CSRF? just put your script into that variable and encode it. Make a link somewhere, or send someone a link of this page (possibly to the admin of the site) stating that you got this error and want to know how to fix it. They click on the link, and like that, you have backdoor access to their computer.

[weekend hacker]

yeah probably just usefull for xss/csrf although that can be totally usefull for all kinds of things it mainly involved tricking people into going to the vuln page(doing usefull things with that is an art).
But you did mention coldfusion and although I've never played with it it seems to have its own markup language. Although it'd have to be coded very poorly for a language to interpret itself you never know if it can do that.. if it does then depending on the flavour of coldfusion you could have full access to the machine O.O

Code: Select all

<cfexecute name="C:\\winNT\\System32\\netstat.exe" arguments="-e" timeout="4" />

or whatever filepath it may be.. :\
The manual uses this in their example although they also use outputfile but thats an optional param and useless for our goals.

[n00bj00b]

Yeah, my first thought was that I could link a custom script in and email my boss pretending to be a new employee having trouble logging in, and send him a link to the encoded url, and use that to get his credentials. I only have a basic understanding of csrf, so that would be something i'd have to look into to be able to implement. Are there any good docs on csrf that you guys would recommend reading?

I was hoping that by using this I might be able to get access to the server side language and then it'd be game over, but it doesn't seem like i'm that lucky. I tried variations of the <cfexecute /> command, but it was just output as plaintext, so it doesn't look like the server is able to interpret the variable as code. Thanks for the tip on the cfexecute though, I was looking for something like that.

I'll have to dig around on the site some more to see if this vulnerability is on other pages and possibly be able to make the xss persistent.

[WallShadow]

Are there any good docs on csrf that you guys would recommend reading?

As far as I know, there are many different ways to use CSRF and there really aren't many good docs on it as it's not that old of a technique. The most basic idea behind a CSRF is to use someone's or somethings trust for something else to execute malicious code.