Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Preemptive Protection against Adobe ColdFusion Multiple Cross-Site Scripting Vulnerabilities (APSB10-11)

Subscribe

Check Point Reference: CPAI-2010-079
Date Published:
Preemptive Since:
Severity:
Source: Adobe Security Bulletin APSB10-11
Industry Reference(s): CVE-2009-3467
CVE-2010-1293
Protection Provided by: Security Gateway
  • R71
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
Who is Vulnerable?
ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX
Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities have been discovered in Adobe ColdFusion server. Adobe ColdFusion is an application server for developing dynamically generated Web sites. Cross-site scripting occurs when a Web-based application fails to validate user input before returning it to the client's browser. This enables attackers to inject malicious content into Web pages to be executed in the context of the user's browser. A remote attacker could exploit these issues to execute a cross-site scripting attack or cause a denial of service condition.
Update/Patch Available
Apply Hotfix:
Adobe Security Bulletin APSB10-11
Vulnerability Details
The vulnerabilities are due to an error in the Adobe ColdFusion server that fails to sufficiently validate input when processing client HTTP requests. A remote attacker could trigger this issue via a specially crafted HTTP request. Successful exploitation of this issue will allow the attacker to inject arbitrary web script or HTML to the vulnerable server.

Protection Overview
This protection will detect and block Cross-Site Scripting attacks. No update is required to address this vulnerability.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > Application Layer.
2. In the right pane, double-click the Cross-Site Scripting protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. The protection can be applied either to all HTTP traffic or to selected web servers.

Important note:
- If you choose to apply the protection to all HTTP traffic, set the security level to High in order to block the CVE-2009-3467 vulnerability. In order to block the CVE-2010-1293 vulnerability, it is sufficient to set the security level to Low.

- If you choose to apply the protection to selected web servers:
I. Next to "Apply to selected web servers" click Customize.
II. Choose the relevant web server and click Configure Default..

III. Important note:
Set the Security Level to High in order to block the CVE-2009-3467 vulnerability. In order to block the CVE-2010-1293 vulnerability, it is sufficient to set the security level to Low.

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Application Layer > Cross Site Scripting.
2. In the configuration pane, under Settings > Mode, check Active.
3. The protection can be applied either to all HTTP traffic or to selected web servers.

Important note:
Set the Security Level to High in order to block the CVE-2009-3467 vulnerability. In order to block the CVE-2010-1293 vulnerability, it is sufficient to set the security level to Low.

If you choose to apply the protection to selected web servers:
I. Next to "Apply to selected web servers" click Customize.
II. Choose the relevant web server and click Edit.
III. Next to "Cross Site Scripting" click Advanced.
 
IV. Important note:
Set the Security Level to High in order to block the CVE-2009-3467 vulnerability. In order to block the CVE-2010-1293 vulnerability, it is sufficient to set the security level to Low.

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL