Showing posts with label WebSockets. Show all posts
Showing posts with label WebSockets. Show all posts

Tuesday 9 July 2013

Well done Adobe ColdFusion Team

G'day:
Hopefully you've heard there's a patch out for ColdFusion 10 (now version 10.0.11) for the web sockets security hole that Henry Ho noticed a week or so ago. I did some investigation on the issue, and identified four separate problems with the web sockets implementation on un-patched (10.0.10 and below) ColdFusion 10 installations.


The good news is that two of those four issues are fixed, and they are the two significant ones:
  • public CFC methods were callable via web sockets. Only remote methods ought to be externally accessible;
  • non-web-accessible CFCs were accessible via web socket requests, provided there was a ColdFusion mapping to them.
I've verified those are now fixed.

Wednesday 3 July 2013

Official confirmation: Adobe is on the case regarding ColdFusion 10's web sockets security issue

G'day:
SSIA, really. But you know me: I can pad 14 words of information out to take 1400 words to say...

This is in reference to the security holes that were discovered in ColdFusion 10's web sockets implementation a few days ago, as I discussed in an earlier article: "Web socket security issue: risk assessment & findings".

Rakshith posted on Twitter & on the Adobe ColdFusion blog today that a fix is in the pipeline. He does not go into any details as to whether they're fixing all the issues identified, or some, or what: I guess time will tell.

However I'm pretty impressed with their turn-around time on this one. Henry raised the issue on June 27, and it's only a week later and they're got a patch in the works (I presume it's well under way, not that they were simply starting it when Rakshith announced it).

I look forward to testing it, and I will feedback with my findings having done so.

Not bad: only 180-odd words to re-articulate the necessary 14 ;-)

--
Adam

Tuesday 2 July 2013

ColdFusion: WebSocket security issue: status update

G'day:
Just a quick one. There's been some feedback from Adobe regarding this web sockets security issue. As a comment against that article, Awdhesh says:

We are working on it and the fix will be available in next updater for CF10.

Sunday 30 June 2013

Web socket security issue: risk assessment & findings

G'day:
Yesterday I engaged in some unrepentant shock tactics, writing an article entitled "Security warning: stop using ColdFusion web sockets right now". This warning arose from my initial investigations into an apparent significant security hole in web sockets, as reported by Henry Ho on Stack Overflow. I have checked into things more thoroughly, and here's the details of my findings.

Firstly, I have considered how responsible I am being by publishing this material. But I have concluded my readership is far less than Stack Overflow's, so the vulnerability is already public. Plus I think it would be helpful for people to know what they're up against. Plus - unabashedly - I hope the "publicity" will encourage Adobe to deal with this ASAP.

Threat summary

OK, so what's the story? Basically ColdFusion 10's web sockets have a couple of significant security failings, and some other unhelpful quirky behaviour as well.

Saturday 29 June 2013

Security warning: stop using ColdFusion web sockets right now

G'day:

Update:

This problem has been solved. Details here: Security bulletin (APSB13-19). Make sure to apply this fix if you're using WebSockets with ColdFusion. Thanks to Gary Stanton for passing this information on to me.

This is a bit irresponsible of me as I do agree that promulgating security issues is less than ideal... but this is already on Stack Overflow, so it's perhaps best to get it out there as much as possible now. Straight away.

Perennial ColdFusion community member Henry Ho raised this issue on Stack Overflow the other day. Initially I thought "[coughbullshit]", but I started to test it this morning and his fears were borne out.

I'm not going to go into details just now, but... he's right.

As I said I'm also not going to go into details of the extent of the problem, but if you are using ColdFusion web sockets... turn them off now. And then read Henry's Stack Overflow post and understand it. And if the situation doesn't apply to you, then perhaps consider re-enabling them, but make sure the rest of you API is secure first.

--
Adam

Wednesday 5 June 2013

ColdFusion / Railo WebSockets survey results

G'day:
I didn't get much interest in the "ColdFusion / Railo WebSockets: do you use 'em?" survey as mentioned in my article the other day. Not to worry. I think that speaks for itself in a way: plenty of people looked at the article, but not so many figured it was worth their while / interest in filling out the survey.

I only got 24 responses, but here's the breakdown of those I got.