Tag Archive: CFC



A good friend of mine today showed me that you can teach an old dog new tricks. When you have been in the game a while, you would like to think that you know just about all there is to know about a programming language. Then someone comes along and shows you something that is amazing. How did I not know this? There are two things you can do: 1) deflect and act like you knew it all along, or 2) accept the fact that someone out there might have a good idea that is useful and admit you don’t know everything. Well, I digress. The point of this was to teach all of you that no matter how long you have been in the game, be open to learning something from someone; it is OK. Trust me, they won’t think you are an idiot for not knowing; they may think better of you for admitting you don’t know everything.

So, on to the point. What I learned today was that using CFHTTP, which is the equivalent of opening your browser and going to a URL, you can invoke a CFC method as long as access="remote" is set in your cffunction.

EX:


<cfhttp url="http://192.168.0.0/test/test.cfc?wsdl" method="post">
   <cfhttpparam name="method" value="methodname" type="formfield">
   <cfhttpparam name="methodarg" value="#arg1#" type="formfield">
</cfhttp>

I am looking at this example amazed, understanding the potential security implications this can have. Essentially, anyone can open a web browser and pass the method name with its arguments to a CFC in your directory, and the CFC method will execute for an unknown user.

ColdFusion has made it so easy for developers to implement code and make remote calls that it has opened up a can of worms that could lead to serious issues. These days many hackers have the patience to figure out the holes in our systems. It is our job to ensure that they are not the ones that test out and find exploits in our code. This means closing the gaps. Be thorough, not complacent, in making sure that your application from top to bottom is balanced between being secure and yet very easy to use. This proves to be a very valuable lesson. Be very careful with allowing remote access to your CFCs. If you need to allow remote access, make sure you validate your data and authenticate the request before allowing it to be executed.
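As an added example (not code from the original post), here is a CFC with an unprotected remote method next to a version that authenticates, validates and authorizes before doing any work. The component, method, argument and session key names are assumptions, as is the sample data, and it assumes session management is enabled in Application.cfc with the login code setting session.userName.

```cfml
<!--- Orders.cfc: added example, not code from the original post.
      Assumptions: session management is enabled in Application.cfc and the
      login code sets session.userName; all names and data are constructed. --->
<cfcomponent output="false">

    <!--- Weak: any client that can reach Orders.cfc can call this by method name --->
    <cffunction name="getOrderOpen" access="remote" returntype="struct" returnformat="json" output="false">
        <cfargument name="orderId" required="true">
        <cfreturn findOrder(arguments.orderId)>
    </cffunction>

    <!--- Hardened: authenticate, validate, then authorize before any work --->
    <cffunction name="getOrder" access="remote" returntype="struct" returnformat="json" output="false">
        <cfargument name="orderId" type="string" required="true">
        <cfset var order = "">

        <!--- 1. Authenticate: refuse callers without a logged-in session --->
        <cfif NOT structKeyExists(session, "userName")>
            <cfheader statuscode="401">
            <cfabort>
        </cfif>

        <!--- 2. Validate: accept only 1 to 9 digits, reject everything else --->
        <cfif reFind("^[0-9]{1,9}$", arguments.orderId) EQ 0>
            <cfheader statuscode="400">
            <cfabort>
        </cfif>

        <!--- 3. Authorize: the order must exist and belong to the caller --->
        <cfset order = findOrder(arguments.orderId)>
        <cfif structIsEmpty(order) OR order.owner NEQ session.userName>
            <cfheader statuscode="404">
            <cfabort>
        </cfif>
        <cfreturn order>
    </cffunction>

    <!--- access="private" helpers cannot be invoked through the URL at all --->
    <cffunction name="findOrder" access="private" returntype="struct" output="false">
        <cfargument name="orderId" type="string" required="true">
        <!--- Constructed sample data standing in for a database lookup --->
        <cfset var orders = structNew()>
        <cfset orders["1001"] = {owner = "alice", total = 42.50}>
        <cfif structKeyExists(orders, arguments.orderId)>
            <cfreturn orders[arguments.orderId]>
        </cfif>
        <cfreturn structNew()>
    </cffunction>
</cfcomponent>
```

Only the methods that genuinely need to be called from outside should carry access="remote"; everything else can stay private or public so it is reachable only from your own code.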

I would like to open up the lines and ask for comments on this. Let me know your experiences with this.


Many people like to use CFInvoke to connect to their object and pass arguments in. However, sometimes I believe in the theory that less is more. Since ColdFusion is now built on a Java platform, it has progressively inherited a lot of Java's coding conventions. With this have come things like using ! instead of NOT, or, if you are incrementing a variable on every iteration of a loop, using something like <cfset x++> instead of <cfset x = x + 1>. I think these can be cleaner ways and sometimes faster. I digress….

One way that I love to create an object in ColdFusion is the following:


<cfset variable = createObject('component','NameOfCFC')>

<cfset newvariable = variable.methodiamcalling(argument1=123, argument2=345, argument3=678)>

So now when you reference ‘newVariable’, it will be the information that is returned by the method that was called.

So, if what I am writing is helpful, drop me a line or comment. I would love to hear from you.
