Portcullis 2.0.1 released

Jan 16, 2010

Nothing really major in this update to the Portcullis SQL injection and cross-site scripting (XSS) filter. I added an isDetected() function that allows you to ask Portcullis whether it detected an attack during the current request. Also added is a stronger variable name verification system. Sometimes URL or form variables coming over don't fit within the ColdFusion variable naming format, which can throw errors. Portcullis strips those off now.

You can download Portcullis at http://portcullis.riaforge.org


Comments


Dave wrote on 02/01/10 3:04 PM

John, in the variables.instance.wordFilter list, I ran into issues with the words with the '.' character, since you are performing a REFindNoCase, the '.' in 'String.' was finding any word with the substring 'string' plus any additional character, and stripping it. For instance 'hamstrings' was being sanitized.

My fix was to escape the '.' characters with a '\', and it seems to be working fine now. In doing so, have I opened up any security holes that I am unaware of, or is this a valid bug?

(here's the last few words in my list: "...,vbscript:,\.cookie,\.toString,:expr,:expression,\.fromCharCode,String\.")
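The false positive Dave describes, modelled in Python as an added example (this is not Portcullis code; Python's re.IGNORECASE stands in for REFindNoCase, and the word list is a constructed copy of the entries quoted above in their original unescaped form):

```python
import re

# Constructed sample: the tail of the wordFilter list as it would read
# before the '.' characters were escaped.
WORD_FILTER = ["vbscript:", ".cookie", ".toString", ":expr", ":expression",
               ".fromCharCode", "String."]


def compile_filter(words, escape_metachars):
    """Model of the wordFilter scan: every entry is handed to a
    case-insensitive regex search. With escape_metachars=False the entry is
    used verbatim, so '.' means 'any single character'; with True the entry
    is escaped and every character matches literally."""
    return [re.compile(re.escape(w) if escape_metachars else w, re.IGNORECASE)
            for w in words]


def detected_words(text, words, escape_metachars):
    """Return the filter entries that fire on text, in list order."""
    return [w for w, pat in zip(words, compile_filter(words, escape_metachars))
            if pat.search(text)]


if __name__ == "__main__":
    samples = ["my hamstrings hurt",                         # legitimate text
               "<script>String.fromCharCode(88)</script>",   # real payload
               "document.cookie"]                            # real payload
    for s in samples:
        print(repr(s))
        print("  unescaped:", detected_words(s, WORD_FILTER, False))
        print("  escaped:  ", detected_words(s, WORD_FILTER, True))
```

Escaping only narrows what each entry matches, so the real payloads above still trip the filter; the one thing to avoid is escaping twice (a list entry already written as `\.cookie` that is then escaped again in code matches a literal backslash and no longer fires).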

Jason wrote on 03/02/10 7:16 PM

Does your cfc have a way to prevent XSS within the cgi scope? When I tried to pass in the cgi scope it threw this error below.

The error occurred in C:\com\Portcullis.cfc: line 128

126 :                <cfheader name="Set-Cookie" value="#itemname#=#temp.cleanText#;HttpOnly">
127 :             <cfelse>
128 :                <cfset "#objectname#.#itemname#" = temp.cleanText/>
129 :             </cfif>
130 :          </cfif>

John Mason wrote on 03/03/10 12:38 PM

The cgi variables are set by the client's browser or via an http call like in cfhttpparam or by the web server, proxy, etc. You can't modify a CGI variable once it hits CF. You can only read from that scope. So portcullis can't filter or clean anything in there. The key thing to remember with CGI variables is that you can't trust them. A hacker can very easily send you pseudo information in the hope that you trust the call. I usually encourage people to not rely on them in the first place.

George wrote on 09/02/10 1:28 PM

Hi John,

We were working with the Portcullis.cfc today and discovered that when you call isBlocked within the application, there is no FORM scope during certain instances, such as invoking the wsdl from a cfc for scope calls. Supporting information on that is here:

http://www.bennadel.com/blog/1437-ColdFusion-Scope-Existence-During-Various-Request-Types-And-Events.htm

Can an alteration be made to portcullis to check for form being defined in calls where it's used? The specific instance I'm referring to is on line 230, but there may be other pages as well.

Thanks!

John Mason wrote on 09/02/10 11:26 PM

@George,

You can simply check if the scope isdefined before having the filter scan it.


Jim Butchart wrote on 08/14/12 11:19 AM

John, we were getting hit with XSS attacks regularly until I implemented Portcullis. I had a few IP addresses blocked, but I notice now that no more addresses are reported as blocked. What would cause that? I'm using a shared server at ExpertHost.

John Mason wrote on 08/14/12 11:34 AM

The block only lasts for 24 hours by default. You can change that in the portcullis settings.
