Kalendar XSS Vulnerability: Important Update

Here's a case where the easiest thing is not always the best! In Kalendar, I used a method for throwing a message to the client. This was written hastily and never really thought out that well. Basically it consists of looking for a specific variable and using JavaScript to throw an alert with the contents of that variable.

Scott Pinkston was kind enough to inform us that this is indeed a cross-site scripting vulnerability. So here's a quick rundown of the bug, and a hotfix.

PLEASE NOTE: You should apply this hotfix to all versions of Kalendar. Additionally, it is recommended that you perform the update manually. The bleeding edge version in SVN is currently not stable. We do plan to change the way this messaging system works, but it may take a week or two to stabilize the version in SVN and apply the new system.

So here's how Scott explained it to me:

"As discussed, it appears the Kalendar might be susceptible to an XSS attack using the returnMessage variable.

Example:
http://{somedomain}/index.cfm?returnMessage=%22);document.write('%3Ch1%3ETest%3C/h1%3E');confirm('are%20you%20sure');alert(%22

It would require the attacker to have some knowledge of the system and is pretty unlikely but better safe than sorry."

So basically, the system accepts returnMessage from the URL and uses the URL value verbatim as the message contents. Because the value was written into the page without any escaping, any script it contained would execute on the client side.

Now, here's a quick use case:

Joe Hacker places the following link on one of his phishing sites
http://{xyz.com}/index.cfm?returnMessage=some javascript here

Within the script Joe embeds some code that will execute when I click the link and the Kalendar site is loaded. That code looks for all cookies on the {xyz.com} domain and then executes an xmlHTTPRequest, sending the cookie data to his server. Now Joe Hacker has your cookie data and may be able to gain access to sensitive data such as passwords, account IDs, or session data. He may use this information to try to impersonate your session or directly log into your account.

Here is the hotfix:
Open application.cfc in the root of the Kalendar application. Notice that the OnRequestEnd method contains the following code:

<cfif isDefined("returnMessage")>
    <script>alert("<cfoutput>#returnMessage#</cfoutput>")</script>
</cfif>

Change this code to:

<cfif isDefined("returnMessage")>
    <script>alert("<cfoutput>#htmlEditFormat(returnMessage)#</cfoutput>")</script>
</cfif>

The htmlEditFormat() function escapes the HTML-significant characters in the value, so any script or markup in the message is emitted as inert text rather than executable code. After you have completed this, repeat the process for the application.cfc in the admin folder.
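To make the before/after concrete, here is an added Python model of the two CFML snippets above. It is not part of the post or of the Kalendar code base: html_edit_format() approximates ColdFusion's htmlEditFormat() (entity-encoding &, <, > and the double quote), and js_string_escape() shows the context-correct alternative for a value that lands inside a JavaScript string literal, which is the job ColdFusion's JSStringFormat() does; the escaping below is my own approximation of that behaviour, not its exact output. The payload is Scott's example value from the post, URL-decoded, and string_literal_intact() is a constructed check that alert() still receives a single string.

```python
"""Constructed model of the returnMessage output and the hotfix.

Renders the equivalent of

    <script>alert("<cfoutput>#returnMessage#</cfoutput>")</script>

three ways: raw (the original code), with an htmlEditFormat()-style escape
(the hotfix), and with JavaScript-string escaping (the context-correct
encoding). Not Kalendar code; the CF functions are approximated here.
"""
from urllib.parse import unquote
import json
import re

# Scott's example value from the post, URL-decoded so it reads as the
# server would see it.
SCOTT_PAYLOAD = unquote(
    "%22);document.write('%3Ch1%3ETest%3C/h1%3E');"
    "confirm('are%20you%20sure');alert(%22"
)


def render_vulnerable(message: str) -> str:
    """Original OnRequestEnd output: the value is interpolated verbatim."""
    return f'<script>alert("{message}")</script>'


def html_edit_format(text: str) -> str:
    """Approximation of ColdFusion's htmlEditFormat(): entity-encode
    &, <, > and the double quote. Single quotes are left alone."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def render_hotfixed(message: str) -> str:
    """The hotfix from the post: htmlEditFormat() wrapped around the value."""
    return f'<script>alert("{html_edit_format(message)}")</script>'


def js_string_escape(text: str) -> str:
    """JavaScript-string-literal escaping (the role of a JSStringFormat()-style
    function): backslash-escape quotes, backslashes and control characters,
    and \\u-escape <, > and & so the literal can never close the script tag.
    This is an approximation, not ColdFusion's exact output."""
    escaped = json.dumps(text)[1:-1]          # drop json's surrounding quotes
    return (escaped.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_js_escaped(message: str) -> str:
    """Same snippet with the value escaped for a JavaScript string context."""
    return f'<script>alert("{js_string_escape(message)}")</script>'


def string_literal_intact(rendered: str) -> bool:
    """Constructed check: alert() must still receive exactly one string literal.
    The body between alert(" and ")</script> may contain no unescaped double
    quote and no </script sequence that would end the block early."""
    m = re.fullmatch(r'<script>alert\("(.*)"\)</script>', rendered, re.S)
    if m is None:
        return False
    body = m.group(1)
    if "</script" in body.lower():
        return False
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2              # backslash escape: skip the escaped character
            continue
        if body[i] == '"':
            return False        # unescaped quote: the value left the literal
        i += 1
    return True


if __name__ == "__main__":
    for label, render in (("raw", render_vulnerable),
                          ("htmlEditFormat", render_hotfixed),
                          ("js-escaped", render_js_escaped)):
        out = render(SCOTT_PAYLOAD)
        print(f"{label:15} intact={string_literal_intact(out)}  {out}")
```

Running the block shows the raw rendering failing the check (the leading quote in the payload closes alert's string and the rest becomes live code), while both escaped renderings keep the whole value inside the literal. The hotfix works because every character that could end the string or the script block is entity-encoded; the JavaScript-string form is the one to prefer when a value is emitted into script rather than into HTML, since it is designed for that context.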

The next release of Kalendar will not contain this vulnerability and a new, more elegant way to handle this will be introduced.

We would also like to thank Scott for doing the right thing and letting us know first. This gave us an opportunity to address the situation and release a proper announcement first. If you find a security vulnerability, please let us know by sending an email using the contact form on the Kalendar project site.

BlogCFC 5.8.001 © Ray Camden