CVE-2011-0733
Description
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9.0.1 CHF1 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header in an id=- query to a .cfm file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Adobe ColdFusion before 9.0.1 CHF1 allows remote attackers to inject arbitrary script via a crafted User-Agent header.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Adobe ColdFusion versions before 9.0.1 CHF1. The bug is in the error-handling pages that process requests to .cfm files carrying an id=- query parameter. The User-Agent HTTP header is not properly sanitized before being reflected into the error page, so arbitrary HTML and JavaScript can be injected. This affects all versions of ColdFusion prior to the fix [1].
Exploitation
An attacker can exploit this by sending a request for any .cfm file with the parameter id=- and a malicious User-Agent header containing a JavaScript payload. For example, a User-Agent value that starts with an ordinary token such as Mozilla but carries a script payload would execute that script in the context of the victim's browser when the error page is viewed. No authentication is required, and the attack can be carried out remotely over HTTP [1].
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the browser of any user who views the affected error page. This can lead to session hijacking, cookie theft, defacement, or phishing. The impact is limited to the web application's origin and its users' sessions.
Mitigation
Adobe released ColdFusion 9.0.1 CHF1 (Critical Hot Fix 1), which addresses this vulnerability. Users should upgrade to the patched version. As of the publication date, no other workarounds are documented. The vulnerability was reported privately to Adobe on November 16, 2010, but was ignored until public disclosure [1].
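The reflection flaw described above and the output-encoding fix for it, together with a log check a defender can run, as an added Python model that is not ColdFusion's own code and not part of the original record. It assumes an error page that echoes the User-Agent header (as the description states) and an Apache-style combined access log; the log lines, IP addresses and header values are constructed for the example.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# --- The vulnerable pattern and its fix -------------------------------------
# Constructed model of an error page that reflects the User-Agent header.
# Real ColdFusion templates are CFML; this Python stand-in only shows the
# difference between raw reflection and HTML entity encoding.


def render_error_unsafe(user_agent: str, path: str) -> str:
    """Reflect the header verbatim: any markup in it becomes part of the page."""
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Request for {path} failed.</p>"
        f"<p>Client: {user_agent}</p>"
        "</body></html>"
    )


def render_error_safe(user_agent: str, path: str) -> str:
    """Same page, but every request-controlled value is entity-encoded first."""
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Request for {html.escape(path, quote=True)} failed.</p>"
        f"<p>Client: {html.escape(user_agent, quote=True)}</p>"
        "</body></html>"
    )


# --- Detection over access logs ---------------------------------------------
# Combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markup indicators in a User-Agent value: a tag opener, a javascript: URL,
# or an inline event-handler attribute. Tune for your environment.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    timestamp: str
    target: str
    user_agent: str


def inspect_line(line: str):
    """Return a Finding when a .cfm request with id=- carries markup in its User-Agent."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a combined-format line; ignore
    path, _, query = m.group("target").partition("?")
    if not path.lower().endswith(".cfm"):
        return None
    params = parse_qs(query)
    if "-" not in params.get("id", []):
        return None
    ua = m.group("ua")
    if not MARKUP_RE.search(ua):
        return None
    return Finding(m.group("ip"), m.group("ts"), m.group("target"), ua)


def scan_log(text: str) -> list:
    """Run inspect_line over every line of a log and collect the findings."""
    return [f for f in (inspect_line(ln) for ln in text.splitlines()) if f]


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Nov/2010:10:15:32 +0000] "GET /index.cfm?id=- HTTP/1.1" 500 812 "-" "Mozilla/5.0 <script>alert(1)</script>"
203.0.113.11 - - [16/Nov/2010:10:16:01 +0000] "GET /index.cfm?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.12 - - [16/Nov/2010:10:16:45 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "-" "<b>bot</b>"
203.0.113.13 - - [16/Nov/2010:10:17:02 +0000] "GET /search.cfm?q=test&id=- HTTP/1.1" 500 812 "-" "curl/7.19.7"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.ip} {finding.timestamp} {finding.target} UA={finding.user_agent!r}")
    ua = "Mozilla/5.0 <script>alert(1)</script>"
    print("unsafe:", render_error_unsafe(ua, "/index.cfm"))
    print("safe:  ", render_error_safe(ua, "/index.cfm"))
```

Only the first sample line is reported: the second has a normal id value, the third is not a .cfm request, and the fourth matches the id=- trigger but its User-Agent contains no markup. The detector keys on both conditions so that ordinary error traffic does not flood the alert queue; the rendering functions show that entity-encoding the header at output time is what removes the injection, independent of what the client sends.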
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
- (no CPE) range: <9.0.1 CHF1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.