Using a CFLOCATION with tokens breaks sessions when used on a different website on the same server

We host a web application which has multiple installations (multiple domain names) on the same server; it is all hosted by the same ColdFusion Application Server instance.

Over time we have added new features which allow clients that have multiple domains to log in to both of the domains using a ‘passthrough key’. They click one button and are automatically passed to the next site, which then looks up a secret key in the database, confirms that it has been less than a second, and automatically sets up the user’s session. (This portion is vague because it doesn’t really matter what procedure we went through.)

The issue comes up when we use a <CFLOCATION> tag which directs the user from Domain A to Domain B. If we do not specify addtoken=false, then CFID=xxxx&CFTOKEN=xxxx are appended to the URL. The problem here is that the session from Domain A is used for that first transfer page request; any subsequent page requests (which do not have the CFID and CFTOKEN) will use the CFID / CFTOKEN which is set up for Domain B. When this happens, the session you set up for the transfer page request is gone.

Long story short: specify ADDTOKEN=false at the end of the CFLOCATION when moving from one domain to another.
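
One way to audit templates for this, as an added example that is not part of the original post: the Python sketch below scans CFML source for CFLOCATION tags that send the browser to another host without addtoken=false. The function names, the sample template and the domain-a.example / domain-b.example hosts are assumptions made up for illustration.

```python
import re
from urllib.parse import urlsplit

# A <cflocation ...> tag and its attribute text (tag names are case-insensitive).
TAG_RE = re.compile(r"<cflocation\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value pairs inside the tag.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(text):
    """Return the tag's attributes as a dict with lower-cased names."""
    return {n.lower(): dq or sq or bare for n, dq, sq, bare in ATTR_RE.findall(text)}


def find_token_leaks(source, own_host):
    """List (line, url) for cflocation tags that can carry CFID/CFTOKEN off-host."""
    findings = []
    for tag in TAG_RE.finditer(source):
        attrs = parse_attrs(tag.group(1))
        if attrs.get("addtoken", "").strip(" /").lower() in ("false", "no"):
            continue  # tokens are not appended, nothing to report
        url = attrs.get("url", "")
        # Only the text before the first #expression# is known statically.
        static_part = url.split("#", 1)[0]
        host = urlsplit(static_part).hostname
        unknown_host = url.startswith("#") or static_part.endswith("://")
        if unknown_host or (host and host != own_host.lower()):
            line_no = source.count("\n", 0, tag.start()) + 1
            findings.append((line_no, url))
    return findings


# Constructed sample template; hosts and file names are hypothetical.
SAMPLE = '''<cfif passthroughOk>
  <cflocation url="https://domain-b.example/transfer.cfm?key=#passKey#">
</cfif>
<cflocation url="https://domain-b.example/home.cfm" addtoken="false">
<cflocation url="/account/index.cfm?id=#userId#">
<CFLOCATION URL="https://domain-b.example/x.cfm" ADDTOKEN="yes">
'''

if __name__ == "__main__":
    for line_no, url in find_token_leaks(SAMPLE, "domain-a.example"):
        print(f"line {line_no}: cflocation to {url} without addtoken=false")
```

Relative redirects are skipped because they stay on the same site; a destination built entirely from a CFML expression is reported because its host cannot be checked statically.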

 

 

ColdFusion: SQL Server – Cannot use empty object or column names. Use a single space if necessary

When upgrading from an OLD version of ColdFusion to a newer one, we would occasionally receive the message

Cannot use empty object or column names. Use a single space if necessary

This message seemed as though it came from an error sent back from the database but the database version did not change at all.

However, CF changed their version of the SQL Server driver as they progressed and made it more compliant. Basically, they made it so that you could no longer use double quotes ("") to enclose an empty string.

So the SQL query that may have worked before

select * from myusers where username <> ""

would need to become

select * from myusers where username <> ''

 

ColdFusion / PCI double null vulnerability – Addressed with Apache RewriteRule

ColdFusion 8 and earlier have a ‘double null’ vulnerability that comes up as a fail on Nessus PCI reports (output below).

Basically, someone can embed some custom characters into the URL and drive an error which breaks ColdFusion:

https://yourdomain.com/coldfusion_apache_double_null_info_disclosure.nasl-14285118 17%2500.cfm

You can either upgrade ColdFusion (recommended), or you can put in place an Apache RewriteRule which prevents anyone from accessing your ColdFusion pages with the exploited URL.

 RewriteRule %00 / [B,R]

Nessus Output before the error is corrected.

Application: https
Port: 443
Protocol: tcp
VATID: 40667

Synopsis : The remote web server has an information disclosure vulnerability.

Description : The remote host is running a vulnerable version of ColdFusion on Apache. When requesting a non-ColdFusion file, appending a double-encoded null byte and an extension handled by ColdFusion (such as '.cfm') will display the contents of that file. A remote attacker could exploit this to view the source code of other files on the web server (e.g. PHP scripts), which may contain credentials or other sensitive information. This vulnerability is similar to CVE-2006-5858, which affected systems running ColdFusion on IIS. This vulnerability reportedly only affects systems running ColdFusion on Apache.

See also : http://www.adobe.com/support/security/bulletins/apsb09-12.html

Solution : Apply the relevant hotfix referenced in the vendor's advisory.

CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.7 (CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
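
A detection check for the request pattern described in the Nessus output, as an added example that is not part of the original post: the Python sketch below scans Apache access-log lines for request paths that decode to a NUL byte after one or more rounds of percent-decoding, and records whether the server answered with a redirect (what an [R] rewrite rule returns) or handled the request normally. The log lines, addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Client address, raw request target and status from an Apache common/combined log line.
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')


def null_decode_round(path, max_rounds=3):
    """Percent-decode repeatedly; return the round in which a NUL byte appears, else 0."""
    data = path.encode("latin-1", "replace")
    for rnd in range(1, max_rounds + 1):
        decoded = unquote_to_bytes(data)
        if b"\x00" in decoded:
            return rnd
        if decoded == data:  # nothing left to decode
            return 0
        data = decoded
    return 0


def find_encoded_nulls(log_lines):
    """Return one record per request whose path hides an encoded NUL byte."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        path = target.split("?", 1)[0]
        rnd = null_decode_round(path)
        if rnd:
            hits.append({"client": client, "path": path, "rounds": rnd,
                         "cfm": path.lower().endswith(".cfm"),
                         "redirected": 300 <= status < 400})
    return hits


# Constructed log lines (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2011:10:00:00 +0000] "GET /index.cfm?id=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Mar/2011:10:00:05 +0000] "GET /settings.php%2500.cfm HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Mar/2011:10:02:09 +0000] "GET /settings.php%2500.cfm HTTP/1.1" 302 210',
    '192.0.2.10 - - [01/Mar/2011:10:03:12 +0000] "GET /search.cfm?q=50%25+off HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in find_encoded_nulls(SAMPLE_LOG):
        print(hit)
```

A hit with "redirected" false on a server that should have the workaround in place means the rule is not being applied to that virtual host or path.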

 

Workaround Solution – Cold Fusion Transient Error – Invalid Method Signature Options

Occasionally I have run into a strange error which I could never duplicate.

It read something like

Invalid method signature: xxxxxx;)Ljava/lang/Object; null

with different values at xxxxx

I did a bunch of research into the problem and it seems that the end result is that there is a bug in ColdFusion 7 with the “evaluate()” function.
I was querying dynamically named queries and there appeared to be some sort of problem with the class files that were being written.

The solution was to uncheck “Save Class Files” in the ColdFusion Administrator, delete the /cfclasses directory and restart ColdFusion.

Macromedia also said there was a fix released in ColdFusion 7.0.1. (You can find your ColdFusion version by following the simple instructions in Ben’s post.)

Here are links to a forum with some discussion of the error and the update.
Thanks for the help!

http://groups.google.com/group/macromedia.coldfusion.cfml_general_discussion/browse_thread/thread/141919b886eab6c1/2331bff1c8e68e5c

If your ISP has not upgraded to this version yet you can point them to Adobe’s website to get the update.

http://www.adobe.com/support/coldfusion/downloads_updates.html#mx7
