Scope Injection
ColdFusion Security Guide

Understanding CFML Scope Injection Vulnerabilities and how they can be fixed in ColdFusion / CFML code.

The Risk

Using scope injection, an attacker can supply a value for a variable that is not defined. This can, for example, allow an attacker to supply a value for a variable that should live in the session or application scope.

Vulnerable Example

// Vulnerable: session.is_logged_in is read without checking that it exists
if (!session.is_logged_in) {
    if ( userService.isAuthentic(username, password) ) {
        session.is_logged_in = true;
    }
}

In this example, if session.is_logged_in is not defined, the value can be supplied through a different scope, for example:

page.cfm?session.is_logged_in=true

The variable defined above is technically url.session.is_logged_in; however, due to scope cascading in CFML, it would be used in the if statement above if session.is_logged_in were undefined.

Mitigating Scope Injection in CFML

Several techniques can be used to mitigate this type of issue. The first and simplest is to use structure functions to ensure that the variable is defined in the scope we are expecting:

// Only the session scope itself is consulted; a missing key is treated as not logged in
if (!session.keyExists("is_logged_in") || !session.is_logged_in ) {
    //...
}

Second, ensure that your sensitive variables are always defined. A good way to do this is in the onSessionStart, onApplicationStart or onRequestStart lifecycle methods in Application.cfc:

// In Application.cfc: give the flag a safe default the moment the session is created
public void function onSessionStart() {
    session.is_logged_in = false;
}

Finally, you can disable scope cascading. The only drawback of this approach is that all of your code must explicitly reference a scope for every variable access. For example, if you use #whatever# instead of the explicitly scoped #form.whatever#, your code relies on scope cascading and you cannot disable it until the code is fixed.

Disable Scope Cascading in Adobe ColdFusion

In your Application.cfc add:

this.searchImplicitScopes = false;

Don't forget your code has to be written in such a way that it doesn't rely on scope cascading for this option to work.
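Pulling the three mitigations together, as an added example that is not part of the original guide: an Application.cfc that disables scope cascading and defines the session flag up front, plus a login page that scopes every reference explicitly. The UserService component and its isAuthentic() method are assumed, and the application name is constructed.

```cfml
// ---- Application.cfc (added example, not the guide's own code) ----
component {
    this.name = "scopeInjectionDemo";        // constructed application name
    this.sessionManagement = true;
    // No scope cascading: an unscoped name never resolves to url/form/cookie
    this.searchImplicitScopes = false;

    public boolean function onApplicationStart() {
        // assumed component providing isAuthentic(username, password)
        application.userService = new UserService();
        return true;
    }

    public void function onSessionStart() {
        // Every sensitive session key gets an explicit default, so an
        // attacker-supplied url.session.is_logged_in is never consulted
        session.is_logged_in = false;
    }
}

// ---- login.cfm (explicit scope on every reference) ----
<cfscript>
// Trust the flag only when it exists in the session scope and is boolean
variables.isLoggedIn = structKeyExists(session, "is_logged_in")
    && isBoolean(session.is_logged_in)
    && session.is_logged_in;

if (!variables.isLoggedIn) {
    // Credentials are read from the form scope only; a missing field is a
    // failed login, not a fall-through to url, cgi or cookie
    if (structKeyExists(form, "username") && structKeyExists(form, "password")
        && application.userService.isAuthentic(form.username, form.password)) {
        session.is_logged_in = true;
    }
}
</cfscript>
```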

Mitigating with FuseGuard

FuseGuard provides a ScopeInjectionFilter which can block requests containing dotted variable names. You should, however, still fix your code even if you use FuseGuard.


FuseGuard

FuseGuard is a web application firewall that will block several forms of scope injection attacks. It runs onRequestStart in your Application.cfc to protect your CFML application. Even though FuseGuard adds protection, it is always best to fix these issues directly in your code.
