Fixinator fixes unscoped variables
by Pete Freitag, 3w ago
Last week's Adobe ColdFusion security update disabled searchImplicitScopes by default. Prior to that update, and for the past twenty-five years, ColdFusion would search through all the possible scopes until it found a matching variable. As you can imagine, this change caused quite a bit of work for ColdFusion developers who might have an unscoped variable or two in their applications. Many people had to set searchImplicitScopes=true while they update their code. Since this change impacts security, I thought it would make sense to add some new features to Fixinator, my CFML code security sca…
ColdFusion searchImplicitScopes and APSB24-14
by Pete Freitag, 1M ago
Adobe has published a ColdFusion Security Hotfix APSB24-14 today which describes "a critical vulnerability that could lead to arbitrary file system read". One of the things you will want to take special note of in this hotfix is that a major change was made to how ColdFusion handles unscoped variables. According to the technote: "Starting with this update, ColdFusion will default to searchimplicitscopes=FALSE and if a variable name is not prefixed with a scope identifier, an error is returned." What will break: this means that if you have some code like this:
<cfoutput encodefor="html"> H…
Lucee RCE Vulnerabilities February 2024
by Pete Freitag, 2M ago
Last week security researchers from Project Discovery published details on three Lucee vulnerabilities:
- A Remote Code Execution (RCE) in the isDefined, StructGet and Empty functions
- An RCE via CF_CLIENT cookie values
- An RCE on REST CFC requests, which was patched in 2023: CVE-2023-38693
The RCE on isDefined, StructGet, Empty functions
Lucee allows RCE when a variable can be passed to the isDefined, structGet or Empty functions. Here are some examples of what vulnerable code might look like:
isDefined(url.x)
isDefined("#url.x#")
isDefined("url.#x#")
The following code is not vulnerable because it doe…
DNS over HTTPS is not what I thought
by Pete Freitag, 2M ago
A few months ago I was on a mission to remove some of the old broken links on my blog. I started blogging back in 2002, so many of the sites that I linked to twenty years ago were no longer active, or no longer under the same ownership. I decided to start this task by weeding out any domains that no longer resolved over DNS. While I knew of a few traditional methods to query DNS, I thought this was a good chance to explore the DNS over HTTPS (DoH) protocol. It is a fairly new standard for accessing DNS records over an encrypted HTTPS connection. The RFC (8484) was published in October of 2018…
The newline cat mystery
by Pete Freitag, 4M ago
I ran into a really strange problem today: whenever I would write a file, it would show up as empty on my file system. Here's a simplified version of my code:
var nl = chr(13);
var csv = '"order_id","date"' & nl;
csv &= '"1","2023-01-01"' & nl;
fileWrite("/tmp/test.txt", csv);
I would then go to my terminal and type:
cat /tmp/test.txt
And it would not output anything; it appeared to be an empty file! As a sanity check I added a throw statement to the end of my code which read the file content.
var nl = chr(13);
var csv = '"order_id","date"' & nl;
csv &= '"1","2023-01-01…
Ticket to ColdFusion Summit 2023
by Pete Freitag, 4M ago
The Adobe ColdFusion Summit is coming up in October. I will be speaking at the conference, and my company Foundeo is also one of the conference sponsors. As part of the sponsorship I have an extra entry ticket to CFSummit that I am going to give away to one random subscriber of the CFBreak ColdFusion Weekly Newsletter. All you have to do is subscribe to enter (see details). I hope to see you in Vegas…
Into The Box 2023 Slides
by Pete Freitag, 4M ago
I'm back from Houston, Texas after another great Into the Box conference. Slides for my talk Taming the Top 25 Most Dangerous Software Weaknesses can be found here. For code samples I used my Bank of Insecurity repository, which is full of security weaknesses…
File Created Date Time in ColdFusion / CFML
by Pete Freitag, 4M ago
Today I needed to get the time that a file was created from within some CFML code. I had first thought that cfdirectory or directoryList would return this, but it only returns the date that a file was modified, not the date that it was created. My next thought was that getFileInfo must return this, but again it only returns the date that the file was last modified. Even java.io.File only returns the last modified date, not the date the file was created.
The Solution
The solution is to use Java's NIO (Native IO) file API, and more specifically the java.nio.file.attribute.BasicFileAttributes impl…
Speaking at ColdFusion Summit Online Next Week
by Pete Freitag, 4M ago
I will be giving my talk Taming the Top 25 Most Dangerous Software Weaknesses (for ColdFusion Developers) next Tuesday, December 6th 2022 at 1pm US Eastern Time. You will need to register with Adobe to join; it's free. Adobe is repeating many of the talks from the in-person ColdFusion Summit that took place in October, so if you weren't able to make it, this is a great way to see the presentations. Finally, if you are interested in the topic of ColdFusion security, there are still a few seats left in my ColdFusion Security Training Class taking place on December 13th and 14th…
OpenSSL and ColdFusion / Lucee / Tomcat
by Pete Freitag, 4M ago
I've had several people asking me about the OpenSSL vulnerabilities that were patched this week: CVE-2022-3602 and CVE-2022-3786, aka Spooky SSL.
ColdFusion / Lucee and OpenSSL
As far as I know, neither ColdFusion nor Lucee uses OpenSSL for any of their crypto operations by default. Both ColdFusion and Lucee use the Java Cryptography Extension (JCE) layer, which provides an API to access crypto algorithm implementations. Adobe ColdFusion Enterprise is using the RSA BSafe CryptoJ provider, which has FIPS-compliant implementations of many crypto algorithms. The standard version, and Lucee, would lik…