ColdFusion 10 WebSocket Vulnerability

There have been a couple of posts describing the vulnerability using the websocket functionality in ColdFusion 10. The Adobe Product Security Incident Response Team (PSIRT) is aware of this issue and is actively engaged with the ColdFusion Product Team to release a fix. Adobe PSIRT is not aware of this issue being exploited in the wild.

There will be a new update released soon that directly prevents the ability to invoke non-remote methods on the CFC using Websockets.  



8 Responses

  1. Hi Rakshith: that’s good news!

    Can you please detail which of these issues you are dealing with:
    * web socket requests can access public methods
    * web socket requests can access non-web-browsable CFCs
    * web socket requests do not trigger Application.cfc event handlers
    * web socket requests error if a method have security roles specified



  2. @Aaron: Any action, if required, will come from PSIRT. I will post an update to this blog post if there is an announcement regarding this from PSIRT.

    @Adam: Accessing public methods is the root cause. So the fix will most likely focus on addressing that.

  3. Fair enough. I raised two issues for the other ones, but flagged them as “security” so I didn’t get the bug IDs and cannot see them. If they’ve not considered part of the security hole, can they be revised so they’re public so I can keep an eye on what you’re doing (or not doing 😉 with them? I created them y/day.


  4. Hmmm…

    var _cf_tdrcfacade=ColdFusion.AjaxProxy.init(‘/cfusion/tdrc/tdrcfacade.cfc’,’jsobj’);

    I guess you guys are putting your arse on the line to Guarantee that exposing CFC’s outside the webroot is a good idea.

    Good luck with that.

Leave a reply