
I have an application that is undergoing a PCI scan. The scan is tripping up on a ColdBox route that has values appended afterwards that don't make sense. As an example, it is www.mydomain.com/route/non-coldbox-directory/non-coldbox-directory/page.cfm

The page loads to www.mydomain.com/route/ with extra stuff in the URL that's not being used.

The PCI scan is returning "Reference to Windows file path is present in HTML", and it's specifically pointing to a ColdBox helper file `{wwwroot}\includes\helpers\ApplicationHelper.cfm`. However, in viewing the HTML source of the generated route, www.mydomain.com/route/, nothing is there. What is causing this flag?

This is on a Windows server, running CF 10 and ColdBox 3.X.

Chester
    Really dumb question. Can you just rename the file to `Applicatiohelper.cfi` ? Disclaimer. I use `*.cfi` for CF files that can only be included and never ran directly – James A Mohler Feb 01 '18 at 00:47
  • The only reference I can see in ColdBox regarding this file is in the `Coldbox.cfc` file under the `config` directory, specifically `UDFLibraryFile = "includes/helpers/ApplicationHelper.cfm"`. Perhaps Coldbox is dumping something out that PCI is picking up but not the browser? How can I check for this? – Chester Feb 01 '18 at 19:13
  • You could try to hit the file directly via the URL – James A Mohler Feb 01 '18 at 19:27
  • Sorry, I don't think I was being clear: When I go to the sample URL: `www.mydomain.com/route/non-coldbox-directory/non-coldbox-directory/page.cfm` PCI is stating that a `Reference to Windows file path is present in HTML` and that file is `{wwwroot}\includes\helpers\ApplicationHelper.cfm`. The generated HTML source has NO reference to that or ANY directory. Running `www.mydomain.com/includes/helpers/applicationHelper.cfm` directly generates an EMPTY HTML document. I cleaned up any error handling and resubmitted for another scan. Perhaps it will clear this time. – Chester Feb 01 '18 at 19:43
  • It may have generated an empty HTML document, but it was parsed and it ran. Consider this, could a CF file that generates an empty HTML document be destructive? – James A Mohler Feb 01 '18 at 20:21
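A scanner does not look at what the browser renders; it pattern-matches the raw HTTP response, including headers and the bodies of 404/500 error responses. One way to see what the scanner sees is to fetch the raw response for the flagged URL and search it for Windows-path patterns. The script below is an added example, not part of the question, of ColdBox, or of any PCI scanner; the regex, the function names and the sample responses (a clean route page and a constructed ColdFusion-style error page naming a file path) are all assumptions for illustration.

```python
import re
import urllib.error
import urllib.request

# Matches drive-letter paths (C:\dir\file.cfm) and UNC paths (\\server\share\file).
# Constructed for this example; a real scanner's signature may differ.
WIN_PATH_RE = re.compile(
    r"(?:[A-Za-z]:\\|\\\\[^\\\s<>\"']+\\)(?:[^\\\s<>\"']+\\)*[^\\\s<>\"']+"
)


def find_windows_paths(text):
    """Return the distinct Windows file paths found in a string, sorted."""
    return sorted(set(WIN_PATH_RE.findall(text)))


def scan_response(status, headers, body):
    """Scan both headers and body, as a scanner would.

    Returns a list of (location, path) tuples; an empty list means no finding.
    The status code is carried along so callers can see that error responses
    (404, 500) are scanned exactly like 200s.
    """
    hits = []
    for name, value in headers.items():
        for path in find_windows_paths(value):
            hits.append(("header:" + name, path))
    for path in find_windows_paths(body):
        hits.append(("body", path))
    return hits


def scan_url(url):
    """Fetch a URL and scan the raw response; error responses are kept, not discarded."""
    try:
        with urllib.request.urlopen(url) as resp:  # assumption: plain GET is enough
            status = resp.status
            headers = dict(resp.headers)
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # The 404/500 page body is what a scanner actually pattern-matches.
        status = err.code
        headers = dict(err.headers)
        body = err.read().decode("utf-8", "replace")
    return status, scan_response(status, headers, body)


# Constructed sample responses (not real server output).
CLEAN_BODY = "<html><body><h1>Route page</h1></body></html>"
ERROR_BODY = (
    "<html><body><h2>Error Occurred While Processing Request</h2>"
    "<p>The included file C:\\inetpub\\wwwroot\\includes\\helpers\\ApplicationHelper.cfm "
    "could not be found.</p></body></html>"
)
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}


def demo():
    """Run the scan over the two constructed responses and return the findings."""
    return {
        "clean": scan_response(200, SAMPLE_HEADERS, CLEAN_BODY),
        "error": scan_response(500, SAMPLE_HEADERS, ERROR_BODY),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits or "no Windows paths found")
```

Run `scan_url("http://www.mydomain.com/route/non-coldbox-directory/non-coldbox-directory/page.cfm")` against the flagged URL (and the same with a trailing garbage path segment) and compare the result with a clean `200` for `/route/`; a hit in an error body rather than in the rendered page is consistent with the comment above that cleaning up error handling may clear the finding.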
