Can the Request scope variables be tampered/modified using external proxy tools?

As we already know, the URL and FORM scope variables can be modified using external proxy tools.

For example, if someone makes a request like this - http://website/index.cfm?a=1&b=2

This way one can add values to URL scope of a .cfm page.

Similarly, is there any way to add/alter a value in the request scope in ColdFusion without it being set in code explicitly?

I am asking this because we have code like this in one of the CFM pages.

<cfset request.uploadFileDir = application.fileDir & "\upload" />
<cffile action="upload" accept="application/pdf" destination="#REQUEST.uploadFileDir#" filefield="brochure" nameconflict="makeunique"/>

The security team is saying that the above code is vulnerable because the REQUEST scope in JAVA can be tampered with/altered by external proxy tools. And since ColdFusion is built on JAVA, ColdFusion's REQUEST can also be tampered with by external proxy tools. Is this a right assumption? Are the JAVA and ColdFusion REQUEST scopes the same?

And finally the main question - is there any way for an external request to the page in the example above to modify the REQUEST scope or, to be more precise, the REQUEST.uploadFileDir variable?

Tinfoil answered 15/2, 2018 at 19:3 Comment(7)
What part of a java request do they say can be tampered with? With jsp/servlets, I get the impression there's two parts of the request scope: get/setParameter() and get/setAttribute(). The "parameters" are more like the URL scope, and like you said, can be modified. Whereas "attributes" are local server variables and can't be modified AFAIK. https://mcmap.net/q/98230/-difference-between-getattribute-and-getparameter - Moriah
My opinion is that request scope variables can only be defined and assigned values in the programming code. That means they can't be altered directly. However, if you are assigning a value from the form or url scope, then they can be indirectly altered. In your case, look at how REQUEST.uploadFileDir receives its value. - Emsmus
Attackers using scope injection can potentially pass in variables from the url or form. Pete Freitag has a short writeup on how this is accomplished here and how to mitigate the threat: petefreitag.com/item/834.cfm - Baily
"Whereas "attributes" are local server variables " ... so CF's request scope is more akin to "attributes", and can only be modified on the server. So as long as application.fileDir doesn't use client supplied values (like hard coded string, etc...) it's safe. - Moriah
@Ageax I guess they are saying about "parameters". In ColdFusion you retrieve them by using "URL" (to get Query Strings) and "FORM" (to retrieve POST data) scopes. Based on the link you provided it seems like "REQUEST" scope in ColdFusion is more like "ATTRIBUTE" in JAVA and that it cannot be modified. Thanks for providing initial reference. - Tinfoil
@DanBracuk That seems like an answer. REQUEST.uploadFileDir is not using any URL or FORM scope variables for setting its value. Only application scope is being used to set it. So it cannot be modified by any proxy tool or request to the page. You can post it as answer. - Tinfoil
@Tinfoil - Oops, I misread your comment. Yes, what I was saying is CF's "request" scope is like request.get/setAttributes() and can't be modified outside the server (other than indirectly as Dan mentioned later). CF's URL/FORM is like request.get/setParameters. You can also run some tests to see the behavior yourself using a JSP page: helpx.adobe.com/coldfusion/developing-applications/ - Moriah

Transferred from comments with the blessing of the OP.

My opinion is that request scope variables can only be defined and assigned values in the programming code. That means they can't be altered directly. However, if you are assigning a value from the form or url scope, then they can be indirectly altered. In your case, look at how REQUEST.uploadFileDir receives its value.

More info.

The request scope is available to any programming file used in the page request, such as the actual page, included files, and custom tags. Here is an example that can be altered.

request.foo = url.foo;

Here is an example that can't.

if (this is a development ColdFusion environment)
    request.dsn = "development database";
else
    request.dsn = "production database";

There is a time and place for everything. Most of my work does not use the request scope. One application does.

Emsmus answered 16/2, 2018 at 3:14 Comment(0)

(Promoting this from comments so the references are easier to find.)

What part of a java request do they say can be tampered with? With jsp/servlets, there seem to be 2 parts of the Request scope:

  • Parameters - request.get/setParameter()

    Java's request "Parameters" are more like ColdFusion's URL and FORM scopes, and like you said, those can be modified by the client or external tools. That's probably what they're thinking of when they talk about client tampering.

  • Attributes - request.get/setAttribute()

    "Attributes" are local server variables which can't be modified outside the server. CF's "request" scope is more akin to this. It can only be modified on the server, AFAIK. (Obviously, it can still be manipulated indirectly as Dan said).

If you're curious, run some tests on your DEV server using a .jsp and .cfm script to see how java's "Request" scope differs from ColdFusion's.

TL;DR;

I think they're wrong. ColdFusion's "Request" scope is not the same as Java's.

Moriah answered 15/2, 2018 at 22:12 Comment(2)
Thanks for clarifying the two questions related to JAVA. I am voting this as it answers two of my questions. But since the main question was answered by Dan I am marking it as answer. Really wish I could have option to mark you both as answer since both address the questions partly. - Tinfoil
Glad it helped. - Moriah
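
A test page of the kind both answers describe, as an added example that is not part of the original posts: it sets a request variable server-side, copies one client value into the request scope on purpose, and dumps which scopes the query-string or form parameters actually reached. The file name, the `baseDir` value and the parameter names `uploadFileDir` and `foo` are assumptions chosen for the test.

```cfml
<!--- scopeTest.cfm (hypothetical file name). Run on a DEV server only, e.g.
      scopeTest.cfm?uploadFileDir=fromClient&foo=fromClient --->
<cfscript>
// Constructed stand-in for application.fileDir in the question.
baseDir = "D:\app\files";
expectedDir = baseDir & "\upload";

// Server-side assignment, as in the question: no client input is involved.
request.uploadFileDir = expectedDir;

// The indirect case from the answer: code copies a client value into the scope.
if (structKeyExists(url, "foo")) {
    request.foo = url.foo;
}

results = {
    // Client parameter present in the URL scope?
    urlHasUploadFileDir = structKeyExists(url, "uploadFileDir"),
    // Client parameter present in the FORM scope (when sent by POST)?
    formHasUploadFileDir = structKeyExists(form, "uploadFileDir"),
    // Does the request variable still hold the server-side value?
    requestValueIntact = (request.uploadFileDir eq expectedDir),
    // Does request.foo exist only because the code above copied url.foo?
    requestFooCopiedFromUrl = structKeyExists(request, "foo")
};

writeDump(var = results, label = "Scope checks");
writeDump(var = request, label = "REQUEST scope contents");
</cfscript>
```

Comparing the two dumps with and without the query string shows which request keys depend on client input, which is the audit to run on any code path that feeds `cffile destination`.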