ColdFusion Security Michael Smith President TeraTech, Inc ColdFusion, Database & VB custom development http://www.teratech.com 800-447-9120
Introduction • ColdFusion security • Keeping hackers out • While still letting users and friendly apps in
ColdFusion Security Here is what we will be covering: • System software, layer by layer: operating system -> firewall -> web server -> database -> ColdFusion • Page parameter validation • User authentication • Security resources
1.1 System software • a) Operating system / web server • Disable the Guest account and rename the built-in NT Administrator account (it cannot be deleted, so give it a new name and use a separate admin userid) • Get the latest Service Packs • Patch the IIS ::$DATA and %20 source-disclosure holes (both let a request read a script's source instead of running it) • Use IIS or WebSite directory security, possibly with CFAuth too • Clean up the /CGI-BIN directory - the sample scripts shipped there are dangerous
1.2 System software • b) Database • Store the database outside the web root, ideally on a separate machine, so it can never be downloaded as a file • Move from Access to SQL Server - better security features • Use userids and passwords that are hard to guess • Delete the guest user and lock down sa (SQL Server will not let you drop sa, so give it a strong password and never use it from the application) • Give the application login only the read/update/delete rights it needs • Use stored procedures
1.3 System software • c) Firewall • Keeps bad IP packets out • Default deny: everything is closed unless you open it • Prevents hackers from moving from machine to machine • Only open the ports that are required - e.g. the SQL Server port, and only from the web server • Prevent and record denial-of-service attempts • Proxy access to HTTP • Can get in the way of development
1.4 System software • d) ColdFusion • Remove the CFDOCS directory from live servers • Remove the Start/Stop page • Turn off CFDIRECTORY, CFFILE, CFCONTENT and CFOBJECT in the Administrator unless a page really needs them - they give file-system and COM access to anyone who can run a template • Remove any unused CFX and custom CF tags • Use a dedicated server
2: Page Validation • URL and Form parameters used in SQL • SELECT * FROM EMP WHERE ID = #USERID# • Extra SQL commands: http://myserver/page.cfm?ID_VAR=7%20DELETE%20FROM%20MyCustomerTable makes the query run a second statement • With an Access back end, a |...| expression in the SQL can call VBA functions such as Shell(), so injection becomes command execution • Use VAL() on numeric parameters, or check string parameters for ' and | • Encrypt variables you pass between pages so they cannot be tampered with
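The vulnerable query from the slide beside a hardened version, as an added example (not code from the slides or from TeraTech). The datasource name `hr`, the table and column names and the parameter names are assumptions; `IsNumeric`, `Val`, `Find` and `cfqueryparam` (ColdFusion 4.0 and later) are standard CFML.

```cfml
<!--- VULNERABLE: the URL value is pasted straight into the SQL text.
      page.cfm?ID=7%20DELETE%20FROM%20MyCustomerTable  makes this run
      SELECT * FROM EMP WHERE ID = 7 DELETE FROM MyCustomerTable --->
<cfquery name="getEmp" datasource="hr">
    SELECT * FROM EMP WHERE ID = #URL.ID#
</cfquery>

<!--- HARDENED: validate first, then bind the values. --->
<cfparam name="URL.ID" default="">
<cfparam name="URL.Name" default="">

<!--- Numeric parameter: it must look like a number before it goes anywhere.
      Val() alone would quietly turn "7 DELETE ..." into 7, which blocks the
      injection but hides the attack; an explicit check lets you stop and log it. --->
<cfif NOT IsNumeric(URL.ID)>
    <cfabort showerror="Invalid request">
</cfif>
<cfset safeID = Val(URL.ID)>

<!--- String parameter: the slide's "check for ' and |" rule. A quote ends a
      SQL string literal; a pipe lets an Access/Jet back end evaluate VBA. --->
<cfif Find("'", URL.Name) OR Find("|", URL.Name)>
    <cfabort showerror="Invalid request">
</cfif>

<!--- cfqueryparam sends each value to the driver separately from the SQL
      text, so even a value that slipped past the checks cannot change the query.
      (Assumed column LastName.) --->
<cfquery name="getEmp" datasource="hr">
    SELECT * FROM EMP
    WHERE ID = <cfqueryparam value="#safeID#" cfsqltype="cf_sql_integer">
      AND LastName = <cfqueryparam value="#URL.Name#" cfsqltype="cf_sql_varchar" maxlength="40">
</cfquery>
```

The two checks and the binding are layered on purpose: the checks reject obvious attacks so they can be logged, and cfqueryparam makes the query safe even if a check is forgotten on some other page.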
3.1: Authentication • The web is stateless - any page can call any other page. This is good for open sites • A hacker's page can call your page with false data • CGI.HTTP_REFERER shows which page linked to yours, but it is sent by the browser and can be forged or left out, so treat it as a hint, never as the only check • CGI.CF_TEMPLATE_PATH tells Application.cfm which template is running, so Application.cfm can control what is allowed to run • Encrypt your templates (ColdFusion's cfencrypt utility) so a source-disclosure hole does not hand out your code - this is obfuscation, not real protection • NT authentication or LDAP
3.2: Authentication • Protected header code, placed in your Application.cfm or in a header.cfm that every page includes (Application.cfm needs <cfapplication sessionmanagement="Yes"> for the session variable to exist). A proxy or load balancer in front of the server replaces CGI.REMOTE_ADDR with its own address, so the IP check is only as good as the network in front of ColdFusion.

```cfml
<!--- Placeholder for your internal address range. Compare exactly as many
      characters as the prefix has, so the check cannot silently fail. --->
<cfset internalPrefix = "123.456.789">
<cfif CGI.SCRIPT_NAME contains "/intranet/">
    <cfif Left(CGI.REMOTE_ADDR, Len(internalPrefix)) is not internalPrefix>
        <!--- Outside address: the user must have logged on already --->
        <cfif not IsDefined("session.authorized")>
            <cflocation url="http://www.teratech.com/logon.cfm">
            <cfabort>
        <cfelse>
            <!--- Already logged on: keep the flag set --->
            <cfset session.authorized = TRUE>
        </cfif>
    </cfif>
    Your protected links here
</cfif>
```
3.3: Error handling • Never display the default CF error page - it gives out the SQL, the data source and the template path • Email the error to the admin instead • Don't tell the user why a logon or validation attempt failed • Make failed and successful attempts take the same time, so nothing can be learned from how long the response takes
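An Application.cfm that replaces the default error page with a template that mails the details to the administrator and shows the user only a generic message, as an added example (not code from the slides or from TeraTech). The application name, mail addresses, mail server and template names are assumptions; the ERROR.* variables are the ones ColdFusion supplies to a cferror template, and type="exception" is assumed to need ColdFusion 4.5 or later.

```cfml
<!--- Application.cfm: runs before every template under this directory --->
<cfapplication name="intranet" sessionmanagement="Yes">

<!--- Route every unhandled exception to our own template instead of
      ColdFusion's default page, which prints the SQL and the data source. --->
<cferror type="exception" template="error.cfm">

<!--- error.cfm: everything useful goes to the administrator, nothing to the browser --->
<cfmail to="webmaster@example.com"
        from="coldfusion@example.com"
        server="mail.example.com"
        subject="CF error on #CGI.SERVER_NAME##ERROR.Template#">
Time:        #ERROR.DateTime#
Template:    #ERROR.Template#
Query:       #ERROR.QueryString#
Client IP:   #ERROR.RemoteAddress#
Referer:     #ERROR.HTTPReferer#
Browser:     #ERROR.Browser#
Diagnostics: #ERROR.Diagnostics#
</cfmail>

<!--- The user sees the same bland page whether the cause was a bad parameter,
      a failed logon or a database fault, so the page explains nothing. --->
<html>
<body>
<p>Sorry, we could not process that request. The problem has been reported.</p>
</body>
</html>
```

Keep error.cfm itself simple: if the mail server is down, a cfmail failure inside the error handler would itself raise an error, so on a busy site wrap the cfmail in cftry/cfcatch or log to a file instead.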
4: Resources • http://www.allaire.com/developer/securityzone/ • Tools you could use to analyze your NT servers • http://www.netect.com • http://www.webtrends.com/wsa • NTSecurity http://ntsecurity.ntadvice.com/
Real Hacks • This spring several commercial ColdFusion sites were hacked or shut down because of the CFDOCS hole (the sample applications shipped under /CFDOCS) • Security is hard because a hacker only needs one window to be open to get in, while the poor webmaster must work on closing dozens of holes
What Security Means • Security is a way of thinking - how can they get in... • Get patches and read security bulletins - today’s secure system may be tomorrow's hack! • More knowledge is power - don’t keep security secret!
Next Steps • Conduct a security audit • Download Michael Dinowitz's MunchkinLand.cfm (http://www.houseoffusion.com/) to test your site for holes • Remove CFDOCS • Change database configuration and passwords • Validate pages • Authenticate pages