Is it possible to modify REQUEST scope variables using external proxy tools?

As we already know, URL and FORM scope variables can be changed using external proxy tools.

For example, if someone makes a request such as http://website/index.cfm?a=1&b=2

then values are added to the URL scope of the .cfm page.

Similarly, is there a way to add or change a value in the REQUEST scope in ColdFusion without explicitly setting it in the code?

I am asking because we have the following code on a CFM page.

 <!--- upload directory is derived from an application-scope setting, not from client input --->
 <cfset request.uploadFileDir = application.fileDir & "\upload" />
 <cffile action="upload"
         accept="application/pdf"
         destination="#REQUEST.uploadFileDir#"
         filefield="brochure"
         nameconflict="makeunique" />

The security team says the code above is vulnerable because Java's request scope can be tampered with by external proxy tools, and since ColdFusion is based on Java, the ColdFusion REQUEST scope can also be faked with external proxy tools. Is this assumption correct? Are the Java and ColdFusion REQUEST scopes the same thing?

And finally, the main question: is there a way to externally request the page in the example above so as to change the REQUEST scope, or more precisely the REQUEST.uploadFileDir variable?

+5
2 answers

Promoted from the comments with the OP's blessing.

My view is that request scope variables can only be defined and assigned values in the program code. This means they cannot be changed directly. However, if you assign them a value from the FORM or URL scope, they can be changed indirectly. In your case, look at how REQUEST.uploadFileDir gets its value.

Additional information:

The request scope is available to every code file used in the page request, such as the page itself, included files and custom tags. Here is an example that can be changed:

 request.foo = url.foo; 

Here is an example that cannot:

 // "isDevelopmentServer" stands in for whatever test identifies a development ColdFusion environment in your setup
 if (isDevelopmentServer) {
     request.dsn = "development database";
 } else {
     request.dsn = "production database";
 }

There is a time and place for everything. Most of my work does not use the request scope. One application does.

+2

(Promoting this from the comments so the links are easier to find.)

Which part of the Java request do they say can be faked? With JSP/servlets, there seem to be two parts of the request scope:

  • Parameters - request.get/setParameter()

    Java request parameters are more like ColdFusion's URL and FORM scopes and, as you said, can be modified by the client or external tools. This is probably what they have in mind when they talk about client-side faking.

  • Attributes - request.get/setAttribute()

    Attributes are server-local variables that cannot be changed from outside the server. The ColdFusion "request scope" is more akin to this. AFAIK it can only be changed on the server. (Obviously, it can still be manipulated indirectly, as Dan said.)

If you're interested, run a few tests on your DEV server using a .jsp and a .cfm script to see how the Java request scope differs from ColdFusion's.

TL;DR

I think they are wrong. The ColdFusion request scope is not the same as Java's.

+4
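The following servlet filter and servlet are an added illustration of the distinction drawn in both answers; they are not code from the original thread. They show the two halves of the Java request the second answer names (parameters, which any proxy can set, and attributes, which only server code can set), and the indirect route the first answer warns about (server code copying a parameter into an attribute), next to an allow-list that keeps the client's choice from becoming a path. The base directory /var/www/files, the attribute names and the ?dir= parameter are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original thread). Runs before the servlet and
 * populates request attributes on the server side, which is the servlet
 * analogue of <cfset request.uploadFileDir = application.fileDir & "\upload">.
 */
@WebFilter("/upload")
public class UploadDirFilter implements Filter {
    // Assumed base directory, standing in for application.fileDir.
    private static final Path BASE_DIR = Paths.get("/var/www/files");

    // Only these sub-directories may ever be chosen by a client.
    private static final Map<String, String> ALLOWED_DIRS = Map.of(
            "brochure", "upload/brochure",
            "datasheet", "upload/datasheet");

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // 1. Attribute set purely from server-side data. A proxy cannot reach
        //    this: there is no wire representation of request attributes.
        req.setAttribute("uploadFileDir", BASE_DIR.resolve("upload"));

        // 2. The indirect route from the first answer. Copying a client
        //    parameter straight into an attribute hands the proxy user control
        //    of the path (e.g. ?dir=../../etc). Left commented out on purpose:
        //    req.setAttribute("uploadFileDir", BASE_DIR.resolve(req.getParameter("dir")));

        // 3. Letting the client choose safely: the parameter is only a key
        //    into an allow-list, never a path component itself.
        String wanted = req.getParameter("dir");                   // client-controlled
        String safeSub = ALLOWED_DIRS.getOrDefault(wanted == null ? "" : wanted, "upload");
        req.setAttribute("brochureDir", BASE_DIR.resolve(safeSub).normalize());

        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {}
}

/** Consumer of the attributes; the analogue of the page with <cffile action="upload">. */
@WebServlet("/upload")
class UploadServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Attributes written by the filter: trustworthy, because only code
        // running inside the server can call setAttribute().
        Path dest = (Path) req.getAttribute("uploadFileDir");
        Path safeDest = (Path) req.getAttribute("brochureDir");

        // A proxy that adds a form field or query parameter named
        // "uploadFileDir" lands here, in getParameter(), not in the attribute.
        String clientSupplied = req.getParameter("uploadFileDir"); // null unless the client sent it

        resp.setContentType("text/plain");
        resp.getWriter().println("server-chosen upload dir    : " + dest);
        resp.getWriter().println("allow-listed upload dir     : " + safeDest);
        resp.getWriter().println("client parameter (untrusted): " + clientSupplied);
    }
}
```

Deploying this in a servlet container and sending POST /upload?dir=brochure&uploadFileDir=../../etc through a proxy shows the point of both answers: the attributes keep the server-derived paths, and the attacker's value appears only as an untrusted parameter. The same holds for ColdFusion's REQUEST scope, which the container exposes to no one outside the JVM; it becomes attacker-influenced only when a page assigns into it from URL or FORM.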

Source: https://habr.com/ru/post/1275383/