Public functions become remotely accessible by implementing onCFCRequest()

SOME BACKGROUND:

I use onCFCRequest() to handle remote CFC calls separately from regular CFM page requests. This allows me to detect errors and set MIME types for all remote requests.

PROBLEM:

I accidentally set some of my remote CFC functions to public access instead of remote and realized that they still work when called remotely.

As you can see below, my implementation of onCFCRequest() opened a security hole in my entire application: an HTTP request could be used to call any public method of any HTTP-accessible CFC.

REPRO CODE:

In Application.cfc:

  // Every remote CFC request is routed through this handler.
  // The method is invoked purely on the basis of its name: nothing checks
  // whether it was declared access="remote" before it is run.
  public any function onCFCRequest(string cfc, string method, struct args) {
      cfc = createObject('component', cfc);
      return evaluate('cfc.#method#(argumentCollection=args)');
  }

In a CFC called remotely:

  // Declared public, not remote, yet still reachable over HTTP via onCFCRequest().
  public any function publicFunction() {
      return 'Public function called remotely!';
  }

Question:

I know that I can check the metadata for a component before calling the method to check if it allows remote access, but are there other ways to solve this problem?

+7
1 answer

onCfcRequest() doesn't really create a security hole; you create a security hole by blindly invoking a method without checking whether it really should be allowed, I'm afraid ;-)

(NB: I made exactly the same mistake myself, so I'm not having a go at you ;-)

So, yes, you need to check the metadata before running the method. This check is one of the things that CF hands back to you when you use this handler, and it has been explicitly implemented that way (see 3039293).

I wrote a description of the problem and a solution on the blog. As noted in the comment below, I use some code there, invoke(), which will only work on CF10+, but the general method remains the same.

+6
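The metadata check the answer describes, written out as an added example (this is not the answerer's blog code or the question's Application.cfc). It assumes CF10+ for invoke(); the helper name isRemoteMethod() and the use of a 403 status are my own choices. getMetaData() only lists a component's own functions, so the helper walks the extends chain to cover inherited methods, and it treats a missing access attribute as public (CF's default), i.e. not remote.

```cfml
component {

    this.name = "onCfcRequestHardenedDemo";

    // Hardened version of the handler from the question (added example, not the poster's code).
    public any function onCFCRequest(string cfc, string method, struct args) {
        // Instantiate the CFC by the dotted path CF hands us for the remote request.
        var target = createObject("component", arguments.cfc);

        // Refuse anything that was not explicitly declared access="remote".
        if (!isRemoteMethod(target, arguments.method)) {
            // Hypothetical policy: answer 403 and stop processing the request.
            getPageContext().getResponse().setStatus(403);
            abort;
        }

        // invoke() (CF10+) calls the method by name without building a string for evaluate().
        var result = invoke(target, arguments.method, arguments.args);

        // Central place to set the MIME type for all remote responses, as in the question.
        getPageContext().getResponse().setContentType("application/json");
        return serializeJSON(result);
    }

    // Returns true only if methodName is declared with access="remote" somewhere in the
    // component's inheritance chain. Helper name is hypothetical.
    private boolean function isRemoteMethod(required any target, required string methodName) {
        var md = getMetaData(arguments.target);

        // Walk up via md.extends: getMetaData() lists only the component's own functions.
        while (isStruct(md)) {
            if (structKeyExists(md, "functions")) {
                for (var fn in md.functions) {
                    if (compareNoCase(fn.name, arguments.methodName) == 0) {
                        // No access attribute means "public" by default, which is not remote.
                        return structKeyExists(fn, "access") && lCase(fn.access) == "remote";
                    }
                }
            }
            md = structKeyExists(md, "extends") ? md.extends : "";
        }

        // Method not found anywhere in the chain: deny rather than let CF throw later.
        return false;
    }
}
```

With this in place, publicFunction() from the question is rejected with a 403, while a method declared with access="remote" is invoked exactly as before; the 403-and-abort branch is one reasonable policy, and routing the refusal into onError() instead would be equally valid.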
