
ColdFusion Security


Presentation Transcript


  1. ColdFusion Security
     Michael Smith, President, TeraTech, Inc
     ColdFusion, Database & VB custom development
     http://www.teratech.com 800-447-9120

  2. Introduction
     • ColdFusion security
     • Keeping hackers out
     • While still letting users and friendly apps in

  3. ColdFusion Security
     Here is what we will be covering:
     • System software
     • OS -> FW -> WS -> DB -> CF
     • Page parameter validation
     • User Authentication
     • Security Resources

  4. 1.1 System software
     • a) Operating System/Webserver
     • Delete the guest and administrator NT server userids (give the administrator account a non-default user name)
     • Get the latest Service Packs
     • Patch the ::$DATA and %20 source-code disclosure holes
     • Use IIS or WebSite directory security, possibly with CFAuth too.
     • Clean up the /CGI-BIN directory - it ships with dangerous sample scripts

  5. 1.2 System software
     • b) Database
     • Store the database in a separate directory from the web root, or on a separate PC.
     • Move from Access to SQL Server - better security features
     • Use user ids and passwords that are hard to guess
     • Delete the guest and sa userids
     • Only grant the read/update/delete rights that you need.
     • Use stored procedures

  6. 1.3 System software
     • c) Firewall
     • Keeps bad IP packets out
     • Deny by default - keep everything out unless it is explicitly allowed
     • Prevents hackers from moving from machine to machine
     • Only open the ports that are required - e.g. for SQL Server
     • Prevent/Record Denial of Service
     • Proxy access to HTTP
     • Can get in the way of development

  7. 1.4 System software
     • d) ColdFusion
     • Remove the CFDOCS directory from live servers
     • Remove the Start/Stop page
     • Turn off CFDIRECTORY, CFFILE, CFCONTENT, CFOBJECT
     • Remove any unused CFX and CF tags
     • Use a dedicated server

  8. 2: Page Validation
     • URL and Form parameters used in SQL
     • SELECT * FROM EMP WHERE ID = #USERID#
     • Extra SQL commands appended to the parameter: http://myserver/page.cfm?ID_VAR=7%20DELETE%20FROM%20MyCustomerTable
     • The | character in Access SQL - can invoke VBA functions such as shell()
     • Use VAL() on parameters, or check for ' and |
     • Encrypt variables
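The ID parameter from slide 8, first interpolated into the query and then validated and bound, as an added CFML example that is not from the presentation; the datasource name `myDSN`, the query names, the `security` log file and the `URL.ID` parameter are assumptions:

```cfml
<!--- Vulnerable: the raw URL parameter is pasted into the SQL text, so a value
      such as "7 DELETE FROM MyCustomerTable" reaches the database as SQL and
      runs as a second statement if the driver allows batched statements. --->
<cfquery name="getEmpUnsafe" datasource="myDSN">
    SELECT * FROM EMP WHERE ID = #URL.ID#
</cfquery>

<!--- Hardened, step 1: reject anything that is not a whole number before it
      reaches the database. VAL() alone would turn "7 DELETE ..." into 7, but an
      explicit check lets you log the attempt (a detection point) and stop. --->
<cfparam name="URL.ID" default="">
<cfif not isNumeric(URL.ID) or val(URL.ID) neq int(val(URL.ID))>
    <cflog file="security" type="warning"
           text="Rejected non-numeric ID from #CGI.REMOTE_ADDR#: #URL.ID#">
    <cfabort>
</cfif>

<!--- Hardened, step 2: pass the value as a typed bind parameter, so the
      database never interprets it as SQL text at all. --->
<cfquery name="getEmp" datasource="myDSN">
    SELECT * FROM EMP
    WHERE ID = <cfqueryparam value="#val(URL.ID)#" cfsqltype="cf_sql_integer">
</cfquery>
```

`cfqueryparam` also covers string parameters (with `cf_sql_varchar`), where VAL() does not apply and a check for ' alone is easy to get wrong.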

  9. 3.1: Authentication
     • Stateless web - any page can call any other page - this is good for open sites
     • Hacker pages can call your page with false data
     • Use CGI.HTTP_REFERER to control who calls you
     • Use CGI.CF_TEMPLATE_PATH in application.cfm to control what is run.
     • Encrypting code
     • NT auth or LDAP

  10. 3.2: Authentication
      • Protected Header code
      In your application.cfm or header.cfm, to be included in every page:

          <!--- Only protect pages under /intranet/ --->
          <CFIF cgi.script_name contains "/intranet/">
              <!--- Skip the logon check for the trusted internal address range.
                    The example prefix "123.456.789" is 11 characters, so compare 11 characters. --->
              <cfif left(CGI.REMOTE_ADDR, 11) is not "123.456.789">
                  <cfif not isdefined("session.authorized")>
                      <!--- Not logged in: send the user to the logon page and stop --->
                      <CFLOCATION URL="http://www.teratech.com/logon.cfm">
                      <cfabort>
                  <cfelse>
                      <cfset session.authorized = TRUE>
                  </cfif>
              </cfif>
              Your protected links here
          </cfif>

  11. 3.3: Error handling
      • Never display default CF errors - they give out SQL information
      • Email the error to the admin
      • Don't explain why the attempt failed
      • Standard processing time - respond in the same time whether the attempt succeeds or fails

  12. 4: Resources
      • http://www.allaire.com/developer/securityzone/
      • Tools you could use to analyze your NT servers:
      • http://www.netect.com
      • http://www.webtrends.com/wsa
      • NTSecurity http://ntsecurity.ntadvice.com/

  13. Real Hacks
      • This spring several commercial ColdFusion sites were hacked or shut down due to the CFDOCS hole.
      • Security is hard because a hacker only needs one window to be open to get in, while the poor webmaster must work on closing dozens of holes.

  14. What Security Means
      • Security is a way of thinking - how can they get in...
      • Get patches and read security bulletins - today's secure system may be tomorrow's hack!
      • More knowledge is power - don't keep security secret!

  15. Next Steps
      • Conduct a security audit
      • Download Michael Dinowitz's MunchkinLand.cfm (http://www.houseoffusion.com/) to test your site for holes
      • Remove CFDOCS
      • Change database configuration and passwords
      • Validate pages
      • Authenticate pages
