Archive for category Bugs

ColdFusion: XSS Vulnerability in SerializeJSON()

There is a minor vulnerability in ColdFusion’s SerializeJSON() method. ColdFusion fails to escape object keys correctly.

Here is a typical example of the expected way to use SerializeJSON():

The output of this is:

The bug is that object keys are not properly escaped, so if you have an object such as a Struct with a specially designed key, you can inject javascript code where it was not intended:

The result of which is:

As you can see, the generated javascript will be parsed by the browser successfully – except where we only intended to communicate data, we instead executed a function.

So what’s the danger?
The problem is that some users may wish to give easy access to GET and POST (URL/FORM) variables to their client-side javascript – maybe some of these parameters affect how you output data for example. If you just SerializeJSON() the URL or FORM variable, then you may unintentionally be allowing user-supplied data to execute in your page context, which can result in cookie stealing, malicious script injection, and other nasty things like that, by the user including javascript code as the name of a URL argument. Actually exploiting that takes some creativity due to ColdFusion automatically upper-casing URL keys, but that’s a one-time exercise which I’ll leave for the reader (sorry script kiddies).

SerializeJSON() should be safe, it should only create a JavaScript object which represents the data, and should not allow for script injection. The fix for Adobe would be incredibly simple; all they would have to do is escape object keys the same way they already escape output strings.

No Comments

ColdFusion: SerializeJSON() Recursion Error

In ColdFusion 8, Adobe introduced a new function called SerializeJSON(), which takes a single object of just about any type and returns a JSON representation of that object and its properties.  This can include objects which are not native ColdFusion types such as a Java object, and it does a respectable job of figuring out values for this object to include in the JSON by automatically and recursively including the values of any zero-parameter methods which start with ‘get’ such as ‘getName(),’ ‘getAddress(),’ etc.

In theory this works well because for essentially no additional effort, you can send a JavaScript representation of this class down to the browser and interact with it there.

There are a number of shortcomings to this approach though, not the least of which is the inability to filter what properties of a Java object are exposed to the browser when serializing it.  Sometimes objects have sensitive data stored in them which you do not want to expose.  For example if you had a page which details a user’s profile, and you store the properties of this user in a Java bean, you cannot simply pass the same copy of the user object down to the browser through SerializeJSON() as you might be tempted, as this may contain sensitive values such as getPasswordHash() or getAdministrativeNotes() (something I use in  to keep private notes on users especially for when a user has a history of abusive behavior).

However there’s an outright bug in the serialization routine which is essentially unrecoverable if you encounter it.  We first discovered it at work when working with a Java enum data type; having a getter or property whose value was a Java enum will cause you to get a stack overflow exception.  For example:

If you create an instance of this object, you can see the error:

This actually fails on a level that a normal try/catch cannot recover from it. The only way to see the actual error is to handle the error from an Application.cfc onError() method. Here is the error:

The problem is that enums are actually for the most part a java sub-class which have public final static properties for each of the possible enum values. ColdFusion is attempting to serialize the public final static property which is the same class as itself, and this ends up creating a circular reference as far as ColdFusion is concerned. It’s not actually a circular reference in the traditional sense; static class properties are not subject to reference counters and garbage collection – they are part of the permanent generation in Java. The “circular” reference is also created by the compiler and are an endemic aspect of enums.

As already stated, the problem is not limited to java enums, that’s just the first place we noticed it. Common Java design patterns like the Singleton pattern will raise this error as well, if the singleton accessor begins with ‘get’ or the static instance is public:

What can be done to fix it? From an implementation perspective you would have to change your object interface to avoid the problem as it exists today in ColdFusion 8. Essentially you need to be sure that there are no getters or public static properties which may back-reference to the owning class. If you require such, you must put them behind a getter instead of a public static property, and you must also make sure that getter doesn’t start with ‘get’. Essentially you have to kludge the crap out of your Java objects.

From Adobe’s perspective they need to detect a recursion loop and avoid it. Alternately they could provide a way to overload the JSON output for a java object (eg if they test for the existence of a toJSON() method and use its output instead of constructing the object properties themselves). Ideally they would do both, but although this latter approach would offload much of the work to individual developers, it would also give the develoer a way to filter the properties which were output as part of the JSON implementation of an object. The developer could even create flags on the object that allow them to select from several sets of specific properties as necessary (for example, setJSONPrivilege(PUBLIC | PRIVATE) ).

No Comments