Evaluate Remote Code Execution (RCE)
ColdFusion Security Guide
The evaluate() function in CFML can lead to remote code execution attacks. Understand what they are and how to prevent them in this guide.
The Risk
A remote code execution vulnerability allows an attacker to cause code of their own choosing to execute on your ColdFusion or CFML server.
This type of attack is just as bad as it sounds: it is a critical vulnerability that should be among your highest priorities to mitigate.
A Vulnerable Example
evaluate("form.#name#");
If an attacker can manipulate the value of the #name#
variable, then remote code execution is possible.
An Evaluate Example That Is NOT Vulnerable
for (var i=0;i<10;i++) {
checkbox_value = evaluate("form.checkbox_#int(i)#");
}
Not all calls to evaluate are vulnerable to remote code execution. If the string that is being evaluated contains a variable that can be tainted, then it is vulnerable. In the above example we know the value of i is always an integer, so it is not vulnerable.
Mitigating Evaluate RCE in CFML
Search your code for the evaluate() function and the precisionEvaluate() function and replace each call with a more secure construct.
Mitigating Dynamic Variable Access with Bracket Notation
Our vulnerable example:
evaluate("form.#name#")
Can easily be written using structure bracket notation. Instead of using evaluate to dynamically access the value of the form field, we can instead write the code as:
form[name]
If your code looks more like this:
evaluate("form.checkbox_#name#")
It can be written in CFML struct notation as:
form["checkbox_#name#"]
Mitigating Dynamic Query Access with Bracket Notation
Another common place we see evaluate is to reference a query column name dynamically, for example:
evaluate("myQuery.#columnName#")
Such code can be rewritten using bracket notation as:
myQuery[columnName][myQuery.currentRow]
Mitigating Dynamic Method Invocation Evaluate Calls
The third common way that evaluate is used is to invoke a CFC function dynamically, for example:
evaluate("cfcInstance.get#name#()")
As of ColdFusion 10 we can use the invoke() function to dynamically invoke a function whose name is held in a variable:
invoke(cfcInstance, "get#name#");
You can also use the cfinvoke
tag:
<cfinvoke component="#cfcInstance#" method="get#name#">
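The three rewrites above collected in one cfscript block, as an added example that is not code from the original guide. It pairs each bracket-notation or invoke() form with an allow-list check on the client-supplied name, since bracket notation removes the code-execution risk but not the need to validate which field, column or method a client may pick. The request data and query rows are constructed inline so the block runs outside a request; `bean` is a hypothetical CFC instance assumed to expose getName() and getEmail().

```cfml
<cfscript>
// Added example, not from the original guide. Constructed stand-in for form
// data so the block runs without a real request.
input = { "field": "email", "email": "ann@example.com",
          "checkbox_2": "yes", "checkbox_7": "yes",
          "column": "name", "method": "Email" };

// The only dynamic names we accept from a client (allow list).
allowed = ["email", "name"];

function assertAllowed(required string name) {
    if (!arrayContainsNoCase(allowed, arguments.name)) {
        throw(type="Application", message="Unexpected dynamic name: #arguments.name#");
    }
}

// 1. evaluate("form.#name#")  ->  form[name]
assertAllowed(input.field);
fieldValue = structKeyExists(input, input.field) ? input[input.field] : "";

// 2. evaluate("form.checkbox_#int(i)#")  ->  form["checkbox_#i#"]
//    The index is ours, not the client's, so no allow-list check is needed.
checked = [];
for (i = 1; i <= 10; i++) {
    if (structKeyExists(input, "checkbox_#i#")) arrayAppend(checked, i);
}

// 3. evaluate("myQuery.#columnName#")  ->  myQuery[columnName][row]
rs = queryNew("id,email,name", "integer,varchar,varchar",
    [[1, "ann@example.com", "Ann"], [2, "bob@example.com", "Bob"]]);  // constructed rows
assertAllowed(input.column);
values = [];
for (row = 1; row <= rs.recordCount; row++) {
    arrayAppend(values, rs[input.column][row]);
}

// 4. evaluate("cfcInstance.get#name#()")  ->  invoke(cfcInstance, "get#name#")
//    `bean` is a hypothetical CFC instance (see lead-in); the same allow list
//    restricts the method suffix to getEmail()/getName().
assertAllowed(input.method);
// result = invoke(bean, "get#input.method#");

writeDump(var={ field: fieldValue, checked: checked, values: values });
</cfscript>
```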
Fixinator
Fixinator can find evaluate remote code execution vulnerabilities within your CFML or ColdFusion source code. In most cases it can even fix a ColdFusion evaluate security vulnerability for you by using bracket notation.
FuseGuard
FuseGuard is a web application firewall that can detect some forms of CFML remote code execution attempts. Always fix critical vulnerabilities like this at the code level.