Rip's Domain

ColdFusion MIMEFile Upload Security Issue Workaround

Posted in ColdFusion by rip747 on June 30, 2009

If you haven’t heard by now, there is a huge security vulnerability in using cffile to upload files. This affects every CF application out there and is being exploited as we speak. There is a ton of information out there about what causes it and how the exploit is performed; however, no one is doing anything about it at the moment to fix it. Needless to say, I wasn’t going to just sit by and wait for someone to fix it, so naturally I came up with a pretty slick solution on my own. Below is a link to download a UDF that you should be able to use as a replacement until this whole thing gets sorted out.

If you have any comments on improvements or suggestions, please leave them below or feel free to edit the gist directly.

http://gist.github.com/138542
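For readers who cannot reach the gist, here is an added example of the same defensive pattern (not the UDF from the gist, and not Adobe's code): the weak point is that the accept attribute of cffile compares against the MIME type the browser sends, which the uploader controls, so this UDF uploads without accept into a temporary directory, validates the extension of the file as it exists on disk against an allowlist, and only then moves it to the real destination. The argument names, the default extension list and the temp-directory handling are assumptions of this example.

```cfml
<cffunction name="safeUpload" returntype="struct" output="false"
    hint="Example UDF: upload to a temp dir, validate the on-disk extension, then move.">
    <cfargument name="fieldName" type="string" required="true">
    <cfargument name="destination" type="string" required="true">
    <cfargument name="allowedExtensions" type="string" required="false"
                default="jpg,jpeg,gif,png">

    <cfset var tmpDir = GetTempDirectory()>
    <cfset var up = "">
    <cfset var ext = "">
    <cfset var tmpPath = "">

    <!--- Deliberately no accept attribute: accept trusts the client-supplied
          Content-Type, so it cannot be used as a security control. The file
          lands in a directory that is not served by the web server. --->
    <cffile action="upload"
            fileField="#arguments.fieldName#"
            destination="#tmpDir#"
            nameConflict="makeunique"
            result="up">

    <!--- Check the extension of the file CF actually wrote, not the name or
          MIME type the client claimed. --->
    <cfset tmpPath = up.serverDirectory & "/" & up.serverFile>
    <cfset ext = up.serverFileExt>

    <cfif NOT ListFindNoCase(arguments.allowedExtensions, ext)>
        <!--- Reject: remove the temp file before anything can reference it. --->
        <cfset FileDelete(tmpPath)>
        <cfthrow type="Upload.InvalidType"
                 message="File extension '#ext#' is not permitted.">
    </cfif>

    <!--- Only a file that passed the allowlist reaches the destination. --->
    <cfset FileMove(tmpPath, arguments.destination & "/" & up.serverFile)>
    <cfreturn up>
</cffunction>

<!--- Usage (assumed form field name and destination path) --->
<cfset result = safeUpload("upfile", ExpandPath("./files"), "jpg,jpeg,gif,png")>
```

The returned struct is the normal cffile result, so callers can keep reading serverFile and friends exactly as they did with a direct cffile upload.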

2 Responses


  1. James said, on July 7, 2009 at 10:30 pm

    Great solution! Thanks for sharing.

  2. Jim said, on April 19, 2010 at 3:03 pm

    Thanks for all your hard work. I have recently started using CFWheels, and I installed your upload plugin for that framework. Everything is working great on my Windows production server, but my development server is on a Mac. For some reason, the path is getting screwed up and, as I am a newbie to CF and Wheels, I can’t find the problem. It’s probably something simple, but here is what is happening. Default file path becomes: Wheels_Site/files/files\myImage. The “files\myImage” is actually the whole file name saved to the files directory. Any suggestions?… Thanks for your help.
