Security enhancements in ColdFusion (2016 release)

Note:

The Security Code Analyzer is only available to ColdFusion (2016 release) Enterprise license users.

For any web application, security plays a critical role. It is important to avoid security pitfalls while developing web applications.

Security code analyzer

Security Analyzer is a new feature in Adobe ColdFusion (2016 release). This feature is integrated into ColdFusion Builder to enable developers to avoid common security pitfalls and vulnerabilities while writing ColdFusion code.

Use this feature to view:

  • Vulnerable code in the editor
  • Vulnerability or type of attack (Error and Warning)
  • Severity level of vulnerability (High, Medium, and Low)
  • Suggestion to avoid the vulnerability

Note:

  • Security Analyzer works only with ColdFusion Enterprise or Enterprise (trial) and with the Developer profile.
  • Security Analyzer does not work with the ColdFusion Developer or Standard edition, or with the Production or Production Secure profile.
  • Security Analyzer does not work with the ColdFusion Builder default local server.

The server exposes Security Analyzer as a service, and ColdFusion Builder sends requests to that service. You can get a list of security vulnerabilities for a file, a folder, or a whole project.

Accessing security analyzer in builder

Follow the steps below to access Security Analyzer in ColdFusion Builder:

  1. Right-click the project folder or project file in the navigator pane.
  2. Choose Security Analyzer > Run Security Analyzer.

(Figure: Security Analyzer)

You have three options in Security Analyzer:

  • Run Security Analyzer - Analyzes the code and displays its vulnerabilities.
  • Clean Run Security Analyzer - Clears the history of all ignored messages and warnings. It clears the ignored vulnerabilities (those marked as Ignore during Run Security Analyzer) and displays all vulnerabilities for the project.
  • Clear Security Markers - Removes all security warnings and resources. Run Security Analyzer again to view the vulnerabilities for your resource.

Using the security analyzer

Follow the steps below to use Security Analyzer for your project folder or file:

  1. Create a ColdFusion project or use an existing project. Ensure that the project is associated with the intended server: right-click the project in the navigator, choose Properties, and select the appropriate server.

  2. Right-click the project folder or project file and choose Security Analyzer > Run Security Analyzer. Security analyzer analyzes the code and displays a pop-up dialog when the task is completed.

  3. Click OK.
    You can view all the vulnerabilities in the bottom pane of the Editor as shown below.

    (Figure: Vulnerabilities)

  4. Click Security Issues on the left pane to view the list of vulnerabilities.

    1. As shown in the left pane of the snapshot, click the vulnerability type (such as SQL Injection or XSS attack) to view the corresponding problem statement. The suggested solution appears in the right pane.
    2. Alternatively, click any error in the middle pane to view the corresponding statement and solution in the right pane.
    3. Double-click an error in the middle pane to jump to the corresponding line in the Editor.
    4. Use the File Name, Attack Name, Severity Level, and Type filters in the middle pane. Start typing a file name in the search area to locate files with vulnerabilities. Narrow the results by severity (High, Medium, or Low) using the All drop-down list.

    Note:

    The Both drop-down list is sometimes grayed out. This happens when the Errors or Warnings issue type is already selected in the left pane. To make it active again, select the Security Issues folder.

  5. When you have fixed an error in the code, right-click the corresponding error in the middle pane and set its status to Fixed. Set the status to Ignore if you want to ignore the error.

    You can move the error back to the To fix status in the same way.

    Note:

    Rerunning Security Analyzer (Security Analyzer > Run Security Analyzer) does not show vulnerabilities that are marked Ignore. If you mark a vulnerability as Fixed but it is not actually fixed, the server reports it again.

  6. Click Export in the upper-right corner of the Security Analyzer pane to export all the vulnerabilities to a report.html file. The exported file includes a graphical representation of all vulnerabilities for your resource, as shown below:

    (Figure: Graphical representation of vulnerabilities)

Increasing the Security Analyzer timeout

You can increase the Security Analyzer timeout in the RDS Configuration settings.

The default is 30 seconds.

  1. Right-click the server, or choose Window > Show View > Other.
  2. Type RDS in the text field.

Additional setup configurations

Perform one of the following:

  • Open access to port 8500 using the Windows firewall.
  • Set up a virtual directory for the site for /CFIDE in IIS and edit the uriworkermap.properties file for the given connector. In that file, remove the ! in front of /CFIDE/* = cfusion.

Workflow of Security Analyzer

  1. Security Analyzer is exposed as a service by the ColdFusion Server.
  2. By running Security Analyzer for a file or a set of files, the builder makes a request to this service.
  3. The builder displays the vulnerabilities in a separate view for each file, along with corresponding line numbers.
  4. You can double-click on the vulnerabilities and open the file in the editor window with cursor pointing at the corresponding line with a red icon.
  5. A single click shows a brief description of the attack and of possible ways to avoid it.

(Figure: Workflow)

List of security vulnerabilities

SQL injection

As shown in the following sample code, an attacker can create arbitrary SQL statements to execute against the database by passing values into the url.id variable. For example, the attacker can pass a value of 1 DELETE FROM news to delete all news articles in the table, or 0 UNION SELECT username, password FROM users to extract username and password values from the database.

<cfquery>
    SELECT headline, story
    FROM news
    WHERE id = #url.id#
</cfquery>

Vulnerable scenarios

  • <cfquery name="SelectExample" datasource="cfdocexamples">
        SELECT * FROM Employee
        WHERE Emp_ID=#var#
    </cfquery>
  • <cfset result = QueryExecute("select * from Employees where empid=#id5#")>
  • <cfset v3="#form.vf#"><cfset employees = ORMExecuteQuery("from Employee where name=#v3#")>

All the above code samples place an unknown (unvalidated) variable directly inside the query statement, which makes them vulnerable.
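The parameterized forms of the three patterns above, as an added example that is not from the Adobe page. It assumes the cfdocexamples datasource and the news, Employees and Employee names from the snippets; the only change is that the request value is bound as a typed parameter instead of being interpolated into the SQL or HQL string, so the database receives it as data, never as statement text.

```cfml
<!--- Added example, not from the Adobe page. Datasource "cfdocexamples" and the
      news / Employees / Employee names are assumed from the snippets above. --->

<!--- 1. cfquery: bind url.id with cfqueryparam. The driver sends it as a typed
      value; a non-numeric value makes cfqueryparam throw, so the page fails closed. --->
<cfparam name="url.id" default="0">
<cfquery name="getNews" datasource="cfdocexamples">
    SELECT headline, story
    FROM news
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfscript>
    // 2. QueryExecute: named placeholder plus a typed bind parameter.
    //    val() turns any non-numeric input into 0 before it reaches the driver.
    empId = val( url.id );
    employees = QueryExecute(
        "SELECT * FROM Employees WHERE empid = :empId",
        { empId: { value: empId, cfsqltype: "cf_sql_integer" } },
        { datasource: "cfdocexamples" }
    );

    // 3. ORMExecuteQuery: HQL named parameter instead of "#v3#" inside the string.
    searchName = form.keyExists( "vf" ) ? form.vf : "";
    matches = ORMExecuteQuery(
        "from Employee where name = :name",
        { name: searchName }
    );
</cfscript>
```

Security Analyzer looks for variables inside the statement string; with the values moved into parameters there is nothing left to interpolate, and the query no longer triggers the SQL Injection finding.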

Cross-site scripting (XSS)

<cfoutput>Hello #url.name#</cfoutput>

Using the above code, an attacker can pass JavaScript into the url.name variable to be executed in the browser of anyone visiting the URL. Attackers also try to post XSS code that is stored in a database and executed later, for example by posting a comment that is displayed to all visitors of a page.

Vulnerable scenarios

  • <cfoutput>Hello #name2#</cfoutput>
  • <cfparam name="id12" default="my default value" type="string">
    <cfoutput>#id12#</cfoutput>
    When a variable declared through cfparam is of type “string”, the code is vulnerable.
  • <cfoutput><b>LINK to URL:</b> <a target="_blank" href="http://#url#">#url#</a></cfoutput>
    As an unknown variable is used for the URL in the anchor tag, the code is vulnerable to an XSS attack.

Cross-site scripting in cfhtmltopdf

The cfhtmltopdf tag, introduced in ColdFusion 11, provides powerful HTML rendering, powered by WebKit, to produce PDF files. Because the server renders the HTML, be cautious when using variables in the PDF document.

All preventative measures pertaining to cross-site scripting also apply to variables written in the cfhtmltopdf tag. JavaScript can be executed during rendering in the cfhtmltopdf tag.

Because the JavaScript would be executed on the server during rendering, the risks differ from a client-side cross-site scripting attack. They include denial of service and potential exploitation of unknown vulnerabilities in WebKit. In addition, there is a risk of bypassing the network firewall, because the server can be behind a firewall with network access to other systems.

Vulnerable scenarios

  • <cfhtmltopdf>
        <h1>Hello <cfoutput>#pf2#</cfoutput></h1>
    </cfhtmltopdf>

  • <cfhtmltopdf>
        <h1>Hello <cfoutput>#url.name#</cfoutput></h1>
    </cfhtmltopdf>

  • <cfdocument format="PDF">
        <cfoutput>#hello#</cfoutput>
        <cfdocumentitem type="header">
            <cfoutput>#abc#</cfoutput>
        </cfdocumentitem>
    </cfdocument>
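Output encoding for the cfoutput, anchor-href and cfhtmltopdf scenarios above, as an added example that is not from the Adobe page. It uses the built-in encodeForHTML, encodeForHTMLAttribute and isValid functions; url.name and url.link are assumed request parameters, and the PDF is written to the temp directory instead of being streamed so that the same page can still render its HTML.

```cfml
<!--- Added example, not from the Adobe page. url.name and url.link are assumed
      request parameters; the encodeFor* functions are built in (ColdFusion 10+). --->
<cfparam name="url.name" default="">
<cfparam name="url.link" default="">

<!--- HTML body context: encode at the point of output, not at input time, so the
      stored value stays intact and each output context gets its own encoder. --->
<cfoutput>Hello #encodeForHTML(url.name)#</cfoutput>

<!--- href context: attribute encoding alone does not stop a "javascript:" URL,
      so first require an absolute http(s) URL, then encode for the attribute. --->
<cfset safeLink = "">
<cfif isValid("url", url.link) AND reFindNoCase("^https?://", url.link)>
    <cfset safeLink = url.link>
</cfif>
<cfif len(safeLink)>
    <cfoutput>
        <b>LINK to URL:</b>
        <a target="_blank" rel="noopener" href="#encodeForHTMLAttribute(safeLink)#">#encodeForHTML(safeLink)#</a>
    </cfoutput>
</cfif>

<!--- Server-side rendering: WebKit executes any script that reaches this markup
      on the server itself, so the same encoding rule applies inside cfhtmltopdf. --->
<cfhtmltopdf destination="#getTempDirectory()#/hello.pdf" overwrite="true">
    <h1>Hello <cfoutput>#encodeForHTML(url.name)#</cfoutput></h1>
</cfhtmltopdf>
```

The choice of encoder follows the context the value lands in: encodeForHTML for element content, encodeForHTMLAttribute inside a quoted attribute, and a scheme check before any URL is placed in href, because no encoder turns a javascript: URL into a harmless one.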

Cross-site request forgery (CSRF)

Cross-site request forgery (CSRF) vulnerabilities are exploited when an attacker can trick an authenticated user into clicking a URL, or can embed a URL in a page that the user’s authenticated browser requests.

Vulnerable scenarios

  • <cfform method="POST">
        <cfinput type="submit" value="Make Administrator"/>
    </cfform>

When the CSRFGenerateToken() function is not used, the code is vulnerable.

  • <cfform method="POST">
        <cfinput type="hidden" name="token" value="#CSRFGenerateToken()#" />
        <cfinput type="submit" value="Make Administrator" />
    </cfform>

When there is no corresponding CSRFVerifyToken() call for the CSRFGenerateToken() call, the code is vulnerable.

  • <cfset var2 = CSRFGenerateToken("make-admin")>
    <cfform method="POST" action='/csrf/dummy.cfm'>
        <cfinput type="hidden" name="token" value="#var2#" />
        <cfinput type="submit" value="Make Administrator" />
    </cfform>

When there is no corresponding CSRFVerifyToken() call for the CSRFGenerateToken() call in the specified action page, the code is vulnerable.
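A complete token round-trip for the "Make Administrator" form above, as an added example that is not from the Adobe page. The file names make-admin.cfm and make-admin-action.cfm, the users table and the cfdocexamples datasource are assumed; CSRFGenerateToken and CSRFVerifyToken are the built-in functions the analyzer looks for, and they require sessionManagement to be enabled in Application.cfc.

```cfml
<!--- Added example, not from the Adobe page. File names, the users table and the
      cfdocexamples datasource are assumed. Requires this.sessionManagement = true. --->

<!--- ===== make-admin.cfm: issue a token bound to this session and to the key "make-admin" ===== --->
<cfform method="POST" action="make-admin-action.cfm">
    <cfinput type="hidden" name="token" value="#CSRFGenerateToken('make-admin')#" />
    <cfinput type="hidden" name="userId" value="42" />
    <cfinput type="submit" value="Make Administrator" />
</cfform>

<!--- ===== make-admin-action.cfm: verify with the same key BEFORE any state change ===== --->
<cfparam name="form.token" default="">
<cfparam name="form.userId" default="0">

<!--- A token issued for a different key, for another session, or no token at all fails here. --->
<cfif NOT CSRFVerifyToken(form.token, "make-admin")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Request rejected: missing or invalid CSRF token.</cfoutput>
    <cfabort>
</cfif>

<!--- Only reached with a valid token; the id is still bound as a typed parameter. --->
<cfquery datasource="cfdocexamples">
    UPDATE users
    SET role = 'admin'
    WHERE id = <cfqueryparam value="#val(form.userId)#" cfsqltype="cf_sql_integer">
</cfquery>
<cfoutput>User #val(form.userId)# promoted.</cfoutput>
```

The key passed to both functions ties the token to one action, so a token harvested from another form in the same session cannot be replayed against this one, and the verification sits before the state change rather than after it.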

Session identifier in the URL

Avoid appending session identifiers to the URL query string. End users e-mail or publish URLs without realizing that their session identifier is in the URL.

Vulnerable scenarios

  • <cflocation url="random.cfm" addtoken="true">

When the “addtoken” attribute is explicitly set to true, the code is vulnerable.

  • <cflocation url="random.cfm">

When “addtoken” is not specified, the default value of true is used, and the code is vulnerable.

  • <cfset addtoken1 = "true">
    <cflocation url="random.cfm" addtoken="#addtoken1#">

When the “addtoken” attribute takes its value from a variable that is set to true, the code is vulnerable.

Insecure cookies

Cookies can contain sensitive information.

Vulnerable scenarios

  • <cfcookie name="sample" value="random" httponly="false" secure="false">

When both “httponly” and “secure” attributes are set to false explicitly, the code is vulnerable.

  • <cfcookie name="sample" value="random" httponly="true" secure="false">

When either of “httponly” and “secure” attributes is set to false explicitly, the code is vulnerable.

  • <cfcookie name="sample" value="random" >

When “httponly” and “secure” attributes are not set, default value of false is taken, making the code vulnerable.
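Session-identifier and cookie handling for the cflocation scenarios and the cfcookie scenarios above, as an added example that is not from the Adobe page. The application name, cookie name and redirect target are assumed; this.sessionCookie is the Application.cfc setting (ColdFusion 10 and later) that applies the same two flags to the CFID/CFTOKEN cookies themselves.

```cfml
<!--- Added example, not from the Adobe page. Application name, cookie name and
      redirect target are assumed. Shown as two files separated by comments. --->

<!--- ===== Application.cfc: the session cookies get HttpOnly and Secure from
      this.sessionCookie, so CFID/CFTOKEN are never readable by script and never
      sent over plain HTTP. ===== --->
component {
    this.name              = "cookieDemo";
    this.sessionManagement = true;
    this.sessionCookie     = { httpOnly: true, secure: true };
}

<!--- ===== redirect.cfm: an application cookie with both flags set, then a
      redirect that keeps the session identifier out of the query string. ===== --->
<cfcookie name="prefs"
          value="theme=dark"
          httponly="true"
          secure="true"
          expires="7">

<!--- addtoken="false": the session is already carried by the cookie, so the URL
      does not need, and must not leak, CFID/CFTOKEN. --->
<cflocation url="random.cfm" addtoken="false">
```

With secure="true" the browser only returns the cookie over HTTPS, so the site must actually be served over TLS for sessions to persist; the cookie value itself still holds nothing sensitive, because both flags limit exposure without making the value secret.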

Hardcoded passwords

Do not store passwords in plain text.

Vulnerable scenarios

  • <cfcache action="get" timespan="#createTimeSpan(0,0,10,0)#" password="pwd">
  • <cfset password = "abc">
    <cfcache action="get" timespan="#createTimeSpan(0,0,10,0)#" password="#password#">
  • <cfhtmltopdf ownerpassword="#pw#" userpassword="abc"></cfhtmltopdf>

In all the above scenarios, hardcoded passwords are used, which makes the code vulnerable.

File upload

Whenever files are uploaded to the server, take extreme caution to ensure that you have properly validated the file path and file type.

Vulnerable scenarios

  • <cffile action="upload" fileField="FileContents"
        destination="c:\folder1\folder2" accept="text/html"
        nameConflict="MakeUnique" strict="false">

  • <cffile action="upload" filefield="photo" accept="image/gif,image/png,image/jpg"
        destination="#getTempDirectory()#" nameconflict="overwrite" strict="false">

  • <cffile action="uploadall" destination="#expandpath('./upload')#" accept="text/html" strict="false">

In the above scenarios, strict is explicitly set to false, which makes the code vulnerable. Also, when the “getTempDirectory()” function is not used for the destination, the analyzer reports a warning.
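A staged upload that addresses the three findings above (strict, destination and file type), as an added example that is not from the Adobe page. The form field "photo" and the /uploads-private directory are assumed, and the directory is meant to sit outside the web root; cffile's result struct, isImageFile, fileMove and fileDelete are built-in.

```cfml
<!--- Added example, not from the Adobe page. The form field "photo" and the
      /uploads-private directory are assumed; keep that directory outside the web root. --->
<cfset allowedTypes = "image/gif,image/png,image/jpeg">
<cfset uploadRoot   = expandPath("/uploads-private")>

<!--- Stage 1: accept into the temp directory only. strict="true" makes ColdFusion
      derive the MIME type from the file content, not from the client-supplied
      extension or Content-Type header. --->
<cffile action="upload"
        fileField="photo"
        destination="#getTempDirectory()#"
        accept="#allowedTypes#"
        strict="true"
        nameConflict="makeUnique"
        result="upload">

<cfscript>
    tempPath = upload.serverDirectory & server.separator.file & upload.serverFile;

    // Stage 2: checks independent of cffile's own detection:
    //   - the extension must be on a short allow-list (the stored name is built from it)
    //   - the bytes must actually decode as an image
    if ( !listFindNoCase( "gif,png,jpg,jpeg", upload.serverFileExt ) || !isImageFile( tempPath ) ) {
        fileDelete( tempPath );
        throw( type="Upload.Rejected", message="File is not an allowed image type." );
    }

    // Stage 3: store under a server-generated name. The client's file name never
    // becomes part of a path, which closes the "../" and silent-overwrite cases.
    storedName = createUUID() & "." & lCase( upload.serverFileExt );
    fileMove( tempPath, uploadRoot & server.separator.file & storedName );
</cfscript>
```

The temp directory is the landing zone precisely because a rejected file is deleted from there before it is ever reachable under a URL; only a file that passes every check is moved into the final directory, and under a name the client did not choose.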

Sensitive information in GET requests

Do not send sensitive information using the GET method.

Vulnerable scenarios

  • <cfform method="get" action="sayHello.cfm">
        <cfinput name="userName" type="text">
        <cfinput name="token" value="#CSRFGenerateToken()#" type="hidden">
        <cfinput name="submit" value="Say Hello!!" type="submit">
    </cfform>

When method is explicitly set to “get”, the code is vulnerable.

  • <cfform action="sayHello.cfm">
        <cfinput name="userName" type="text">
        <cfinput name="token" value="#CSRFGenerateToken('a')#" type="hidden">
        <cfinput name="submit" value="Say Hello!!" type="submit">
    </cfform>

When method is not set, the “get” method is used by default, and the code is vulnerable.

Path traversal

<cfinclude template="views/#header#">

The above vulnerable sample code does not validate the value of the #header# variable before using it in a file path. An attacker can use the vulnerable code to read any file on the server that ColdFusion has access to. For example, by requesting ?header=../../server-config.txt the attacker can read a configuration file that is not meant to be public.

Vulnerable scenarios

  • <cfinclude template="constant/#somepath#">
  • <cffile action="write" file="#filevar2#">
  • <cfscript> myfile = DirectoryDelete(var); </cfscript>

In all of the above scenarios, an unknown (unvalidated) variable is used as a file path or directory path, so the code is vulnerable.
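Two defences for the cfinclude, cffile write and DirectoryDelete scenarios above, as an added example that is not from the Adobe page: an allow-list for template selection, and canonical-path containment for file and directory operations. The header template names, the /data base directory and the url.file and url.header parameters are assumed; java.io.File and server.separator.file are standard.

```cfml
<!--- Added example, not from the Adobe page. Template names, the /data base
      directory and the url.header / url.file parameters are assumed. --->
<cfscript>
    // 1. cfinclude: resolve the request value through an allow-list, so the
    //    template path is always one of a fixed set and never built from input.
    headerTemplates = { "default": "views/header.cfm", "print": "views/header-print.cfm" };
    headerKey = "default";
    if ( url.keyExists( "header" ) && headerTemplates.keyExists( url.header ) ) {
        headerKey = url.header;
    }
</cfscript>
<cfinclude template="#headerTemplates[headerKey]#">

<cfscript>
    // 2. File and directory operations: canonicalise the combined path and require
    //    it to stay inside the base directory. getCanonicalPath() collapses ".."
    //    segments and resolves symlinks, so "../../x" is caught after resolution
    //    instead of by pattern-matching the raw string.
    function safeChildPath( required string baseDir, required string userPath ) {
        var sep    = server.separator.file;
        var base   = createObject( "java", "java.io.File" ).init( arguments.baseDir ).getCanonicalPath();
        var child  = createObject( "java", "java.io.File" ).init( base, arguments.userPath ).getCanonicalPath();
        var prefix = base & sep;
        // compare() is case-sensitive, unlike CFML's != on strings
        if ( !len( arguments.userPath ) || compare( left( child, len( prefix ) ), prefix ) != 0 ) {
            throw( type="Path.Outside", message="Path escapes the allowed directory." );
        }
        return child;
    }

    dataRoot = expandPath( "/data" );                          // assumed base directory
    target   = safeChildPath( dataRoot, url.file ?: "" );      // e.g. url.file = "notes/today.txt"
    fileWrite( target, "written inside #dataRoot# only" );

    // The same guard applies to directory operations, so the page's
    // DirectoryDelete(var) becomes directoryDelete( safeChildPath( dataRoot, url.dir ) ).
</cfscript>
```

The prefix comparison uses base plus the separator so that a sibling directory with a longer name (for example /data-old next to /data) is rejected as well; checking only that the path starts with the base string would let it through.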
