Saturday, 29 June 2013

Security warning: stop using ColdFusion web sockets right now

G'day:

Update:

This problem has been solved. Details here: Security bulletin (APSB13-19). Make sure to apply this fix if you're using WebSockets with ColdFusion. Thanks to Gary Stanton for passing this information on to me.

This is a bit irresponsible of me as I do agree that promulgating security issues is less than ideal... but this is already on Stack Overflow, so it's perhaps best to get it out there as much as possible now. Straight away.

Perennial ColdFusion community member Henry Ho raised this issue on Stack Overflow the other day. Initially I thought "[coughbullshit]", but I started to test it this morning and his fears were borne out.

I'm not going to go into details just now, but... he's right.

As I said I'm also not going to go into details of the extent of the problem, but if you are using ColdFusion web sockets... turn them off now. And then read Henry's Stack Overflow post and understand it. And if the situation doesn't apply to you, then perhaps consider re-enabling them, but make sure the rest of you API is secure first.

--
Adam