Background
In the last security updates of ColdFusion (ColdFusion (2023 release) Update 7 and ColdFusion (2021 release) Update 13), Adobe released hotfixes that addressed scope injection vulnerabilities. See the tech notes for more information.
What is the patch about
Adobe has released a patch for ColdFusion (2023 release) and ColdFusion (2021 release) that records the unscoped variables found in an application in a log file, so that you can identify them and take corrective action.
The patch applies to ColdFusion (2023 release) Update 6 and higher, and ColdFusion (2021 release) Update 12 and higher. Adobe recommends that you are on Update 6 or higher (2023 release) or Update 12 or higher (2021 release) before applying the patch.
Why should I apply the patch
The patch lets you view all unscoped variables searched during the application run within a log file, unscoped.log.
How do I apply the patch and view the log file
- Copy the patch to cfusion/lib/updates.
- Restart ColdFusion.
View the log file
Set the flag searchimplicitscopes=TRUE in jvm.args or Application.cfc. When you run the application, ColdFusion generates the log file, unscoped.log, in /cfusion/logs.
ColdFusion (2023 release) Update 6 and ColdFusion (2021 release) Update 12 already set searchimplicitscopes=TRUE by default, unless the value has been changed in Application.cfc or Application.cfm.
What does the log file contain
"Information","http-nio-8500-exec-1","04/08/24","17:13:17","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/scope/scope_testing1.cfm:REQUEST.SCOPETESTING,scope:UrlScope"
"Information","http-nio-8500-exec-2","04/08/24","17:16:51","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/debugging/index.cfm:AJAX_ENABLED,scope:FormScope"
"Information","http-nio-8500-exec-2","04/08/24","17:16:51","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/debugging/index.cfm:ENABLED,scope:FormScope"
How do I interpret the log file
ColdFusion logs an unscoped variable whenever the application executes and that variable is resolved by searching the implicit scopes. A variable that is declared but never referenced at runtime is not logged.
If the log file shows that variable {{X}} in template {{Y}} needs to be scoped, manually search for and refactor all references to {{X}} in template {{Y}}.
For example,
In "Information","http-nio-8600-exec-6","03/19/24","19:40:56","cfadmin","/Users/user/codebase/cf_14_hotfix/cfusion/wwwroot/TEST/settings/mappings.cfm:SORTCOLUMN",
- {{X}} is SORTCOLUMN
- {{Y}} is /Users/user/codebase/cf_14_hotfix/cfusion/wwwroot/TEST/settings/mappings.cfm
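As an added example (not Adobe's code or part of the patch), the following Python script parses unscoped.log lines in both formats shown on this page (with and without the ",scope:" suffix) and groups the variables that need scoping by template, so the refactoring list can be worked through file by file. The sample log lines are constructed from the entries above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample lines in the unscoped.log format shown in this tech note.
# The first three carry the ",scope:<Scope>" suffix added in the 04/10/2024
# revision; the last one is the older format without a scope name.
SAMPLE_LOG = r'''"Information","http-nio-8500-exec-1","04/08/24","17:13:17","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/scope/scope_testing1.cfm:REQUEST.SCOPETESTING,scope:UrlScope"
"Information","http-nio-8500-exec-2","04/08/24","17:16:51","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/debugging/index.cfm:AJAX_ENABLED,scope:FormScope"
"Information","http-nio-8500-exec-2","04/08/24","17:16:51","testapp","/Users/user/codebase/cf-main/cfusion/wwwroot/debugging/index.cfm:ENABLED,scope:FormScope"
"Information","http-nio-8600-exec-6","03/19/24","19:40:56","cfadmin","/Users/user/codebase/cf_14_hotfix/cfusion/wwwroot/TEST/settings/mappings.cfm:SORTCOLUMN"
'''

def parse_entry(line):
    """Return (template, variable, scope) for one unscoped.log line, or None.

    The sixth CSV field is '<template>:<VARIABLE>[,scope:<Scope>]'. It is split
    on its last ':' so a Windows drive letter in the path does not break
    parsing; scope is None for lines in the pre-04/10/2024 format.
    """
    line = line.strip()
    if not line:
        return None
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) < 6:
        return None
    message, scope = fields[5], None
    if ",scope:" in message:
        message, scope = message.rsplit(",scope:", 1)
    template, _, variable = message.rpartition(":")
    return template, variable, scope

def build_report(log_text):
    """Group variables needing a scope by template: {template: {VAR: scope}}.
    Each request logs the same lookup again, so repeats collapse to one entry."""
    report = defaultdict(dict)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            template, variable, scope = entry
            report[template][variable] = scope
    return dict(report)

if __name__ == "__main__":
    for template, variables in sorted(build_report(SAMPLE_LOG).items()):
        print(template)
        for name, scope in sorted(variables.items()):
            print(f"  {name}  (resolved from {scope or 'unknown scope'})")
```

Run it against a copy of /cfusion/logs/unscoped.log instead of SAMPLE_LOG to get the per-template checklist for a real application.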
What's next
This patch is meant to help the community generate the report of unscoped variables in an application. After using the patch and identifying the required changes, set the flag back to FALSE, and remove the patch.
Please be aware that this patch could potentially affect the performance of your application.
Document history
- 04/10/2024: The following are the changes to the log file:
  - The log file contains the name of the scope in which the variable exists.
  - Files included using the cfinclude tag are logged.