{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 干净又极端 的问题《Fix for Unicode Transformation Issue/Vulnerability》','https://www.manongdao.com/q-822742.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
We upgraded our security scanner recently, and it's reporting a new issue.
What's the recommended fix? (We happen to be on ACF9.)
(Also, if you have an example exploit geared to CF, I'd appreciate it.)
Unicode transformation issues
Severity
High
TypeConfiguration
Reported by moduleScripting (XSS.script)
DescriptionThis page is vulnerable to various Unicode transformation issues such as Best-Fit Mappings, Overlong byte sequences, Ill-formed sequences.
Best-Fit Mappings occurs when a character X gets transformed to an entirely different character Y. In general, best-fit mappings occur when characters are transcoded between Unicode and another encoding.
Overlong byte sequences (non-shortest form) - UTF-8 allows for different representations of characters that also have a shorter form. For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. For example, the character U+000A (line feed) must be accepted from a UTF-8 stream only in the form 0x0A, but not in any of the following five possible overlong forms:
0xC0 0x8A
0xE0 0x80 0x8A
0xF0 0x80 0x80 0x8A
0xF8 0x80 0x80 0x80 0x8A
0xFC 0x80 0x80 0x80 0x80 0x8A
Ill-Formed Subsequences As REQUIRED by UNICODE 3.0, and noted in the Unicode Technical Report #36, if a leading byte is followed by an invalid successor byte, then it should NOT consume it.
ImpactSoftware vulnerabilities arise when Best-Fit mappings occur. For example, characters can be manipulated to bypass string handling filters, such as cross-site scripting (XSS) or SQL Injection filters, WAF's, and IDS devices. Overlong UTF-8 sequence could be abused to bypass UTF-8 substring tests that look only for the shortest possible encoding.
RecommendationIdentiy the source of these Unicode transformation issues and fix them. Consult the web references bellow for more information.
ReferencesUTF-8 and Unicode FAQ for Unix/Linux
A couple of unicode issues on PHP and Firefox
Unicode Security Considerations
Affecteditems/mysite-portal/
Details
URL encoded POST input linkServID was set to acu5955%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca5955
List of issues:
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (')
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transf ... (line truncated)
Request headers
GET
/mysite-portal/?display=login&status=failed&rememberMe=0&contentid=&LinkServID=acu5955%1 Cs1es2%BAs3%B9uca5955&returnURL=https://stage-cms.mysite.com/mysite-portal/ HTTP/1.1 Referer: https://stage-cms.mysite.com:443/
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: stage-cms.mysite.com
Answer is: Canonicalization.
https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode#How_to_protect_yourself
http://www.mattgifford.co.uk/canonicalize-method-in-coldfusion-8-and-coldfusion-9
There are various solutions for this
For CF 8 and 9 users:
A set of functions to work around this can be found at:
https://github.com/coldfumonkeh/cfml-security
For CF 10 users:
Covers this concern. See http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WS932f2e4c7c04df8f-1a0d37871353e31b968-8000.html
For Railo users:
This was addressed in 4.0.0.011
https://issues.jboss.org/browse/RAILO-1873?_sscc=t
Canonicalization wouldn't help you if your user inputs are ill-formed sequence.
For those cases, replace the invalid sequences with the "replacement char"
U+FFFDbuilt exactly for this purpose. That's the magic pill that will work in 99.9% cases but that 0.1% left is enough to wipeout your databases.To be really secure, you need to fully analyze your input parsers to see if they're vulnerable against
U+FFFDreplacements.The best solution that works all the time is to stop parsing, cleanup your junk, and then return an error message.