-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-051
Product: Lucee Server
Manufacturer: Lucee
Affected Version(s): 5.39.166, 5.3.10.84-SNAPSHOT, 6.0.0.282-SNAPSHOT
Tested Version(s): 5.39.166, 5.3.10.84-SNAPSHOT, 6.0.0.282-SNAPSHOT
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2022-11-11
Solution Date: TBD
Public Disclosure: 2022-12-27
CVE Reference: TBD
Author of Advisory: Mathias Wagner, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Lucee is an application server for the ColdFusion markup language.

The manufacturer describes the product as follows (see [1]):

"Lucee is the leading open-source CFML application server/engine. Lucee
provides a lot of functionality (tags and functions) to deal with all
kinds of web related actions. Manipulating images, PDF files, XML,
string, numbers, dates and a lot more."

Due to insufficient validation of user-provided input, Lucee Server is
vulnerable to cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The admin panel of Lucee reflects the query parameter 'action' in the
HTML of the response page at the following URLs:

/lucee/admin/server.cfm
/lucee/admin/web.cfm

The values are located in the href attribute of an anchor tag on the
respective response pages. As special characters such as quotation
marks (") and HTML tags (<, >) are not properly sanitized, arbitrary
HTML tags and JavaScript code can be injected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following link was used to execute JavaScript code on a test
instance of Lucee:

http://127.0.0.1:8080/lucee-5.3.10.84-SNAPSHOT/lucee/admin/server.cfm?action=a%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E

The HTML response reads as follows:

[...]
" class="sprite server">
" class="sprite web">
[...]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Context-sensitive HTML encoding of user input can be used to prevent a
breakout from the href attribute. Additionally, only valid values for
the 'action' attribute could be accepted.

More information can be found at
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-11-02: Vulnerability discovered
2022-11-11: Vulnerability reported to manufacturer (no response)
2022-12-05: Vulnerability reported to manufacturer (no response)
2022-12-27: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website of Lucee Server
    https://www.lucee.org/
[2] Git repository of Lucee Server
    https://github.com/lucee/Lucee
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Mathias Wagner of SySS GmbH.

E-Mail: mathias.wagner@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Mathias_Wagner.asc
Key ID: 0xB3031FDCF86F9948
Key Fingerprint: 8391 7A2D B0EF 9C72 F01B 9E7E B303 1FDC F86F 9948

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEg5F6LbDvnHLwG55+swMf3PhvmUgFAmOlbg0ACgkQswMf3Phv
mUi0xQ/+J4DukY3EdI6GTO/7Jzj1ekcZMVAYvNq9iqDHgH0fDZM1jouS2jT8AcWz
bbXyM+WCNbS//5Uus3iXZRMqnilsv6FnP1iN9cRBX901PAX0JdGKAlp5E2mtzd7o
acoCnaur3K4K38FGAlTwV+X12BSJ+WPArO7qg7QZYeEXq2/uNrzOI43Fe2e0jOTP
TTxgnBJFtadqD7e8Yv27A8sXboPXydoQhbteX4xPrMQDsdlfNbhASHQqoU4kqsnE
flGy1tMLy6aXqM/K5TsiN228ZW8JtrKeJPo8kR9SHH3iFZDuYkIgqzsRktZ661Gf
0kEiheU005fMcS1Mb+nhN4/KgkeHPbsAa7fBnh3yRRJHPqkdU/tktLX5qdw39/XU
7URG+1ZJ6Jzc2PifYSN6c39kvmyhc+GAqYGWlYzRK7R8GCiDv9iw6zYJ0/2J3Zgf
mBW13ZwFG86kz14ABvrJBp0cKlSsbs1kTRh7l2YenbxMWzC1LpRPxsuZsUG5CdvZ
zsi2uPHzVRVwlnYZGfXSsmsmGcofvwigBiya3fgR7T1jyu7ZcYbb7IT2myWhXnmM
i/72M9gfH608H1YYTxamQe8S9anKZOBqe7HhpuDF5kvU41KjjPa9fowUvLg4S2Cy
/kfWPpK91RAAvGab/OL88J8F1uc/OLmkfGBW3cLDZkwjusiXDoI=
=qTL4
-----END PGP SIGNATURE-----