
Can the Request scope variables be tampered/modified using external proxy tools?

As we already know, the URL and FORM scope variables can be modified using external proxy tools.

For example if someone makes a request like this - http:\\website\index.cfm?a=1&b=2

This way one can add values to URL scope of a .cfm page.

Similarly, is there any way to add/alter a value in the request scope in ColdFusion without it being set in code explicitly?

I am asking this because we have code like this in one of our CFM pages.

<cfset request.uploadFileDir = application.fileDir & "\upload" />
<cffile action="upload" accept="application/pdf" destination="#REQUEST.uploadFileDir#" filefield="brochure" nameconflict="makeunique"/>

The security team is saying that the above code is vulnerable because the REQUEST scope in JAVA can be tampered with/altered by external proxy tools. And since ColdFusion is built on JAVA, ColdFusion's REQUEST can also be tampered with by external proxy tools. Is this a right assumption? Are the JAVA and ColdFusion REQUEST scopes the same?

And finally the main question: is there any way for an external request to the page mentioned in the example above to modify the REQUEST scope or, to be more precise, the REQUEST.uploadFileDir variable?

Pankaj asked Feb 15 '18 19:02


2 Answers

(Promoting this from comments so the references are easier to find.)

What part of a java request do they say can be tampered with? With jsp/servlets, there seem to be 2 parts of the Request scope:

  • Parameters - request.get/setParameter()

    Java's request "Parameters" are more like ColdFusion's URL and FORM scopes, and like you said, those can be modified by the client or external tools. That's probably what they're thinking of when they talk about client tampering.

  • Attributes - request.get/setAttribute()

    "Attributes" are local server variables which can't be modified outside the server. CF's "request" scope is more akin to this. It can only be modified on the server, AFAIK. (Obviously, it can still be manipulated indirectly as Dan said).

If you're curious, run some tests on your DEV server using a .jsp and .cfm script to see how java's "Request" scope differs from ColdFusion's.

TL;DR;

I think they're wrong. ColdFusion's "Request" scope is not the same as Java's.

SOS answered Nov 17 '22 16:11


Transferred from comments with the blessing of the OP.

My opinion is that request scope variables can only be defined and assigned values in the programming code. That means they can't be altered directly. However, if you are assigning a value from the form or url scope, then they can be indirectly altered. In your case, look at how REQUEST.uploadFileDir receives its value.

More info.

The request scope is available to any programming file used in the page request, such as the actual page, included files, and custom tags. Here is an example that can be altered.

request.foo = url.foo;

Here is an example that can't.

if (this is a development ColdFusion environment)
    request.dsn = "development database";
else
    request.dsn = "production database";

There is a time and place for everything. Most of my work does not use the request scope. One application does.

Dan Bracuk answered Nov 17 '22 15:11
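
The distinction both answers draw, applied to the upload code from the question, as an added example that is not part of the original posts: the request-scope value is server-only while it is built from server-side values, and becomes client-influenced once URL or FORM data flows into it. The `url.area` parameter, the `allowedAreas` map and its folder names are hypothetical.

```cfml
<cfscript>
// Added example; url.area, allowedAreas and the folder names are hypothetical.

// 1. As in the question: built only from server-side values. A proxy tool can
//    change URL and FORM fields, but nothing in the HTTP request writes to
//    request.uploadFileDir.
request.uploadFileDir = application.fileDir & "\upload";

// 2. The pattern to look for in code review: client input flows into the
//    request scope, so the variable is now indirectly client-controlled.
//    request.uploadFileDir = application.fileDir & "\" & url.area;

// 3. Only if the client must choose a sub-folder: treat its value as a lookup
//    key into a server-defined map, never as part of the path itself.
allowedAreas = { brochures = "upload\brochures", manuals = "upload\manuals" };
area = structKeyExists(url, "area") ? lCase(url.area) : "brochures";
if (!structKeyExists(allowedAreas, area)) {
    throw(type="InvalidUploadArea", message="Unknown upload area.");
}
request.uploadFileDir = application.fileDir & "\" & allowedAreas[area];
</cfscript>

<cffile action="upload" accept="application/pdf" destination="#request.uploadFileDir#" filefield="brochure" nameconflict="makeunique" />
```

When auditing, trace every assignment to `request.uploadFileDir` (including those in `Application.cfc`, included files and custom tags) back to its inputs; any path that reaches the `url`, `form` or `cgi` scopes is the indirect route described above.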