Adobe has published a ColdFusion Security Hotfix APSB24-14 today which describes “a critical vulnerability that could lead to arbitrary file system read”.

One of the things you will want to take special note of in this hotfix is that a major change was made to how ColdFusion handles unscoped variables. According to the technote:

Starting with this update, ColdFusion will default to searchimplicitscopes=FALSE and if a variable name is not prefixed with a scope identifier, an error is returned*

* Clarification: not all unscoped variables will throw an error. It will throw an error (coldfusion.runtime.UndefinedVariableException: Variable X is undefined) if the unscoped variable is only defined in the form, url, cgi or cookie scopes.

What will break:

This means that if you have some code like this:

<cfoutput encodefor="html">
Hi, my name is: #name#
</cfoutput>

With searchImplicitScopes=false you can no longer use #name# as a shortcut for #url.name# or #form.name#, etc.

So the above code would need to be rewritten to explicitly name the scope, for example:

<cfoutput encodefor="html">
Hi, my name is: #form.name#
</cfoutput>

What will still work:

Code like this will still work:

<cfset name="Pete">
<cfoutput encodefor="html">
Hi, my name is: #name#
</cfoutput>

This still works because ColdFusion searches the variables scope and finds the name variable I set there.

In a function the arguments or local scope will be searched, but it will not cascade to additional scopes. So the following code will still work fine with searchImplicitScopes=false:

function greet(name="Pete") {
    var greeting = "Hi ";
    return greeting & name;
}

Use of unscoped query variables will also continue to work, so something like this still works:

<cfoutput query="news" encodefor="html">
  #story#
</cfoutput>

Assuming that story is a column in the news query.

Workarounds

You can disable this change by setting this.searchImplicitScopes=true in Application.cfc, or <cfapplication searchImplicitScopes="true"> in Application.cfm, or globally by adding the system property -Dcoldfusion.searchimplicitscopes=true, however Adobe says:

This option is highly discouraged and should be considered only as a temporary workaround, until all application code is fixed

Please also note that Adobe states:

The JVM flag -Dcoldfusion.searchimplicitscopes will be removed in the next major release of ColdFusion

I would assume that the Application level settings will remain intact, but that remains to be seen.
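To make the setting explicit and to locate the references that need fixing, here is an Application.cfc I put together as an added example (it is not from the hotfix or Adobe's patch). It assumes an application named myApp and that the exception passed to onError exposes message and tagContext the same way cfcatch does; the log file name is arbitrary.

```cfml
component {
    this.name = "myApp";

    // Set this explicitly so behavior does not depend on the hotfix default
    // or on the -Dcoldfusion.searchimplicitscopes JVM flag, which Adobe says
    // will be removed. Only flip it to true as a temporary workaround.
    this.searchImplicitScopes = false;

    public void function onError(required any exception, required string eventName) {
        // With implicit scope searching off, an unscoped reference to a
        // form/url/cgi/cookie variable surfaces as "Variable X is undefined".
        // Log the template and line so the reference can be rewritten with an
        // explicit scope (for example #form.name# instead of #name#).
        if (findNoCase("is undefined", arguments.exception.message)) {
            var where = "unknown";
            if (structKeyExists(arguments.exception, "tagContext")
                    && arrayLen(arguments.exception.tagContext)) {
                where = arguments.exception.tagContext[1].template
                    & ":" & arguments.exception.tagContext[1].line;
            }
            // Assumed log file name; adjust to your logging conventions.
            writeLog(file="unscoped-variables",
                     text="#arguments.exception.message# at #where#");
        }
        // Do not echo the exception details back to the client.
        writeOutput("An error occurred.");
    }
}
```

Review the unscoped-variables log after exercising the application; each entry points at a template and line that still relies on implicit scope searching.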

It is not really clear what risk Adobe is addressing with this change; it would be great to get more information from Adobe on this.

There is a risk with unscoped variables that I call scope injection; I don’t know whether it is related to this issue or not. I have been talking about scope injection in my ColdFusion security training class, and I first wrote about it on my blog back in 2015.

To help find this issue in your code, I am considering adding a scanner to find un-scoped variables to my CFML code security scanner, Fixinator. Please let me know if you’d like to see that feature added to Fixinator.

UPDATE: On March 24, 2024 I added the ability for Fixinator to find and fix unscoped variables in your ColdFusion code.

UPDATE: On April 1, 2024 Adobe released a patch that logs unscoped variables.

ColdFusion searchImplicitScopes and APSB24-14 was first published on March 12, 2024.
