Comments on: ColdFusion shared hosting security and internals http://jochem.vandieten.net/2008/12/15/coldfusion-shared-hosting-security-and-internals/ Jochem's tech exploits Tue, 09 Jun 2026 10:22:38 +0000 http://wordpress.org/?v=2.7 hourly 1 By: Jonathan van Zuijlekom http://jochem.vandieten.net/2008/12/15/coldfusion-shared-hosting-security-and-internals/comment-page-1/#comment-125 Jonathan van Zuijlekom Tue, 16 Dec 2008 09:15:21 +0000 http://jochem.vandieten.net/2008/12/15/coldfusion-shared-hosting-security-and-internals/#comment-125 @Bradley: You're right, using an empty Application.cfc lets you dump (and edit) all application variables. Shouldn't this "feature" be fixed? @Bradley: You’re right, using an empty Application.cfc lets you dump (and edit) all application variables.

Shouldn’t this “feature” be fixed?

]]> By: Bradley Moore http://jochem.vandieten.net/2008/12/15/coldfusion-shared-hosting-security-and-internals/comment-page-1/#comment-119 Bradley Moore Mon, 15 Dec 2008 20:04:23 +0000 http://jochem.vandieten.net/2008/12/15/coldfusion-shared-hosting-security-and-internals/#comment-119 Yarr, Application.cfc code should be <cfcomponent></cfcomponent> Yarr, Application.cfc code should be <cfcomponent></cfcomponent>

]]> By: Bradley Moore http://jochem.vandieten.net/2008/12/15/coldfusion-shared-hosting-security-and-internals/comment-page-1/#comment-118 Bradley Moore Mon, 15 Dec 2008 20:02:48 +0000 http://jochem.vandieten.net/2008/12/15/coldfusion-shared-hosting-security-and-internals/#comment-118 Giving your application uncommon/hard to guess names is helpful, but it only prevents accidental access to your application scope. Targeted/Blanket attacks are possible without the knowledge of your application name. Quick Attack Explaination: // This works on any application on the same CF instance. Attacking my dev machine from itself! Oh, noes. - Startup a few CF applications - Create a new directory on the same CF instance. - Create a new application named an empty string or be lazy and let ColdFusion default the value for you. Application.cfc code: - Create a new page and - Don't Panic There is a bunch of stuff you could careless about, but you will also see every application name and variable stored within the application scope. The amusing bit is these are pointers, so we can also modify them. =( This means anyone else on your shared CF instance can see/modify your application variables. This means you should not store your dsn login information, encryption keys, ssn, credit card data, etc in the application scope. Similarly, if you do know another application name, then you can name your application to the same thing and access their application scope variables. Giving your application uncommon/hard to guess names is helpful, but it only prevents accidental access to your application scope. Targeted/Blanket attacks are possible without the knowledge of your application name.

Quick Attack Explaination:
// This works on any application on the same CF instance. Attacking my dev machine from itself! Oh, noes.

- Startup a few CF applications
- Create a new directory on the same CF instance.
- Create a new application named an empty string or be lazy and let ColdFusion default the value for you.
Application.cfc code:

- Create a new page and
- Don’t Panic

There is a bunch of stuff you could careless about, but you will also see every application name and variable stored within the application scope. The amusing bit is these are pointers, so we can also modify them. =(

This means anyone else on your shared CF instance can see/modify your application variables. This means you should not store your dsn login information, encryption keys, ssn, credit card data, etc in the application scope.

Similarly, if you do know another application name, then you can name your application to the same thing and access their application scope variables.

]]> By: Jonathan van Zuijlekom http://jochem.vandieten.net/2008/12/15/coldfusion-shared-hosting-security-and-internals/comment-page-1/#comment-116 Jonathan van Zuijlekom Mon, 15 Dec 2008 15:35:31 +0000 http://jochem.vandieten.net/2008/12/15/coldfusion-shared-hosting-security-and-internals/#comment-116 The application scope variables are only accessible across applications if the application name is the same. I would advise to use a hard to guess application name The application scope variables are only accessible across applications if the application name is the same. I would advise to use a hard to guess application name

]]>