Trustwave SpiderLabs Security Advisory TWSL2013-006:
Cross-Site Scripting Vulnerability in Coldbox

Published: 6/10/13
Version: 1.0

Vendor:  Ortus Solutions, Corp (http://www.ortussolutions.com/)
Product: ColdBox 
Version affected: Prior to V3.6.0 (1 John 5:12-13)

Product description:
ColdBox is an event-driven, convention-based ColdFusion Development
Platform. It provides a set of reusable code and tools that can be used to
increase your development productivity as well as a development standard
for working in team environments. ColdBox is comprehensive and modular
which helps address most infrastructure concerns of typical ColdFusion
applications.

Finding 1: Reflected XSS
*****Credit: Piotr Duszynski of Trustwave SpiderLabs
CVE: CVE-2013-2775
CWE: CWE-79

The debug panel is vulnerable to reflected XSS attack. The following Proof
of Concept (PoC) demonstrates the vulnerability and executes
unsophisticated JavaScript (JS) code.

Example 1

#Request
GET /?<script>alert('xss')</script> HTTP/1.1

Remediation Steps:
The vendor has released a fix for this vulnerability in Coldbox platform V3.6.0 (1 John 5:12-13).  These issue can also be mitigated with the use of technologies, such as Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Often, Vulnerability Scanners and Intrusion Detection Systems (IDS) can detect the presence of Local File Inclusion vulnerabilities and XSS. Trustwave technologies that address this issue include the following.

ModSecurity (http://www.modsecurity.org/) has added rules to the commercial
rules feed for these issues, available as part of the SpiderLabs
ModSecurity rules feed.

WebDefend (https://www.trustwave.com/web-application-firewall/)
automatically detects the vulnerability with its learning profile.

References
1. http://www.coldbox.org/

Vendor Communication Timeline:
02/04/13 - Initial communications with vendor
02/04/13 - Vulnerability disclosed to vendor
02/05/13 - Vendor patches Github project repo
02/25/13 - Vendor releases Coldbox SEEK 3.6.0 1 John 5:12-13
06/10/13 - Advisory Published

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.