ColdFusion 10 WebSocket Vulnerability

July 2, 2013
Staff 98 posts
Followers: 9 people
8

ColdFusion 10 WebSocket Vulnerability

Staff 98 posts
Followers: 9 people
July 2, 2013

There have been a couple of posts describing the vulnerability using the websocket functionality in ColdFusion 10. The Adobe Product Security Incident Response Team (PSIRT) is aware of this issue and is actively engaged with the ColdFusion Product Team to release a fix. Adobe PSIRT is not aware of this issue being exploited in the wild.

There will be a new update released soon that directly prevents the ability to invoke non-remote methods on the CFC using Websockets.  

 

 

Comments (8)
2013-07-05 05:42:46
2013-07-05 05:42:46

Hmmm…

var _cf_tdrcfacade=ColdFusion.AjaxProxy.init(‘/cfusion/tdrc/tdrcfacade.cfc’,’jsobj’);

I guess you guys are putting your arse on the line to Guarantee that exposing CFC’s outside the webroot is a good idea.

Good luck with that.

Like
2013-07-04 14:13:07
2013-07-04 14:13:07

Awdhesh commented here yesterday but the comment has gone.

I have replied to it on my blog: http://cfmlblog.adamcameron.me/2013/07/response-to-comment-since-redacted-it.html

Like
2013-07-03 06:30:58
2013-07-03 06:30:58

Wow. Just wow.

When did it EVER seem like a good idea to expose CFC’s that live outside the webroot.

That’s messed up.

Like
2013-07-03 01:36:09
2013-07-03 01:36:09

Fair enough. I raised two issues for the other ones, but flagged them as “security” so I didn’t get the bug IDs and cannot see them. If they’ve not considered part of the security hole, can they be revised so they’re public so I can keep an eye on what you’re doing (or not doing 😉 with them? I created them y/day.


Adam

Like
2013-07-03 01:11:22
2013-07-03 01:11:22

@Aaron: Any action, if required, will come from PSIRT. I will post an update to this blog post if there is an announcement regarding this from PSIRT.

@Adam: Accessing public methods is the root cause. So the fix will most likely focus on addressing that.

Like
2013-07-03 00:35:48
2013-07-03 00:35:48

Hi Rakshith: that’s good news!

Can you please detail which of these issues you are dealing with:
* web socket requests can access public methods
* web socket requests can access non-web-browsable CFCs
* web socket requests do not trigger Application.cfc event handlers
* web socket requests error if a method have security roles specified

Cheers.


Adam

Like
2013-07-02 23:59:58
2013-07-02 23:59:58

And I assume making sure only CFC’s in the webroot can be invoked.

So Adobe. How do we protect ourselves? Whats the recommendation.

Like
2013-07-02 23:17:12
2013-07-02 23:17:12

[subscribe]

Like
Add your comment