hello all. i just got alerted by a customer of ours who does external pen tests on their websites on our servers that there would be a possible vulnerability on cf2018 that was still available on our server, even if it was patched a long time ago. according to their info, CVE-2023-38205 was effecting cf 2018 update 18 and earlier. our server has update 19 installed and was still attackable. see screenshot 1. on one of our dev servers (cf2018 update 19 as well), that worked too. see screenshot 2. the url we tested with: https://dev14.nextron.ch/hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo (now brings a basic auth window, see below - but use if on your own servers to test) we even installed the new update 10 and it still works. what we now did to mitigate was a filter on apache level:

<LocationMatch ".*CFIDE/.*">
    AuthName "ColdFusion Administrator"
    AuthType Basic
    AuthUserFile [redacted path]/passwd.txt
    <RequireAny>
        Require valid-user
    </RequireAny>
</LocationMatch>

that, at least, throws a basic authentication window (we don't use any of the cfide functions on our front facing projects, so that is not an issue). but does anybody know what we missed? just to make sure and that we can tell our customer that we (believe) we did everything right. we use jdk-11.0.20 on daily running, and jdk-11.0.13 for installing updates. cheerios and thanks, lukas

If URLs in the format of

/..something/

lead to a bypass of your expected web access control, it's possible that you have a vulnerability due to an Aliasing or Re-write rule in a web server, load balancer, reverse proxy, etc. somewhere in your stack. You'll probably want to sort out the root cause and fix that too. I'd suggest one tweak to your fix -- change the match to

<LocationMatch "(?i).*CFIDE.*">

. And if you want to block access outright, instead of prompt for a password. this is from the CF Lockdown guide (https://www.adobe.com/content/dam/cc/us/en/products/coldfusion/pdfs/cf-starter-kits/coldfusion-2021-lockdown-guide-1.1.pdf) 5.8.2 Blocking URIs in Apache -

RedirectMatch 404 (?i).*/CFIDE.*

ColdFusion Connector security and access control can be tricky, and Adobe's response to bypass techniques has been "run the lockdown tool." So for now, I'd recommend that or manually implementing the web access control that's done by the lockdown tool.

ok. thanks for that info. was expeciting that update 19 would have fixed that on the full stack. not only on 8500 (which is, of course, not public available).

I'd also strongly recommend that you add trusted IP addresses under "Security > Allowed IP Addresses" if you can. Although I'm not 100% clear on how that will work / how IP addresses are identified if you need to allow external addresses through the Connector to CFAdmin components

You need to correct your config, it should be :

<LocationMatch "^/CFIDE/">

AuthName "ColdFusion Administrator" AuthType Basic AuthUserFile [redacted path]/passwd.txt Require valid-user </LocationMatch>

@Evil Ware your config above is able to be bypassed in multiple ways, including Lukas' original example of

/hax/..CFIDE/

Apache does some URI normalization, but that will get through

I wasn't clear enough --- use mod_proxy https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass Here is what you will do. Set up your default site to 127.0.01 and add an entry to the hosts file, making sure ip6 and ipv4 localhost is defined. Start CF normally. Now go back to Apaches config define your main ie default site to "localhost" , add a vhost for xyzdomain. in the config for xyzdomain you add your proxy request for CFC/CFML Yes, you would still need to do more than just blindly cut and paste this below, but add it with proper response headers and its locked down.

<VirtualHost mydomain>  --

ProxyPreserveHost On <Location ^/CFIDE/> ProxyPass https://mydomain/ ProxyPassReverse https://mydomain/ AuthType Basic AuthName "Authorization" AuthUserFile /path/someplace require valid-user </Location> </VirtualHost>