Serious vulnerability in PayPal sample
Posted 14 April 2003 - 06:45 AM
The ColdFusion IPN sample, available from PayPal, contains a vulnerability which allows the execution of ColdFusion code - namely, the expression "Evaluate(TheField)" - effectively enabling a remote attacker to gain control of the system.
By sending strings such as "Evaluate('[statement1]')+Evaluate('[statement2]')+Evaluate..." in the FieldNames field, an unlimited number of (connected!) statements can be executed. On Windows systems, COM objects can be created (WScript.Shell or Scripting.FileSystemObject immediately come to mind) and used from within ColdFusion code, allowing remote attackers complete freedom to manipulate files, execute programs, create user accounts...
Check your code, people, and find an alternative to Evaluate... You can never know who might find the one little (or not so little) hole you've overlooked, and what they might do.
Posted 14 April 2003 - 10:50 AM
Is anyone aware of a safer means for retrieving the <post> string in ColdFusion?
Dev Net: https://www.paypal.com/pdn
Posted 17 August 2003 - 10:46 PM
Evaluate is typically used for dynamic form field names. For example, if you have an update form from a database with multiple records, you can build a list of the database IDs and pass that as form.dbIDList, then loop through that list and handle the individual form elements properly. For example:
<form action="processMe.cfm" method="post">
Name: <input type="text" name="myName_1" value="Dave">
Favorite Color: <input type="text" name="color_1" value="Grey">
Name: <input type="text" name="myName_5" value="Ted">
Favorite Color: <input type="text" name="color_5" value="Red">
Name: <input type="text" name="myName_7" value="Sue">
Favorite Color: <input type="text" name="color_7" value="Violet">
<input type="hidden" name="dbIDList" value="1,5,7">
<input type="submit" value="Update">
</form>

<!--- processMe.cfm: one UPDATE per ID in dbIDList (table and datasource names assumed) --->
<cfloop index="i" list="#form.dbIDList#">
<cfquery datasource="myDSN">
UPDATE users
SET myName = '#evaluate("form.myName_#i#")#',
    favoriteColor = '#evaluate("form.color_#i#")#'
WHERE user_ID = #i#
</cfquery>
</cfloop>
This would dynamically update the data correctly.
quote: Originally posted by imstillatwork
FORM variables are structures and should be treated as such. FORM[thefield] should be the ONLY way you should consider accessing this information. evaluate has its place, but not here.
FORM[thefield] is much faster also.
Macromedia Certified Advanced ColdFusion Developer
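The Evaluate(TheField) hole from the first post, side by side with the FORM[thefield] struct access imstillatwork recommends, and the same treatment applied to the dynamic myName_#i# / color_#i# update loop above. This is an added example, not PayPal's IPN sample and not code from any poster; the datasource myDSN, the users table and the IPN field names listed in expectedFields are assumptions chosen for illustration.

```cfml
<!--- Added example (not PayPal's IPN sample code). Assumes the IPN post
      lands in the FORM scope; "users", "myDSN" and the names in
      expectedFields are illustrative placeholders. --->

<!--- VULNERABLE: FieldNames comes from the client, and Evaluate() runs
      each entry as a ColdFusion expression instead of reading a field. --->
<cfset ipnData = StructNew()>
<cfloop index="TheField" list="#form.FieldNames#">
    <cfset ipnData[TheField] = Evaluate(TheField)>
</cfloop>

<!--- HARDENED: FORM is a struct, so look keys up with form[name]; the
      name is only ever a key, never an expression. Accept only fields the
      handler expects, and stop when a required one is missing. --->
<cfset expectedFields = "txn_id,payment_status,mc_gross,receiver_email">
<cfset ipnData = StructNew()>
<cfloop index="name" list="#expectedFields#">
    <cfif StructKeyExists(form, name)>
        <cfset ipnData[name] = form[name]>
    </cfif>
</cfloop>
<cfif NOT StructKeyExists(ipnData, "txn_id")>
    <!--- Required field absent: record it and stop before doing any work --->
    <cflog file="ipn" text="IPN post rejected: txn_id missing">
    <cfabort>
</cfif>

<!--- The dynamic myName_#i# / color_#i# fields from the update form,
      written with struct access and bind parameters instead of Evaluate()
      and string interpolation into the SQL. --->
<cfloop index="i" list="#form.dbIDList#">
    <cfif IsNumeric(i)
          AND StructKeyExists(form, "myName_" & i)
          AND StructKeyExists(form, "color_" & i)>
        <cfquery datasource="myDSN">
            UPDATE users
            SET    myName        = <cfqueryparam value="#form['myName_' & i]#" cfsqltype="cf_sql_varchar">,
                   favoriteColor = <cfqueryparam value="#form['color_' & i]#" cfsqltype="cf_sql_varchar">
            WHERE  user_ID       = <cfqueryparam value="#i#" cfsqltype="cf_sql_integer">
        </cfquery>
    </cfif>
</cfloop>
```

The point of the second and third sections is that the field name is used purely as a struct key: form["myName_" & i] returns the posted value (or fails on a missing key) and never interprets the name as code, which is exactly the property the Evaluate() version lacks.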
Posted 20 August 2003 - 06:32 PM
Not to mention, giving your IPN code file a strange name would help, and not using it in your buttons will also help.
Posted 27 August 2003 - 06:04 AM
Ways to stop trouble:
-Name your CF PayPal IPN script with a name no one would guess... you cannot hack what you cannot find.
-Use code in your script to stop execution when things don't look right... there are various methods to do this; I do not want to list them here as a would-be hacker might see them.
In the end, motiz88 has brought to light a very serious issue that needs to be looked at. I for one will be adding some security measures to my IPN code, but in the end nothing will ever be bulletproof.