ColdFusion Security

1
ColdFusion Security

• Michael Smith
• President
• TeraTech, Inc
• ColdFusion, Database VB custom development
• http//www.teratech.com
• 800-447-9120

2
Introduction

• ColdFusion security
• Keeping hackers out
• While still letting users and friendly apps in

3
ColdFusion Security

• Here is what we will be covering
• System software
• OS-gt FW -gt WS -gt DB -gt CF
• Page parameter validation
• User Authentication
• Security Resources

4
1.1 System software

• a) Operating System/Webserver
• Delete guest and administrator NT server userids
  (create a user name for administrator)
• Get latest Service Packs
• Patch DATA and 20 source holes
• Use IIS or Website directory security, possibly
  with CFAuth too.
• Clean up the /CGI-BIN directory - dangerous
  sample scripts

5
1.2 System software

• b) Database
• Store database in separate directory from web
  root or PC.
• Move from Access to SQL server better security
  features
• user ids and passwords that are hard to guess
• Delete guest and sa userids
• Only give the read/update/delete rights that you
  need.
• Use stored procedures

6
1.3 System software

• c) Firewall
• Keeps bad IP packets out
• By default keep it out
• Prevents hackers from moving from machine to
  machine
• Only open ports that are required - eg for SQL
  server
• Prevent/Record Denial of Service
• Proxy access to HTTP
• Can get in way of development

7
1.4 System software

• d) ColdFusion
• Remove CFDOC dir from live servers
• Remove Start/Stop page
• Turn off CFDIRECTORY, CFFILE, CFCONTENT, CFOBJECT
• Remove any unused CFX and CF tags
• Use a dedicated server

8
2 Page Validation

• URL and Form parameters used in SQL
• SELECT FROM EMP WHERE ID USERID
• Extra SQL commands
• http//myserver/page.cfm?ID_VAR720DELETE20FROM
  20MyCustomerTable
• VBA functions - shell()
• Use VAL() on parameters or check for and
• Encrypt Variables

9
3.1 Authentication

• Stateless web - any page can call another - this
  is good for open sites
• Hacker pages call your page with false data
• Use CGI. HTTP_REFERER to control who calls you
• Use CGI. CF_TEMPLATE_PATH application.cfm control
  what is run.
• Encrypting code
• NT auth or LDAP

10
3.2 Authentication

• Protected Header code
• In your application.cfm or header.cfm to be
  included in every page.
• ltCFIF cgi.script_name contains "/intranet/"gt
• ltcfif left(CGI.REMOTE_ADDR,10) is not
  "123.456.789"gt
• ltcfif not isdefined("session.authorized")gt
• ltCFLOCATION URLhttp//www.teratech.com/logon.cfm
  gt
• ltcfabortgt
• ltcfelsegt
• ltcfset session.authorized TRUEgt
• lt/cfifgt
• lt/cfifgt
• Your protected links here lt/cfifgt

11
3.3 Error handling

• Never display default CF errors - gives out SQL
  information
• Email error to admin
• Dont explain why attempt failed
• Standard processing time

12
4 Resources

• http//www.allaire.com/developer/securityzone/
• Tools you could use to analyze your NT servers
• http//www.netect.com
• http//www.webtrends.com/wsa
• NTSecurity http//ntsecurity.ntadvice.com/

13
Real Hacks

• This spring several commercial ColdFusion sites
  were hacked or shutdown due to the CFDOCs hole.
• Security is hard because a hacker only needs one
  window to be open to get in while the poor
  webmaster must work on closing dozens of holes.

14
What Security Means

• Security is a way of thinking - how can they get
  in...
• Get patches and read security bulletins - todays
  secure system may be tomorrow's hack!
• More knowledge is power - dont keep security
  secret!

15
Next Steps

• Conduct a security audit
• Download Michael Dinowitzs http//www.houseoffusi
  on.com/ MunchkinLand.cfm to test your site for
  holes
• Remove CFDOCS
• Change database configuration and passwords
• Validate pages
• Authenticate pages