Tuesday 9 July 2013

Well done Adobe ColdFusion Team

G'day:
Hopefully you've heard there's a patch out for ColdFusion 10 (now version 10.0.11) for the web sockets security hole that Henry Ho noticed a week or so ago. I did some investigation on the issue, and identified four separate problems with the web sockets implementation on un-patched (10.0.10 and below) ColdFusion 10 installations.


The good news is that two of those four issues are fixed, and they are the two significant ones:
  • public CFC methods were callable via web sockets. Only remote methods ought to be externally accessible;
  • non-web-accessible CFCs were accessible via web socket requests, provided there was a ColdFusion mapping to them.
I've verified those are now fixed.

The other two issues were these:
  • web sockets requests do not invoke Application events, so Application.cfc event handlers do not fire. EG: they do not cause onRequestStart() or onCfcRequest() to run when a request is made;
  • CFC method role restrictions don't work with web socket requests. A roles-restricted method cannot be accessed, even if the current user has the requisite roles set.
I only noticed these two because I was trying to work out a work around for the former two serious issues. I think the latter two are not critical, so it's nae bother from my point that they've not been addressed.

I reckon Adobe got on the case really quickly with this, and have sorted the issue out.

Also noteworthy is 10.0.11 doesn't only include this fix, it addresses 50-odd other issues too. See full details of the tickets that were dealt with here.

The only glitch I have found with this updater thusfar is I can't seem to uninstall it via the updater UI. Previous updates deinstalled fine: just nothing happens when I try to deinstall this one.

In other news, there was also a new hotfix released for ColdFusion 9 today.

Note that the ColdFusion 10 fix is listed as "critical"; the CF9 one is "important".

As I said in the subject line: good work Adobe. And good on Henry Ho for reporting the web sockets one!

--
Adam