Alexander Bunkenburg #1
What is CF injection?
Hello people
We are doing a security revision of our application, with the help of some
consultants. They alerted us to the risk of ColdFusion injection. Having
searched the web, I ask: What is CF injection?
In analogy with "SQL injection" and "JavaScript injection" (also known as XSS,
Cross-Site-Scripting), CF injection would be the user sending some string to
the server (as URL parameter or Form parameter, or in some other way), and the
CF server executing that string as CF code.
0) Injection of CF tags
The consultants submit the following string in a form
<cffile action="write" file="C:\text.txt" output="Hola guapo!">
for example, and then check whether it has executed.
However --- as far as I know --- there is no way a string submitted in a form
can be executed as a CF tag.
Or is there?
1) Injection of CF expressions
I know that with the function Evaluate, a string submitted in a form can
be executed on the server. For example if I submit
GetPageContext()
and the action page has
<cfset x = Evaluate(Form.field)>.
But the function Evaluate has so much risk that our coding standards already
forbid it. :-)
Do other possibilities of CF injection occur to you?
Thanks,
Alex
--
Alexander Bunkenburg
www.inspiraci?.com
N 41°22.929' E 2°08.335' 51m
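As an added example (not code from the original post), the Evaluate pattern described in point 1 is shown beside a hardened version that treats the submitted value as a key to look up rather than as an expression, and point 0 is shown as a plain echo of the submitted tag text. The field names and the log file name are assumed.

```cfml
<!--- Vulnerable (as described in the post): whatever the client puts in
      Form.field is parsed and run as a CF expression, e.g. GetPageContext(). --->
<cfset x = Evaluate(Form.field)>

<!--- Hardened: the submitted string only selects which form field to read.
      Constructed allow-list of the fields this page expects (assumed names). --->
<cfset allowedFields = "email,phone,comment">
<cfparam name="Form.field" default="">

<cfif ListFindNoCase(allowedFields, Form.field) AND StructKeyExists(Form, Form.field)>
    <!--- Scope lookup by key: no expression parsing takes place --->
    <cfset x = Form[Form.field]>
<cfelse>
    <cfset x = "">
    <!--- Record rejected selectors so unexpected probing is visible in the logs --->
    <cflog file="security" type="warning" text="Rejected form field selector: #Form.field#">
</cfif>

<!--- Point 0: a submitted <cffile ...> string is data, not a tag. It is never
      executed; it is only echoed back, HTML-encoded so it cannot become markup. --->
<cfoutput><p>You submitted: #HTMLEditFormat(Form.field)#</p></cfoutput>
```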
-
Stefan K. #2
Re: What is CF injection?
The only time I ever heard of injection is "PHP-injection" or "SQL-injection",
but always related to PHP.
What I think it means is the possibility to enter text in Forms which is
constructed to manipulate the SQL used to enter the form-data to DB.
The typical issue would be not to double single-quotes in text-variables (not
escaping them from SQL.string). This gives hand to manipulating the SQL-query
in all ways one can think of.
Since CF automatically doubles single-quotes when values are outputted within
cfQuery, this is no issue in CF.
(Don't get me started on the above functionality, anyone feel like discussing
it, pls mail me.)
My interpretation was that in PHP, many open-source forums/CMS are used because
they are for free.
Thus many developers know the application rather well and can take advantage
of such a weakness.
Conclusion:
I never heard of the issue with CF, only with PHP/SQL.
So I'd guess the consultant had no real idea what he was talking about and was
just trying to appear worthy of his money ;-).
Ask him what exactly he meant by this and try to get something technical or
even just a link where the issue is described concerning CF and he'll probably
have to forfeit.
Please post here if you find out more.
Stefan K.
-
Stefan K. #3
Re: What is CF injection?
Actually, only SQL-injection is the one I really know about.
PHP-injection would probably be the posting of text which can be executed as
PHP-code. Not possible in CF, hopefully not in PHP.
XSS, Cross-Site-Scripting I know of. Never heard it called
Javascript-injection, but the term injection seems to be used for anything
people have no clue about. :-)
-
MattRobertson #4
Re: What is CF injection?
Kind of sounds like your consultants should hire a consultant... or take a
class :-)
Seriously, they probably mean something else. Get a clarification. Do you
use cfqueryparam religiously on all selects, inserts, updates and deletes? If
so that takes care of SQL injection.
Do you scrub all variables that are transmitted insecurely (i.e. url vars)
which are used for things other than a SQL statement?
Honestly I have found so many users have software that screws with
cgi.http_referer that I often don't bother testing for it. Instead I look to
the data itself and validate it, build in tattlers if I get too many submits
etc.
--Matt--
MSB Designs, Inc. http://mysecretbase.com
The soul would have no rainbow had the eyes no tears.
- Today's Fortune
-
Stefan K. #5
Re: What is CF injection?
Originally posted by MattRobertson:
"Do you use cfqueryparam religiously on all selects, inserts, updates and
deletes? If so that takes care of SQL injection."
IMHO SQL-injection is taken care of even without usage of cfqueryparam, for CF
doubles any single-quotes inside a variable if the variable is outputted within
a cfQuery.
But using it or not is a matter of personal preference.
Other than that, I'm glad Matt thought the same as I did, the consultant
tried to look smart and knowing.
-
MattRobertson #6
Re: What is CF injection?
Stefan,
As much as I hate to disagree with someone agreeing with me ( :D ) you'll be
hard pressed to find any experienced CF developers who agree with that
position. Cfqueryparam has been a recommended MM best practice for some time,
and you'll find copious amounts of articles and posts out there explaining why.
Yes it makes your SQL butt-ugly, and involves a lot more typing, but you get
used to that and if you use it you can kiss goodbye the threat of sql injection
via the use of this one tool.
Cheers,
--Matt--
MSB Designs, Inc. http://mysecretbase.com
The only thing more accurate than incoming enemy fire is incoming friendly
fire.
- Murphy's 13th Military Law
-
Stefan K. #7
Re: What is CF injection?
Hello Matt
Thank you for your kind advice.
But I can assure you that I looked at the issue very closely.
The articles you mention probably cover something like:
http://www.macromedia.com/devnet/security/security_zone/asb99-04.html
But as stated there, SQL-injection in CF is only possible with numeric values,
and there I prefer Val() over <cfQueryParam>.
In addition, cfQueryParam uses parameter-binding.
Which very effectively makes the use of almost any advanced T-SQL queries
impossible, at least that was what my attempts to rewrite queries with
cfQueryParam resulted in.
So basically, even Macromedia states that Val() with numeric values covers the
security problem and I like to write gigantic & complex queries ;).
Kind regards
Stefan K.
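As an added example (not code from any poster), the same lookup query written three ways: spliced-in values as discussed in the thread, the Val() approach Stefan prefers for the numeric value, and the cfqueryparam approach Matt recommends for both values. The datasource, table and column names are assumed.

```cfml
<!--- 1. Values spliced into the SQL text. CF doubles single quotes inside
      #Form.name#, but #URL.id# is pasted in verbatim, which is exactly the
      numeric-value case that asb99-04 (linked above) describes. --->
<cfquery name="getUser" datasource="app">
    SELECT id, name, email
    FROM   users
    WHERE  id = #URL.id#
      AND  name = '#Form.name#'
</cfquery>

<!--- 2. Val() coerces the numeric input to a number before it reaches the SQL,
      so non-numeric text is reduced to 0 rather than appended to the statement. --->
<cfquery name="getUser" datasource="app">
    SELECT id, name, email
    FROM   users
    WHERE  id = #Val(URL.id)#
      AND  name = '#Form.name#'
</cfquery>

<!--- 3. cfqueryparam binds each value with a declared SQL type, so the
      database never parses user data as part of the statement text. --->
<cfquery name="getUser" datasource="app">
    SELECT id, name, email
    FROM   users
    WHERE  id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
      AND  name = <cfqueryparam value="#Form.name#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```

With cfqueryparam, a non-integer value for id is rejected by ColdFusion before the query is sent, and maxlength caps the string value at the column width.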