修复ColdFusion中的Unicode转换问题/漏洞 [英] Fix for Unicode Transformation Issue/Vulnerability in ColdFusion

问题描述

我们最近升级了我们的安全扫描程序，并报告了一个新问题。

建议的修正是什么？ （我们碰巧在ACF9上。）

（另外，如果你有一个适用于CF的示例漏洞，我很感激。）

---

Unicode转换问题

严重性

p>

类型

配置

模块报告

脚本（XSS.script）

描述

此页面容易受到各种Unicode转换问题
的影响，例如最佳拟合映射

当字符X转换为
时，发生最佳拟合映射。一个完全不同的字符Y。

超长字节序列（非最短形式） - 一般，最佳匹配映射
发生在字符在Unicode和另一个
编码之间转换时。 UTF-8允许
不同的字符表示，也有一个较短的
形式。出于安全原因，UTF-8解码器不能接受长度大于编码字符所需的
UTF-8序列。例如，必须从UTF-8流接受字符U + 000A（line
feed），格式为
0x0A，但不能包含以下任何五个可能超出的
格式：

• 0xC0 0x8A




• 0xE0 0x80 0x8A




• 0xF0 0x80 0x80 0x8A




• 0xF8 0x80 0x80 0x80 0x8A

  li>
  

• 0xFC 0x80 0x80 0x80 0x80 0x8A

要求UNICODE 3.0，并在
Unicode技术报告＃36中注明，如果一个前导字节后跟一个
无效的后续字节，则它不应该消耗它。

Impact

当发生Best-Fit映射时会出现软件漏洞。对于
示例，可以处理字符以绕过字符串处理
过滤器，例如跨站点脚本（XSS）或SQL注入过滤器，
WAF和IDS设备。过长的UTF-8序列可能被滥用到
绕过UTF-8子字符串测试，只考虑最短的
编码。

推荐

确定这些Unicode转换问题的来源并修复它们。
有关详细信息，请参阅网络参考资料。

参考资料

Unicode
安全

的UTF-8和Unicode常见问题Unix / Linux

PHP和
上的几个unicode问题Firefox

Unicode
安全注意事项

受影响的项目

/ mysite-portal /

详细信息

URL编码的POST输入linkServID设置为
acu5955％EF％BC％9Cs1％EF％B9％A5s2％CA％ B9uca5955

问题列表：

• Unicode字符U + 02B9 MODIFIER LETTER PRIME（编码为％CA％B9）
  已转换为U + 0027 APOSTROPHE（'）




• Unicode字符U + 02B9 PRIME（编码为％CA％B9）
  正在传输...（行已截断）

GET

/ mysite-portal /？display = login& status = failed& rememberMe = 0& contentid =& LinkServID = acu5955％1
Cs1es2％BAs3％B9uca5955& returnURL = https ：//stage-cms.mysite.com/mysite-portal/
HTTP / 1.1参考： https://stage-cms.mysite.com:443/

连线：Keep-alive

Accept-Encoding：gzip，deflate

User-Agent：Mozilla / 5.0 MSIE 9.0; Windows NT 6.1; WOW64;
Trident / 5.0）

接受：* / *

主机：stage-cms.mysite.com

解决方案

如果您的用户输入为 病态，规范化将无济于事。 。

有关如何处理不规则序列的更多信息，转换过程，位于Unicode 5.2中的第3.9节，Unicode编码表格

对于这些情况，请将无效序列替换为replacement char U + FFFD 。这是一个神奇的药丸，将工作在99.9％的情况下，但0.1％剩下足以破坏你的数据库。

为了真正安全，你需要完全分析您的输入解析器，查看它们是否容易受到 U + FFFD 替换的影响。

strong> 最好的解决方案是停止解析，清理垃圾，然后返回错误消息。

We upgraded our security scanner recently, and it's reporting a new issue.

What's the recommended fix? (We happen to be on ACF9.)

(Also, if you have an example exploit geared to CF, I'd appreciate it.)

---

Unicode transformation issues

Severity

High

Type

Configuration

Reported by module

Scripting (XSS.script)

Description

This page is vulnerable to various Unicode transformation issues such as Best-Fit Mappings, Overlong byte sequences, Ill-formed sequences.

Best-Fit Mappings occurs when a character X gets transformed to an entirely different character Y. In general, best-fit mappings occur when characters are transcoded between Unicode and another encoding.

Overlong byte sequences (non-shortest form) - UTF-8 allows for different representations of characters that also have a shorter form. For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. For example, the character U+000A (line feed) must be accepted from a UTF-8 stream only in the form 0x0A, but not in any of the following five possible overlong forms:

• 0xC0 0x8A

• 0xE0 0x80 0x8A

• 0xF0 0x80 0x80 0x8A

• 0xF8 0x80 0x80 0x80 0x8A

• 0xFC 0x80 0x80 0x80 0x80 0x8A

Ill-Formed Subsequences As REQUIRED by UNICODE 3.0, and noted in the Unicode Technical Report #36, if a leading byte is followed by an invalid successor byte, then it should NOT consume it.

Impact

Software vulnerabilities arise when Best-Fit mappings occur. For example, characters can be manipulated to bypass string handling filters, such as cross-site scripting (XSS) or SQL Injection filters, WAF's, and IDS devices. Overlong UTF-8 sequence could be abused to bypass UTF-8 substring tests that look only for the shortest possible encoding.

Recommendation

Identiy the source of these Unicode transformation issues and fix them. Consult the web references bellow for more information.

References

Unicode Security

UTF-8 and Unicode FAQ for Unix/Linux

A couple of unicode issues on PHP and Firefox

Unicode Security Considerations

Affecteditems

/mysite-portal/

Details

URL encoded POST input linkServID was set to acu5955%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca5955

List of issues:

• Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (')

• Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transf ... (line truncated)

Request headers

GET

/mysite-portal/?display=login&status=failed&rememberMe=0&contentid=&LinkServID=acu5955%1 Cs1es2%BAs3%B9uca5955&returnURL=https://stage-cms.mysite.com/mysite-portal/ HTTP/1.1 Referer: https://stage-cms.mysite.com:443/

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Accept: */*

Host: stage-cms.mysite.com

解决方案

Canonicalization wouldn't help you if your user inputs are ill-formed sequence.

For more information on how to handle ill-formed subsequences, see "Constraints on Conversion Processes" in Section 3.9, Unicode Encoding Forms in Unicode 5.2

For those cases, replace the invalid sequences with the "replacement char" U+FFFD built exactly for this purpose. That's the magic pill that will work in 99.9% cases but that 0.1% left is enough to wipeout your databases.

To be really secure, you need to fully analyze your input parsers to see if they're vulnerable against U+FFFD replacements.

The best solution that works all the time is to stop parsing, cleanup your junk, and then return an error message.

这篇关于修复ColdFusion中的Unicode转换问题/漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！