Following, ColdFusion (2016 release) Update 10, the encryption / decryption of url parameters we have used for the past 3 years is no longer workingWe tried rolling back the update on one of our servers and this worked. As update 10 is a Critical update, we cannot roll back our production server farm.Current encryption process which was deployed 2 or 3 years before:Created AES secret key using Coldfusion inbuilt function (generateSecretKey("AES"))Encrypted the entire URL parameters with the AES secret key. (AES encryption)Concatenated secret key and AES encrypted URL.Encrypted the concatenated data again with “CFMX_COMPAT” algorithm using a defined password. (Second level of encryption).Sent this data as URL string to the requested page.On the requested page, we decrypt the data again in the reverse order.Created URL parameters needed for that page from the decrypted data.When we got the issue on Update 10, we investigated whether it was because of “CFMX_COMPAT” algorithm. So we removed the second level of encryption, but the issue was not solved.Also the issue gets cleared when we refresh the page. So it is not related to encryption logic.Could the issues be related to cache limit, or number of URL variables created or something related to URL scope?We have had to remove encryption of urls on a number of pages to meet important business deadlines. This was only possible because the url parameters are of a non sensitive nature and would not present a security issue if tampered with. However we have many other pages where this approach would not be possible as it would allow access to data from other users.Any help in resolving the above would be much appreciated.

Participant

Question

AES url encrypt / decrypt failing after ColdFusion (2016 release) Update 10

Forum|Forum|6 years ago
April 16, 2019
3 replies
1661 views

Following, ColdFusion (2016 release) Update 10, the encryption / decryption of url parameters we have used for the past 3 years is no longer working

We tried rolling back the update on one of our servers and this worked. As update 10 is a Critical update, we cannot roll back our production server farm.

Current encryption process which was deployed 2 or 3 years before:

Created AES secret key using Coldfusion inbuilt function (generateSecretKey("AES"))
Encrypted the entire URL parameters with the AES secret key. (AES encryption)
Concatenated secret key and AES encrypted URL.
Encrypted the concatenated data again with “CFMX_COMPAT” algorithm using a defined password. (Second level of encryption).
Sent this data as URL string to the requested page.
On the requested page, we decrypt the data again in the reverse order.
Created URL parameters needed for that page from the decrypted data.

When we got the issue on Update 10, we investigated whether it was because of “CFMX_COMPAT” algorithm. So we removed the second level of encryption, but the issue was not solved.

Also the issue gets cleared when we refresh the page. So it is not related to encryption logic.

Could the issues be related to cache limit, or number of URL variables created or something related to URL scope?

We have had to remove encryption of urls on a number of pages to meet important business deadlines. This was only possible because the url parameters are of a non sensitive nature and would not present a security issue if tampered with. However we have many other pages where this approach would not be possible as it would allow access to data from other users.

Any help in resolving the above would be much appreciated.

Security

This topic has been closed for replies.

BKBK

Community Expert

Test code:

key: #key#

message: #message#

encryptedMessage: #encryptedMessage#

urlEncodedEncryptedMessage: #urlEncodedEncryptedMessage#

urlDecodedEncryptedMessage: #urlDecodedEncryptedMessage#

decryptedMessage: #decrypt(urlDecodedEncryptedMessage,key)#

</cfoutput>

BKBK

Community Expert

I think there is a flaw in the above algorithm. Namely the assumption that you can always pass encrypted characters, unchanged, through URL.

There is a second point. You're using AES anyway and CFMX_COMPAT is less secure than AES. So I don't understand why you use CFMX_COMPAT at all.

Your algorithm would be more efficient if it used the following steps instead:

Create AES secret key using Coldfusion inbuilt function (generateSecretKey("AES"))
Concatenate message as a string comprising secret key and URL
Encrypt the message with the AES secret key. (AES encryption)
Transform the message into a URL-encoded string using, for example, using urlEncodedEncryptedMessage=urlEncodedFormat(encryptedMessage,"utf-8")
Send this data as URL string to the requested page.
On the requested page, URL-decode then decrypt the data (AES decryption)

B

Bardnet

Inspiring

Hi,

can you share your code that does the encryption and the decryption?

Does the string you finally pass into the url contain "funny" characters that might be destroyed somehow (by wrong/repeated url encoding)?

Following, ColdFusion (2016 release) Update 10, the encryption / decryption of url parameters we have used for the past 3 years is no longer working

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded