5

As we already know that the URL and FORM scope variables can be modified using external proxy tools.

For example if someone makes a request like this - http:\\website\index.cfm?a=1&b=2

This way one can add values to URL scope of a .cfm page.

Similarly is there any way to add/alter value to request scope in ColdFusion without it being set in code explicitly.

I am asking this because we have a code like this in one of CFM page.

<cfset request.uploadFileDir = application.fileDir & "\upload" />
<cffile action="upload" accept="application/pdf" destination="#REQUEST.uploadFileDir#" filefield="brochure" nameconflict="makeunique"/>

The security team is saying that the above code is vulnerable because REQUEST scope in JAVA can be tampered/altered by external proxy tools. And since ColdFusion is build on JAVA, ColdFusion's REQUESTcan also be tampered by external proxy tools. Is this a right assumption? Is JAVA and ColdFusion REQUEST scope same?

And finally the main question - Is there any way an external request to the page mentioned above in the example, modify the REQUEST scope or to be more precise REQUEST.uploadFileDir variable?

Yojimbo
  • 23,288
  • 5
  • 44
  • 48
Pankaj
  • 1,731
  • 1
  • 13
  • 15
  • 3
    What part of a java `request` do they say can be tampered with? With jsp/servlets, I get the impression there's two parts of the `request` scope: get/setParameter() and get/SetAttribute(). The "parameters" are more like the URL scope, and like you said, can be modified. Whereas "attributes" are local server variables and can't be modified AFAIK. https://stackoverflow.com/a/5243798/8895292 – SOS Feb 15 '18 at 20:02
  • 2
    My opinion is that request scope variables can only be defined and assigned values in the programming code. That means they can't be altered directly. However, if you are assigning a value from the form or url scope, then they can be indirectly altered. In your case, look at how `REQUEST.uploadFileDir` receives it's value. – Dan Bracuk Feb 15 '18 at 20:44
  • 1
    Attackers using scope injection can potentially pass in variables from the url or form. Pete Freitag has a short writeup on how this is accomplished here and how to mitigate the threat: https://www.petefreitag.com/item/834.cfm – beloitdavisja Feb 15 '18 at 20:52
  • 1
    "Whereas "attributes" are local server variables " ... so CF's request scope is more akin to "attributes", and can only be modified on the server. So as long as `application.fileDir` doesn't use client supplied values (like hard coded string, etc...) it's safe. – SOS Feb 15 '18 at 20:57
  • @Ageax I guess they are saying about "parameters". In ColdFusion you retrieve them by using "URL" (to get Query Strings) and "FORM" (to retrieve POST data) scopes. Based on the link you provided it seems like "REQUEST" scope in ColdFusion is more like "ATTRIBUTE" in JAVA and that it cannot be modified. Thanks for providing initial reference. – Pankaj Feb 15 '18 at 21:02
  • @DanBracuk That seems like an answer. `REQUEST.uploadFileDir` is not using any URL or FORM scope variables for setting it's value. Only application scope is being used to set it. So it cannot be modified by any proxy tool or request to the page. You can post it as answer. – Pankaj Feb 15 '18 at 21:06
  • @Pankaj - Oops, I misread your comment. Yes, what I was saying is CF's "request" scope is like `request.get/setAttributes()` and can't be modified outside the server (other than indirectly as Dan mentioned later). CF's URL/FORM is like request.get/setParameters. You can also run some tests to see the behavior yourself using a JSP page: helpx.adobe.com/coldfusion/developing-applications/ – SOS Feb 15 '18 at 21:32

2 Answers2

5

(Promoting this from comments so the references are easier to find.)

What part of a java request do they say can be tampered with? With jsp/servlets, there seem to be 2 parts of the Request scope:

  • Parameters - request.get/setParameter()

    Java's request "Parameters" are more like ColdFusion's URL and FORM scopes, and like you said, those can be modified by the client or external tools. That's probably what they're thinking of when they talk about client tampering.

  • Attributes - request.get/setAttribute()

    "Attributes" are local server variables which can't be modified outside the server. CF's "request" scope is more akin to this. It can only be modified on the server, AFAIK. (Obviously, it can still be manipulated indirectly as Dan said).

If you're curious, run some tests on your DEV server using a .jsp and .cfm script to see how java's "Request" scope differs from ColdFusion's.

TL;DR;

I think they're wrong. ColdFusion's "Request" scope is not the same as Java's.

Community
  • 1
  • 1
SOS
  • 6,430
  • 2
  • 11
  • 29
  • Thanks for clarifying the two questions related to JAVA. I am voting this as it answers two of my questions. But since the main question was answered by Dan I am marking it as answer. Really wish I could have option to mark you both as answer since both address the questions partly. – Pankaj Feb 16 '18 at 09:48
  • Glad it helped. – SOS Feb 20 '18 at 00:38
3

Transferred from comments with the blessing of the OP.

My opinion is that request scope variables can only be defined and assigned values in the programming code. That means they can't be altered directly. However, if you are assigning a value from the form or url scope, then they can be indirectly altered. In your case, look at how REQUEST.uploadFileDir receives it's value.

More info.

The request scope is available to any programming file used in the page request, such as the actual page, included files, and custom tags, here is an example that can be altered.

request.foo = url.foo;

Here is an example that can't.

if (this is a development ColdFusion enviornment)
request.dsn = "development database";
else
request.dsn = "production database";

There is a time and place for everything. Most of my work does not use the request scope. One application does.

Dan Bracuk
  • 20,699
  • 4
  • 26
  • 43