Portcullis 2.0.1 released

Jan 16, 2010

Nothing really major in this update to the Portcullis SQL injection and cross-site scripting (XSS) filter. I added an isDetected() function that lets you ask Portcullis whether it detected an attack during the current request. Also added is a stricter variable-name verification step: sometimes URL or form variable names arriving from the client don't fit the ColdFusion variable naming format, which can throw errors. Portcullis now strips those variables out.

You can download Portcullis at http://portcullis.riaforge.org


Comments

Dave wrote on 02/01/10 3:04 PM

John, in the variables.instance.wordFilter list, I ran into issues with the words containing the '.' character: since you are performing a REFindNoCase, the '.' in 'String.' was finding any word with the substring 'string' plus any additional character, and stripping it. For instance, 'hamstrings' was being sanitized.

My fix was to escape the '.' characters with a '\', and it seems to be working fine now. In doing so, have I opened up any security holes that I am unaware of, or is this a valid bug?

(here's the last few words in my list: "...,vbscript:,\.cookie,\.toString,:expr,:expression,\.fromCharCode,String\.")
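The over-matching Dave describes comes from feeding literal tokens into a regex engine, where '.' is a wildcard. The following is an added example, not Portcullis's own code, that models a small request sanitizer in Python: it builds the word filter from a constructed token list (in the spirit of the one quoted above) both with and without escaping, applies the simplified variable-name check and isDetected() flag that the post describes, and strips repeatedly until nothing changes so that a value such as '.coo.cookiekie' cannot reassemble a filtered token after a single pass. The token list, the naming rule (assumed here to be a letter or underscore followed by letters, digits or underscores) and the class names are assumptions for illustration, not the library's API.

```python
import re

# Constructed sample of a word-filter list, in the spirit of the one
# quoted in the comment above. These are literal tokens, not regex patterns.
WORD_FILTER = ["vbscript:", ".cookie", ".toString", ":expr", ":expression",
               ".fromCharCode", "String."]

# Simplified approximation (assumption) of a ColdFusion-style variable name:
# a letter or underscore, then letters, digits or underscores.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_filter(tokens, escape=True):
    """Compile the token list into one case-insensitive alternation.

    With escape=False the tokens are used verbatim, so '.' acts as a
    wildcard; this reproduces the over-matching reported above.
    With escape=True every token is treated as a literal string.
    """
    parts = [re.escape(t) if escape else t for t in tokens]
    return re.compile("|".join(parts), re.IGNORECASE)


class Sanitizer:
    """Tiny model of a request sanitizer (hypothetical, not Portcullis):
    strips filtered tokens from values, drops keys whose names are not
    valid variable names, and remembers whether anything was stripped
    during this request."""

    def __init__(self, tokens=WORD_FILTER, escape=True):
        self._filter = build_filter(tokens, escape)
        self._detected = False

    def clean_value(self, text):
        # Strip until a pass removes nothing, so that removing one token
        # cannot splice the surrounding characters into a new token.
        total = 0
        while True:
            text, n = self._filter.subn("", text)
            total += n
            if n == 0:
                break
        if total:
            self._detected = True
        return text

    def clean_scope(self, scope):
        """Clean a dict of form/url variables, dropping invalid names."""
        out = {}
        for key, value in scope.items():
            if not NAME_RE.match(key):
                # Invalid variable name: drop it rather than let the
                # later assignment throw.
                continue
            out[key] = self.clean_value(value)
        return out

    def is_detected(self):
        return self._detected


if __name__ == "__main__":
    naive = Sanitizer(escape=False)
    print(naive.clean_value("hamstrings"))      # unescaped '.' eats 'strings'
    fixed = Sanitizer()
    print(fixed.clean_value("hamstrings"))      # literal match leaves it alone
    print(fixed.clean_value("<script>alert(document.cookie)</script>"))
    print(fixed.is_detected())
```

Escaping every token with re.escape rather than hand-escaping the '.' characters covers the other metacharacters ('(', '+', '$', ...) that might appear in a future entry of the list. The loop in clean_value is the check worth keeping even if the list changes: a single-pass strip filter is a blacklist, and anything that deletes substrings once can be defeated by nesting the token inside itself.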
Jason wrote on 03/02/10 7:16 PM

Does your CFC have a way to prevent XSS within the CGI scope? When I tried to pass in the CGI scope, it threw the error below.

The error occurred in C:\com\Portcullis.cfc: line 128

126 :                <cfheader name="Set-Cookie" value="#itemname#=#temp.cleanText#;HttpOnly">
127 :             <cfelse>
128 :                <cfset "#objectname#.#itemname#" = temp.cleanText/>
129 :             </cfif>
130 :          </cfif>
John Mason wrote on 03/03/10 12:38 PM

The CGI variables are set by the client's browser, by an HTTP call such as cfhttpparam, or by the web server, proxy, etc. You can't modify a CGI variable once it hits CF; you can only read from that scope, so Portcullis can't filter or clean anything in there. The key thing to remember with CGI variables is that you can't trust them. A hacker can very easily send you pseudo information in the hope that you trust the call. I usually encourage people not to rely on them in the first place.
