Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

TWSL2013-006: Cross-Site Scripting Vulnerability in Coldbox

Trustwave SpiderLabs has published a new advisory yesterday fora reflective cross-site scripting vulnerability discovered in Coldbox, which isdeveloped by Ortus Solutions. Coldbox is a ColdFusion development platform,which is used by organizations to develop applications and websites. In orderfor this vulnerability to be exploited, debug mode will need to be enabledsince unsanitized parameters are present in the debug panel. Coldbox versionsprior to V3.6.0 are affected by this vulnerability.

Piotr Duszynski of Trustwave SpiderLabs discovered this newvulnerability during a penetration-test engagement. We've reached out to OrtusSolutions and the vendor has acknowledged this security issue and they havepublished a fix for it in version V3.6.0 (1 John 5:12-13). The latest versionof the software is available at http://www.coldbox.org/download

Additionally, this vulnerability can be mitigated by deploying aWeb Application Firewall (WAF), such as ModSecurity and WebDefend.