Evaluate Remote Code Execution (RCE)
ColdFusion Security Guide

The evaluate() function in CFML can lead to remote code execution attacks. Understand what they are and how to prevent them in this guide.
ColdFusion Developer Security Training Online Class

The Risk

A remote code execution vulnerability allows an attacker to cause code of their own choosing to execute on your server.

This type of attack is just as bad as it sounds, it is a critical vulnerability that should be among your highest priority to mitigate.

A Vulnerable Example

evaluate("form.#name#");

If an attacker can manipulate the value of the #name# variable, then remote code execution is possible.

An Evaluate Example That Is NOT Vulnerable

for (var i=0;i<10;i++) {
    checkbox_value = evalute("form.checkbox_#int(i)#");
}

Not all calls to evaluate are vulnerable to remote code execution. If the string that is being evaluated contains a variable that can be tainted, then it is vulnerable. In the above example we know the value of i is always an integer so it is not vulnerable.

Mitigating Evaluate RCE in CFML

Search your code for the evaluate() function and the precisionEvalute function and replace with a more secure construct.

Mitigating Dynamic Variable Access with Bracket Notation

Our vulnerable example:

evaluate("form.#name#")

Can easily be written using structure bracket notation. Instead of using evaluate to dynamically acces the value of the form field, we can instead write the code as:

form[name]

If you code looks more like this:

evaluate("form.checkbox_#name#")

It can be written in CFML struct notation as:

form["checkbox_#name#"]

Mitigating Dynamic Query Access with Bracket Notation

Another common place we see evaluate is to reference a query column name dynamically, for example

evaluate("myQuery.#columnName#")

Such code can be rewritten using bracket notation as:

myQuery["colName#i#"][myQuery.currentRow]

Mitigating Dynamic Method Invocation Evaluate Calls

The third common way that evaluate is used is to invoke a CFC function dynamically, for example:

evaluate("cfcInstance.get#name#()")

As of ColdFusion 10 we can use the invoke() function to dynamically invoke a function thats name is a variable:

invoke(cfcInstance, "get#name#");

You can also use the cfinvoke tag:

<cfinvoke component="#cfcInstance#" method="get#name#">

Fixinator

Fixinator can find evalute remote code execution vulnerabilities within your CFML source code. In most cases it can even fix them for you by using bracket notation.

Learn More
Fixinator Logo
ColdFusion Security by Foundeo

FuseGuard

FuseGuard is a web application firewall can detect some forms of CFML remote code execution attempts. Always fix critical vulnerabilites like this at the code level.

Learn More