Skip to main content
Ben Nadel at CFCamp 2023 (Freising, Germany) with: Luis Majano and Jürg Anderegg
Ben Nadel at CFCamp 2023 (Freising, Germany) with: Luis Majano Jürg Anderegg

Target ColdFusion Template Gets Compiled Even If Not Executed

By
Published in Comments (3)

A while back, I had suggested a hack to get ColdFusion-based security on non-ColdFusion files by adding a ".cfm" file extension. Then, in the Application.cfc's OnRequest() event method, intercepting those file requests, checking security permissions, and streaming the requested files (using CFContent). Since the requested file was never being executed (only streamed), it never occurred to me that it would matter what type of file it was.

As Regs pointed out to me, this was an incorrect assumption. Apparently, the requested template gets compiled even if it is never executed. This can cause problems, as he points out, if the file contains ColdFusion-tag-like data that starts with "<cf". To test this, I set up a tiny application that never includes the requested file, but rather a default file. Here is the ColdFusion Application.cfc file:

<cfcomponent
	output="false"
	hint="Handles the application level events and application settings.">


	<!--- Define application settings. --->
	<cfset THIS.Name = "SecurityTest2" />
	<cfset THIS.ApplicationTimeout = CreateTimeSpan( 0, 0, 10, 0 ) />
	<cfset THIS.SessionManagement = false />
	<cfset THIS.SetClientCookies = false />

	<!--- Define page settings. --->
	<cfsetting
		requesttimeout="20"
		showdebugoutput="false"
		/>


	<cffunction
		name="OnRequest"
		access="public"
		returntype="void"
		output="true"
		hint="Fires after pre page processing is complete - when determining which template to ultimately execute.">

		<!--- Define arguments. --->
		<cfargument
			name="TargetPage"
			type="string"
			required="true"
			/>

		<!---
			Include the default page regardless of what page
			was actually requested.
		--->
		<cfinclude template="default.cfm" />

		<!--- Return out. --->
		<cfreturn />
	</cffunction>

</cfcomponent>

Notice that default.cfm is included no matter what happens. This is just a simple HTML file. But, I am gonna put in a bunk index.cfm in that directory:

asdlfj alksdf lkajdf lajlfj ald fladsfs
adfj aldjflajsdf ajsdf asdf alsdflasdlfl
adf adsfasdf asf<cfset adkfjasdlf asdf />
ljlaj dlfjals dfljasd flajsdl fasjdlfj al

Notice the poorly formeed ColdFusion CFSet tag mixed in with the random characters. This is meant to simulate the random text that might show up in a secure file.

Ok, so when the index.cfm ColdFusion template is requested, what I assumed would happen is that the default.cfm template would be executed and everything would go smoothly. But, no; just at Regs pointed out, ColdFusion throws an error:

Invalid CFML construct found on line 3 at column 35. ColdFusion was looking at the following text: asdf The CFML compiler was processing: * a cfset tag beginning on line 3, column 18.

I don't like this behavior. It doesn't feel right. The whole point of a conditional CFInclude tag is that the file only gets executed if it actually gets included. This target page compilation goes against this idea, not to mention it makes my security hack totally unusable.

Want to use code from this post? Check out the license.

Reader Comments

218 Comments

Yeah, the hack is unusable. Unfortunately the best way to secure files is to move them out of webroot and then use:
<CFHTMLHEAD text="<title>Download #finalName#</title>" />
<CFHEADER NAME="content-disposition" VALUE="#theAction#; filename=#finalName#">
<CFCONTENT TYPE="#mimetype#" FILE="#downloadFile.file_name#" DELETEFILE="No">

It sucks, but it's not that bad. You could code up a system rather quickly and you'll never have to think about it again.

27 Comments

At CFUnited this year someone (New Atlanta, Microsoft?) showed how IIS8 can use any ISAPI application to handle IIS requests. I don't recall the exact details but I think one of the examples was for security of any file.

15,902 Comments

@Todd,

Yeah, agreed. Oh well.

@Dan,

I remember that, I think. Was that the presentation about tapping into the "request pipeline" at any point so that CF(BD) could reach in before IIS processes files or something. I vaguely remember it, but much of the presentation went way over my head as I am not very familiar with IIS at all.

I believe in love. I believe in compassion. I believe in human rights. I believe that we can afford to give more of these gifts to the world around us because it costs us nothing to be decent and kind and understanding. And, I want you to know that when you land on this site, you are accepted for who you are, no matter how you identify, what truths you live, or whatever kind of goofy shit makes you feel alive! Rock on with your bad self!
Ben Nadel