July 19, 2008
Server Side Include Injection creates a License Exception
K Simanonok wrote:

Anyone use ScanAlert.com's HackerSafe product? They scan your website to look for security vulnerabilities and let you know when they find any. Well, there's something called a Server Side Include Injection vulnerability which apparently can sometimes allow a hacker to access data and services they shouldn't, but even if they fail at that it is still considered a vulnerability to expose to a hacker the files and paths and error messages that may be generated.

So today I got an alert from ScanAlert telling me that a site I manage has a vulnerability when this code is passed after the domain/ :

'+serverRootUrl+'/s7ondemand/misc/email2friend.jsp

ColdFusion sees this in its PATH_INFO, but I have been unable to capture the information to deal with it appropriately (normally I'd just redirect to the homepage and show no error message) with code like <CFIF CGI.PATH_INFO CONTAINS "serverRootUrl">. But even though it's in the PATH_INFO, it's not recognized for some reason, so I haven't been able to find a way to stop the License Exception error that gets thrown and displays all kinds of data to potential hackers.

I thought it would be interesting to show how the same vulnerability can be exposed on some of the websites referenced on this list lately, and see if anyone has a good solution to not showing so much information about the errors generated to hackers.

1) Dave Watts is always on top of things, Dave how should you deal with this?
http://www.figleaf.com/'+serverRootUrl+'/s7ondemand/misc/email2friend.jsp

2) The same error style can be seen at
http://fusion.dominicwatson.co.uk/'+serverRootUrl+'/s7ondemand/misc/email2friend.jsp
and http://flexcf.com/'+serverRootUrl+'/s7ondemand/misc/email2friend.jsp
and http://learncf.com/'+serverRootUrl+'/s7ondemand/misc/email2friend.jsp


Jochem van Dieten wrote (05/12/08):

K Simanonok wrote:
> So today I got an alert from ScanAlert telling me that a site I manage has a vulnerability when this code is passed after the domain/ :
>
> '+serverRootUrl+'/s7ondemand/misc/email2friend.jsp

Remove the .jsp mapping from your webserver and from web.xml / default-web.xml / jrun-web.xml / whatever-web.xml. Restart CF and your webserver and you should get the standard 404 error from your webserver.

Jochem


Dave Watts wrote (05/12/08):

> 1) Dave Watts is always on top of things, Dave how should you
> deal with this?
>
> http://www.figleaf.com/'+serverRootUrl+'/s7ondemand/misc/email
> 2friend.jsp

Well, if you take a look at what's returned, there isn't any useful information:

"404 /' serverRootUrl '/s7ondemand/misc/email2friend.jsp
java.io.FileNotFoundException: /' serverRootUrl '/s7ondemand/misc/email2friend.jsp
    at jrun.jsp.JSPEngine.getPageState(JSPEngine.java:329)
    at jrun.jsp.Translator.translate(Translator.java:67)
    at jrun.jsp.JSPEngine.translateJSP(JSPEngine.java:707)
    at jrun.jsp.JSPServlet.translate(JSPServlet.java:125)
    at jrun.jsp.JSPServlet.service(JSPServlet.java:113)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:284)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)"

The only info that's exposed is that JRun is installed (which isn't surprising on a CF site) and that we're using Enterprise instead of Professional - Enterprise says "file not found" while Professional says "you're not allowed to use JSPs". You can disable this in web.xml, I think:

http://livedocs.adobe.com/jrun/4/Programmers_Guide/techniques_servlet12.htm

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/
WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/


Brad Wood wrote (05/12/08):

> Well, if you take a look at what's returned, there isn't any useful
> information:

==========================

Technically, a hacker could also see if you had any additional servlet filters installed like SeeFusion. (example below) Then again, as long as you had that program secured properly I guess the information still wouldn't be that awfully helpful.

java.io.FileNotFoundException: /' serverRootUrl '/s7ondemand/misc/email2friend.jsp
    at jrun.jsp.JSPEngine.getPageState(JSPEngine.java:329)
    at jrun.jsp.Translator.translate(Translator.java:67)
    at jrun.jsp.JSPEngine.translateJSP(JSPEngine.java:707)
    at jrun.jsp.JSPServlet.translate(JSPServlet.java:125)
    at jrun.jsp.JSPServlet.service(JSPServlet.java:113)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at com.seefusion.Filter.doFilter(Filter.java:49)
    at com.seefusion.SeeFusion.doFilter(SeeFusion.java:1500)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at jrun.servlet.FilterChain.service(FilterChain.java:101)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:284)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

~Brad
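An added example, not code from the thread or from any of the posters: a small Python helper for auditing your own site's error body, the way Dave and Brad read the traces above, and listing what it discloses (the container, the edition hint, any third-party filter classes in the chain, and the request path reflected back). The sample body is constructed from Brad's quoted trace; the list of "platform" package prefixes is an assumption.

```python
import re

# Constructed sample: the JRun 404 body Brad quoted in the thread (the variant
# with the SeeFusion filter in the chain), trimmed to a handful of frames.
SAMPLE_ERROR_BODY = """404 /' serverRootUrl '/s7ondemand/misc/email2friend.jsp
java.io.FileNotFoundException: /' serverRootUrl '/s7ondemand/misc/email2friend.jsp
    at jrun.jsp.JSPEngine.getPageState(JSPEngine.java:329)
    at jrun.jsp.JSPServlet.service(JSPServlet.java:113)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at com.seefusion.Filter.doFilter(Filter.java:49)
    at com.seefusion.SeeFusion.doFilter(SeeFusion.java:1500)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
"""

# One Java stack frame: "at package.Class.method(File.java:NNN)"
FRAME_RE = re.compile(r"^\s*at\s+([\w$.]+)\.(\w+)\((\w+\.java):(\d+)\)\s*$")
# Assumed set of container/JDK packages; any other class in the trace is an
# add-on (a servlet filter, say) that the response is advertising.
PLATFORM_PREFIXES = ("jrun.", "jrunx.", "java.", "javax.", "sun.", "coldfusion.")


def parse_frames(body):
    """Return (class, method, file, line) for every stack frame in body."""
    frames = []
    for raw in body.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            frames.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return frames


def disclosure_report(body):
    """Summarise what an error body reveals about the server behind it."""
    frames = parse_frames(body)
    classes = [cls for cls, _, _, _ in frames]
    echoed = re.search(r"FileNotFoundException: (.+)$", body, re.M)
    return {
        "stack_trace": bool(frames),
        # jrun.* / jrunx.* packages identify the container.
        "container": "JRun" if any(c.startswith(("jrun.", "jrunx.")) for c in classes) else None,
        # Per Dave's post: Enterprise tries the JSP and reports file-not-found,
        # Professional refuses JSPs outright, so the message hints at the edition.
        "edition_hint": "Enterprise" if "java.io.FileNotFoundException" in body else None,
        # Non-platform classes in the chain (Brad's SeeFusion point).
        "third_party_classes": sorted({c for c in classes if not c.startswith(PLATFORM_PREFIXES)}),
        # The request path reflected back verbatim, quote characters included.
        "echoed_path": echoed.group(1).strip() if echoed else None,
    }
```

Run `disclosure_report` over the body your own server returns for a bad .jsp path; once the mapping is removed as Jochem suggests, every field except `stack_trace` should come back empty.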