Sunday, 30 June 2013

Web socket security issue: risk assessment & findings

Yesterday I engaged in some unrepentant shock tactics, writing an article entitled "Security warning: stop using ColdFusion web sockets right now". This warning arose from my initial investigations into an apparent significant security hole in web sockets, as reported by Henry Ho on Stack Overflow. I have checked into things more thoroughly, and here's the details of my findings.

Firstly, I have considered how responsible I am being by publishing this material. But I have concluded my readership is far less than Stack Overflow's, so the vulnerability is already public. Plus I think it would be helpful for people to know what they're up against. Plus - unabashedly - I hope the "publicity" will encourage Adobe to deal with this ASAP.

Threat summary

OK, so what's the story? Basically ColdFusion 10's web sockets have a couple of significant security failings, and some other unhelpful quirky behaviour as well.

Saturday, 29 June 2013

CFML: Floating point bum-biting: Railo version (OpenBD just errored)

Just FYI (and because someone asked), these are the results of the code I used for last night's article on some floating point weirdness, when run on Railo. Code:

<cfif structKeyExists(server, "railo")>
    server.railo.version: #server.railo.version#<br>
    server.coldFusion.productVersion: #server.coldFusion.productVersion#<br>

<cfset theValue = 1.15>
<cfset theMultiplier = 100>
<cfset theDivisor = 5>
<cfset theProduct = theValue * theMultiplier>

#theProduct# % #theDivisor# = #theProduct % theDivisor#<br>
#theProduct# / #theDivisor# = #theProduct / theDivisor#<br>
#theProduct# \ #theDivisor# = #theProduct \ theDivisor#<br>

<cfset thePreciseProduct = precisionEvaluate(theValue * theMultiplier)>
#thePreciseProduct# % #theDivisor# = #thePreciseProduct % theDivisor#<br>
#thePreciseProduct# / #theDivisor# = #thePreciseProduct / theDivisor#<br>
#thePreciseProduct# \ #theDivisor# = #thePreciseProduct \ theDivisor#<br>

Security warning: stop using ColdFusion web sockets right now



This problem has been solved. Details here: Security bulletin (APSB13-19). Make sure to apply this fix if you're using WebSockets with ColdFusion. Thanks to Gary Stanton for passing this information on to me.

This is a bit irresponsible of me as I do agree that promulgating security issues is less than ideal... but this is already on Stack Overflow, so it's perhaps best to get it out there as much as possible now. Straight away.

Perennial ColdFusion community member Henry Ho raised this issue on Stack Overflow the other day. Initially I thought "[coughbullshit]", but I started to test it this morning and his fears were borne out.

I'm not going to go into details just now, but... he's right.

As I said I'm also not going to go into details of the extent of the problem, but if you are using ColdFusion web sockets... turn them off now. And then read Henry's Stack Overflow post and understand it. And if the situation doesn't apply to you, then perhaps consider re-enabling them, but make sure the rest of you API is secure first.


Friday, 28 June 2013

Floating point bum-biting

I'll get back to bitching about ColdFusion 9's JSON shortcomings tomorrow. In the mean time, here's some "surprising" floating point inaccuracy weirdness. Well: it's predictable rather than weird, but I did go "WTF?" for a few min before I twigged.

ColdFusion vs JSON. How to make a developer cry

In general on this blog, I've tried to steer clear of discussing what I'm currently doing at work, but I'm so pissed-off by all this, I have to share.

Thursday, 27 June 2013

UnexpectedBuggy ColdFusion behaviour with CFML statements in <cfquery> tags

This is just me editorialising on a bug that someone raised over night: 3585643. The gist of it is that - unexpectedly (?) - CFML statements involving variables which have embedded single quotes (eg: as apostrophes) in them have the single-quotes escaped even if the statement is nothing to do with the SQL string.

"Huh?" you said. Yeah, fair enough, lemme demonstrate:

Tuesday, 25 June 2013

Ruby: doing a second tutorial @ (cont'ed)

You might recall a few weeks back I started doing the Ruby courses at Code School, and I was documenting my findings / experiences as I worked my way through the lessons. By the end of the second lesson my brain was fried and I realised a) I wasn't really taking it all in any more; b) my writing was just rubbish. So I broke off the last article halfway through, intending to revisit it the following day to complete it. As is often the case, I got distracted, and am only revisiting this now.

Just to recap, in the first part of this lesson I covered expressions, methods and classes, exceptions, and touched on ActiveSupport. All fascinating stuff. The balance of the lesson covers modules and blocks. These are pretty comprehensive topics, so there's a lot still to write-up.

Thursday, 20 June 2013

CF Live

Hey, in case you've not heard, Russ Michaels (who also runs CFMLDeveloper, who host my code) has launched a site "CF Live".

isValid(). Groan

Some things (OKOK, most things...) just piss me off.

Is ColdFusion's REST implementation more verbose than it needs to be?

I've been using some REST web services at work recently (CFML calling .NET ones; I'm just working on the CFML side of things, unfortunately), and also pottering around with ColdFusion 10's REST stuff at home occasionally. And then I wrote my "things I ain't researching" article, and one of the entries in that was to look more at CF's REST implementation more thoroughly, as well as Taffy and Relaxation. That in turn reminded me of a thread on Twitter in which Sean was denigrating ColdFusion 10's approach to REST, instead espousing a by-convention approach to things, or just in general not having the REST config alongside the code itself. I don't necessarily agree with him on the latter (I don't necessarily disagree, either!), but it's thought-provoking.

One thing that persisted in my mind is that it seems like there's a lot of horsing about making a method REST-callable, and after discussing a conventions-based approach with both Sean and separately with Adam Tuttle, I turned my mind to that.

God my writing is awful today, sorry. Slightly hungover. Bear with me.

OK, so here's a CFC and a method:

component {

    public string function greet(required string name) {
        return "G'day!";

The minimum I seem to be able to get away with to "RESTify" this is:

component rest=true {

    remote string function greet(required string name restargsource="query") httpmethod="get" {
        return "G'day!";

Wednesday, 19 June 2013

@CfmlNotifier now notifies of UPDATES to ColdFusion bugs

I've hacked together some code which polls the Adobe Bugbase every six hours, and checks if any ColdFusion bugs have been updated. It will send out a Twitter update as per below for any updates it finds:

Tuesday, 18 June 2013

CfmlNotifier down and back up again

I don't actually keep a close eye on the @CfmlNotifier Twitter feed, so sometimes don't notice when it goes down. This happens occasionally if the ColdFusion instance it runs on gets cycled, or [some other reason]. It's a hosted box to which I have no admin rights, so if it stops working, I just go [shrug] and reload its services: I don't attempt to get to the bottom of it. On the whole it just chugs along fine by itself.

Friday, 14 June 2013

A list of things I am not researching

All of these things I am not investigating:

Follow-up to "212 untriaged ColdFusion 10 bugs"

I found myself discussing the mountain of untriaged ColdFusion 10 bugs again just now, and thought I might check out if any progress has been made on them. The good news is that the list is down from 212 to 183. At least it's moving in the right direction.

I lost the code I used to generate the bug table for the earlier article, so I've knocked it together again, and this time saved it as a gist:

I've also chucked it up on CFMLDeveloper. I'll augment it at some stage to accept different CF versions, etc. Or someone could update the Gist and let me know and I'll chuck the updated version up there.

This is not exactly the finest code in the world, but it's handy. I stated working on a bug-update-notifier thing ages ago, but never finished it. I should crack on with it, I guess.

Anyway, my lunch needs eating, so I'm off.


Thursday, 13 June 2013

What do I want to see in ColdFusion 11?

I'm suffering a bit from motivation paralysis at the moment... I'm not suffering writer's block: if anything the opposite, I've got about a dozen articles on the go at the moment. Or maybe that means I've got writer's block a dozen times over? Dunno.

Anyway, this is just an easy article to bang out: listing a bunch of stuff.

Saturday, 8 June 2013

Scotch on the Rocks: recap

I didn't do a daily update of SotR like I did at cf.Objective(), instead sending Twitter updates in "real time" as things occurred to me. So if you want to know my general thoughts of the sessions I attended, have a look through my Twitter history. I was a bit haphazard as to whether I had space to include a #sotr13 tag, but they should be easy to spot amongst the rugby / cricket / environmentalism (Rob Glover, I'm looking at you ;-) chatter. In summary of those later three: NZ lost the cricket (although won the series), won the rugby, and I withdrew (mostly in despair) from the environmentalism discussion.

What thoughts was I left with for Scotch on the Rocks? In no particular order:

Wednesday, 5 June 2013

Censorship on Adobe ColdFusion forums etc: resolved

This is the final chapter in the ongoing story which started with an Adobe forum moderator making some questionable censorship decisions on a form thread I was trying to help on, and continued as Madison Murphy from Adobe worked with me towards a resolution.

ColdFusion / Railo WebSockets survey results

I didn't get much interest in the "ColdFusion / Railo WebSockets: do you use 'em?" survey as mentioned in my article the other day. Not to worry. I think that speaks for itself in a way: plenty of people looked at the article, but not so many figured it was worth their while / interest in filling out the survey.

I only got 24 responses, but here's the breakdown of those I got.

Monday, 3 June 2013

Censorship on Adobe ColdFusion forums etc: follow-up from Adobe

This is a follow-up to my post the other day about Adobe censoring a thread I was involved in on their ColdFusion forums. I've had a response from Madison Murphy from Adobe. Madison has been very helpful thusfar. She's agreed to let me publish her email below:

Saturday, 1 June 2013

Censorship on Adobe ColdFusion forums - Open letter to the management of the Adobe ColdFusion forums

Open letter to the management of the Adobe ColdFusion forums
(I do not know how to contact you, but I will try to find out and send this to you directly as well, as a courtesy).