Target ColdFusion Template Gets Compiled Even If Not Executed
Posted October 2, 2007 at 8:28 AM by Ben Nadel
A while back, I had suggested a hack to get ColdFusion-based security on non-ColdFusion files by adding a ".cfm" file extension. Then, in the Application.cfc's OnRequest() event method, intercepting those file requests, checking security permissions, and streaming the requested files (using CFContent). Since the requested file was never being executed (only streamed), it never occurred to me that it would matter what type of file it was.
As Regs pointed out to me, this was an incorrect assumption. Apparently, the requested template gets compiled even if it is never executed. This can cause problems, as he points out, if the file contains ColdFusion-tag-like data that starts with "<cf". To test this, I set up a tiny application that never includes the requested file, but rather a default file. Here is the ColdFusion Application.cfc file:
- hint="Handles the application level events and application settings.">
- <!--- Define application settings. --->
- <cfset THIS.Name = "SecurityTest2" />
- <cfset THIS.ApplicationTimeout = CreateTimeSpan( 0, 0, 10, 0 ) />
- <cfset THIS.SessionManagement = false />
- <cfset THIS.SetClientCookies = false />
- <!--- Define page settings. --->
- hint="Fires after pre page processing is complete - when determining which template to ultimately execute.">
- <!--- Define arguments. --->
- Include the default page regardless of what page
- was actually requested.
- <cfinclude template="default.cfm" />
- <!--- Return out. --->
- <cfreturn />
Notice that default.cfm is included no matter what happens. This is just a simple HTML file. But, I am gonna put in a bunk index.cfm in that directory:
- asdlfj alksdf lkajdf lajlfj ald fladsfs
- adfj aldjflajsdf ajsdf asdf alsdflasdlfl
- adf adsfasdf asf<cfset adkfjasdlf asdf />
- ljlaj dlfjals dfljasd flajsdl fasjdlfj al
Notice the poorly formeed ColdFusion CFSet tag mixed in with the random characters. This is meant to simulate the random text that might show up in a secure file.
Ok, so when the index.cfm ColdFusion template is requested, what I assumed would happen is that the default.cfm template would be executed and everything would go smoothly. But, no; just at Regs pointed out, ColdFusion throws an error:
Invalid CFML construct found on line 3 at column 35. ColdFusion was looking at the following text: asdf The CFML compiler was processing: * a cfset tag beginning on line 3, column 18.
I don't like this behavior. It doesn't feel right. The whole point of a conditional CFInclude tag is that the file only gets executed if it actually gets included. This target page compilation goes against this idea, not to mention it makes my security hack totally unusable.
What Other People Are Searching For
Yeah, the hack is unusable. Unfortunately the best way to secure files is to move them out of webroot and then use:
<CFHTMLHEAD text="<title>Download #finalName#</title>" />
<CFHEADER NAME="content-disposition" VALUE="#theAction#; filename=#finalName#">
<CFCONTENT TYPE="#mimetype#" FILE="#downloadFile.file_name#" DELETEFILE="No">
It sucks, but it's not that bad. You could code up a system rather quickly and you'll never have to think about it again.
At CFUnited this year someone (New Atlanta, Microsoft?) showed how IIS8 can use any ISAPI application to handle IIS requests. I don't recall the exact details but I think one of the examples was for security of any file.
Yeah, agreed. Oh well.
I remember that, I think. Was that the presentation about tapping into the "request pipeline" at any point so that CF(BD) could reach in before IIS processes files or something. I vaguely remember it, but much of the presentation went way over my head as I am not very familiar with IIS at all.