Tuesday, 2 July 2013

ColdFusion: WebSocket security issue: status update

Just a quick one. There's been some feedback from Adobe regarding this web sockets security issue. As a comment against that article, Awdhesh says:

We are working on it and the fix will be available in next updater for CF10.

So that's something. Although I'd prefer a more comprehensive answer from them, if I'm to be honest. I'd also like to know how this thing keeps happening now that they have a supposed "security czar". Perhaps after ColdFusion's reputation / behaviour in that area this year, Shilpi's been relieved of that role? Or perhaps - I suspect - it's just a lip service thing anyhow, so it really doesn't matter what Shilpi might have to say on the security or lack-thereof in ColdFusion.

Anyway: ante-up Adobe... what's the planned fix here?

I've raised four bugs, but unfortunately I cannot share the details with you because I raised them as "security issue", so I don't get given the bug number. The gist of them were as follows:

  • web sockets allow requests to public methods;
  • web sockets requests do not fire Application.cfc event handlers;
  • web sockets requests can request files outside the web root;
  • web sockets ignore CFC roles.
I'd like to know what's being done about all of these. I'd also quite like to know how it came to pass that these problems actually exist. It seems like Adobe must've implemented at least some of this by design.

Still: they're on the case. This is good news!