Web socket security issue: risk assessment & findings

G'day:
Yesterday I engaged in some unrepentant shock tactics, writing an article entitled "Security warning: stop using ColdFusion web sockets right now". This warning arose from my initial investigations into an apparent significant security hole in web sockets, as reported by Henry Ho on Stack Overflow. I have checked into things more thoroughly, and here's the details of my findings.

Firstly, I have considered how responsible I am being by publishing this material. But I have concluded my readership is far less than Stack Overflow's, so the vulnerability is already public. Plus I think it would be helpful for people to know what they're up against. Plus - unabashedly - I hope the "publicity" will encourage Adobe to deal with this ASAP.

Threat summary

OK, so what's the story? Basically ColdFusion 10's web sockets have a couple of significant security failings, and some other unhelpful quirky behaviour as well.

CFML: Floating point bum-biting: Railo version (OpenBD just errored)

G'day
Just FYI (and because someone asked), these are the results of the code I used for last night's article on some floating point weirdness, when run on Railo. Code:

<cfoutput>
<cfif structKeyExists(server, "railo")>
    server.railo.version: #server.railo.version#<br>
<cfelse>
    server.coldFusion.productVersion: #server.coldFusion.productVersion#<br>
</cfif>
<hr>

<cfset theValue = 1.15>
<cfset theMultiplier = 100>
<cfset theDivisor = 5>
<cfset theProduct = theValue * theMultiplier>


Default<br>
#theProduct# % #theDivisor# = #theProduct % theDivisor#<br>
#theProduct# / #theDivisor# = #theProduct / theDivisor#<br>
#theProduct# \ #theDivisor# = #theProduct \ theDivisor#<br>
<hr>

Precision<br>
<cfset thePreciseProduct = precisionEvaluate(theValue * theMultiplier)>
#thePreciseProduct# % #theDivisor# = #thePreciseProduct % theDivisor#<br>
#thePreciseProduct# / #theDivisor# = #thePreciseProduct / theDivisor#<br>
#thePreciseProduct# \ #theDivisor# = #thePreciseProduct \ theDivisor#<br>
<hr>
</cfoutput>

Security warning: stop using ColdFusion web sockets right now

G'day:

Update:

This problem has been solved. Details here: Security bulletin (APSB13-19). Make sure to apply this fix if you're using WebSockets with ColdFusion. Thanks to Gary Stanton for passing this information on to me.

This is a bit irresponsible of me as I do agree that promulgating security issues is less than ideal... but this is already on Stack Overflow, so it's perhaps best to get it out there as much as possible now. Straight away.

Perennial ColdFusion community member Henry Ho raised this issue on Stack Overflow the other day. Initially I thought "[coughbullshit]", but I started to test it this morning and his fears were borne out.

I'm not going to go into details just now, but... he's right.

As I said I'm also not going to go into details of the extent of the problem, but if you are using ColdFusion web sockets... turn them off now. And then read Henry's Stack Overflow post and understand it. And if the situation doesn't apply to you, then perhaps consider re-enabling them, but make sure the rest of you API is secure first.

--
Adam

Floating point bum-biting

G'day:
I'll get back to bitching about ColdFusion 9's JSON shortcomings tomorrow. In the mean time, here's some "surprising" floating point inaccuracy weirdness. Well: it's predictable rather than weird, but I did go "WTF?" for a few min before I twigged.

ColdFusion vs JSON. How to make a developer cry

G'day:
In general on this blog, I've tried to steer clear of discussing what I'm currently doing at work, but I'm so pissed-off by all this, I have to share.

UnexpectedBuggy ColdFusion behaviour with CFML statements in <cfquery> tags

G'day:
This is just me editorialising on a bug that someone raised over night: 3585643. The gist of it is that - unexpectedly (?) - CFML statements involving variables which have embedded single quotes (eg: as apostrophes) in them have the single-quotes escaped even if the statement is nothing to do with the SQL string.

"Huh?" you said. Yeah, fair enough, lemme demonstrate:

Ruby: doing a second tutorial @ codeschool.com (cont'ed)

G'day:
You might recall a few weeks back I started doing the Ruby courses at Code School, and I was documenting my findings / experiences as I worked my way through the lessons. By the end of the second lesson my brain was fried and I realised a) I wasn't really taking it all in any more; b) my writing was just rubbish. So I broke off the last article halfway through, intending to revisit it the following day to complete it. As is often the case, I got distracted, and am only revisiting this now.

Just to recap, in the first part of this lesson I covered expressions, methods and classes, exceptions, and touched on ActiveSupport. All fascinating stuff. The balance of the lesson covers modules and blocks. These are pretty comprehensive topics, so there's a lot still to write-up.

CF Live

G'day:
Hey, in case you've not heard, Russ Michaels (who also runs CFMLDeveloper, who host my code) has launched a site "CF Live".

isValid(). Groan

G'day:
Some things (OKOK, most things...) just piss me off.

Is ColdFusion's REST implementation more verbose than it needs to be?

G'day:
I've been using some REST web services at work recently (CFML calling .NET ones; I'm just working on the CFML side of things, unfortunately), and also pottering around with ColdFusion 10's REST stuff at home occasionally. And then I wrote my "things I ain't researching" article, and one of the entries in that was to look more at CF's REST implementation more thoroughly, as well as Taffy and Relaxation. That in turn reminded me of a thread on Twitter in which Sean was denigrating ColdFusion 10's approach to REST, instead espousing a by-convention approach to things, or just in general not having the REST config alongside the code itself. I don't necessarily agree with him on the latter (I don't necessarily disagree, either!), but it's thought-provoking.

One thing that persisted in my mind is that it seems like there's a lot of horsing about making a method REST-callable, and after discussing a conventions-based approach with both Sean and separately with Adam Tuttle, I turned my mind to that.

God my writing is awful today, sorry. Slightly hungover. Bear with me.

OK, so here's a CFC and a method:

component {

    public string function greet(required string name) {
        return "G'day #arguments.name#!";
    }
}

The minimum I seem to be able to get away with to "RESTify" this is:

component rest=true {

    remote string function greet(required string name restargsource="query") httpmethod="get" {
        return "G'day #arguments.name#!";
    }
}

@CfmlNotifier now notifies of UPDATES to ColdFusion bugs

G'day:
I've hacked together some code which polls the Adobe Bugbase every six hours, and checks if any ColdFusion bugs have been updated. It will send out a Twitter update as per below for any updates it finds:

CfmlNotifier down and back up again

G'day:
I don't actually keep a close eye on the @CfmlNotifier Twitter feed, so sometimes don't notice when it goes down. This happens occasionally if the ColdFusion instance it runs on gets cycled, or [some other reason]. It's a hosted box to which I have no admin rights, so if it stops working, I just go [shrug] and reload its services: I don't attempt to get to the bottom of it. On the whole it just chugs along fine by itself.

A list of things I am not researching

G'day:

All of these things I am not investigating:

• PHP, despite it being a positive career move for me (strange, but true);
• Groovy & Grails despite Scott's brilliant presentation on the two;
• Angular.js despite Kurt's also brilliant presentation (Scott: you still win ;-), and John's equally good one at SotR;
• Ruby, and then Ruby on Rails despite starting some courses on them @ Code School, and actually paying fees to continue;
• oh, and Sinatra too, thanks to Matt piquing my interest;
• ColdFusion's REST implementation, as well as Adam Tuttle's Taffy and Chris Phillip's Relaxation, despite being quite interested in all three (the CF side of things as a baseline, and to see why people don't like it);
• ColdBox, even though I went to all the hassle of holding a survey which you lot helped me with to decide which framework to look at;
• FW/1 because in the process of doing so, I decided it sounded pretty good too;
• not really research, but I'm not finishing my ColdFusion bug-update notification project;
• Ember.js even though Paul's presentation at SotR made it look pretty bloody good, and something perhaps to focus on instead of Angular (if I have time for only one);
• ColdFusion 10's web sockets, despite promising someone I would, and starting some investigation into them;
• ColdFusion 10's new scheduler, even though it looks kinda cool (as far as schedulers can ;-);
• ColdFusion 10's EHCache integration even though it looks execellent too (thanks to Rob's presentation on it);
• submitting a fix for a bug in MXUnit I promised Marc Esher about six months ago, because I haven't got around to writing unit tests for it (and, come on, I can't submit a fix for MXUnit without unit testing it!);
• anything to do with mobile development. No, I'm not doing that either;
• node.js even though Sean recommended it to me as a good career-building option;
• oh, there's a bunch of other stuff too.

Why not? Because - f*** me - I don't know where to start! There's so much bloody interesting technology around and only about 18 hours in the day (eating, sleeping). Plus my blimin' life keeps getting in the road (case in point: I type this from the Wetherspoons @ LHR... the one at which I am beginning to recognise the staff, and they me...).

This article exists almost entirely to guilt-trip myself into doing something about all this. I've even got about a dozen blog articles underway on all this stuff. That weighs heavy too.

Argh!

Right. That feels better.

Have a good weekend.

--
Adam

Follow-up to "212 untriaged ColdFusion 10 bugs"

G'day:
I found myself discussing the mountain of untriaged ColdFusion 10 bugs again just now, and thought I might check out if any progress has been made on them. The good news is that the list is down from 212 to 183. At least it's moving in the right direction.

I lost the code I used to generate the bug table for the earlier article, so I've knocked it together again, and this time saved it as a gist:

I've also chucked it up on CFMLDeveloper. I'll augment it at some stage to accept different CF versions, etc. Or someone could update the Gist and let me know and I'll chuck the updated version up there.

This is not exactly the finest code in the world, but it's handy. I stated working on a bug-update-notifier thing ages ago, but never finished it. I should crack on with it, I guess.

Anyway, my lunch needs eating, so I'm off.

--
Adam

What do I want to see in ColdFusion 11?

G'day:
I'm suffering a bit from motivation paralysis at the moment... I'm not suffering writer's block: if anything the opposite, I've got about a dozen articles on the go at the moment. Or maybe that means I've got writer's block a dozen times over? Dunno.

Anyway, this is just an easy article to bang out: listing a bunch of stuff.

Scotch on the Rocks: recap

G'day:
I didn't do a daily update of SotR like I did at cf.Objective(), instead sending Twitter updates in "real time" as things occurred to me. So if you want to know my general thoughts of the sessions I attended, have a look through my Twitter history. I was a bit haphazard as to whether I had space to include a #sotr13 tag, but they should be easy to spot amongst the rugby / cricket / environmentalism (Rob Glover, I'm looking at you ;-) chatter. In summary of those later three: NZ lost the cricket (although won the series), won the rugby, and I withdrew (mostly in despair) from the environmentalism discussion.

What thoughts was I left with for Scotch on the Rocks? In no particular order:

Censorship on Adobe ColdFusion forums etc: resolved

G'day:
This is the final chapter in the ongoing story which started with an Adobe forum moderator making some questionable censorship decisions on a form thread I was trying to help on, and continued as Madison Murphy from Adobe worked with me towards a resolution.

ColdFusion / Railo WebSockets survey results

G'day:
I didn't get much interest in the "ColdFusion / Railo WebSockets: do you use 'em?" survey as mentioned in my article the other day. Not to worry. I think that speaks for itself in a way: plenty of people looked at the article, but not so many figured it was worth their while / interest in filling out the survey.

I only got 24 responses, but here's the breakdown of those I got.

Censorship on Adobe ColdFusion forums etc: follow-up from Adobe

G'day:
This is a follow-up to my post the other day about Adobe censoring a thread I was involved in on their ColdFusion forums. I've had a response from Madison Murphy from Adobe. Madison has been very helpful thusfar. She's agreed to let me publish her email below:

Censorship on Adobe ColdFusion forums - Open letter to the management of the Adobe ColdFusion forums

Open letter to the management of the Adobe ColdFusion forums
(I do not know how to contact you, but I will try to find out and send this to you directly as well, as a courtesy).

Update:
Adobe have been in touch with me regarding this.

Further Update:
This issue has now been resolved.