Hopefully you've heard there's a patch out for ColdFusion 10 (now version 10.0.11) for the web sockets security hole that Henry Ho noticed a week or so ago. I did some investigation on the issue, and identified four separate problems with the web sockets implementation on un-patched (10.0.10 and below) ColdFusion 10 installations.
The good news is that two of those four issues are fixed, and they are the two significant ones:
- public CFC methods were callable via web sockets. Only remote methods ought to be externally accessible;
- non-web-accessible CFCs were accessible via web socket requests, provided there was a ColdFusion mapping to them.
The other two issues were these:
- web socket requests do not invoke Application events, so Application.cfc event handlers do not fire, e.g. onRequestStart() and onCfcRequest() do not run when a request is made over a web socket;
- CFC method role restrictions don't work with web socket requests. A roles-restricted method cannot be accessed via a web socket at all, even if the current user has the requisite roles set.
I reckon Adobe got on the case really quickly with this, and have sorted the issue out.
Also noteworthy: 10.0.11 doesn't only include this fix; it addresses 50-odd other issues too. See full details of the tickets that were dealt with here.
The only glitch I have found with this updater thus far is that I can't seem to uninstall it via the updater UI. Previous updates deinstalled fine: just nothing happens when I try to deinstall this one.
In other news, there was also a new hotfix released for ColdFusion 9 today.
Note that the ColdFusion 10 fix is listed as "critical"; the CF9 one is "important".
As I said in the subject line: good work Adobe. And good on Henry Ho for reporting the web sockets one!
--
Adam