ColdFusion Security
Michael Smith, President, TeraTech, Inc
ColdFusion, Database & VB custom development
http://www.teratech.com, 800-447-9120
Introduction
- ColdFusion security
- Keeping hackers out
- While still letting users and friendly apps in
ColdFusion Security
Here is what we will be covering:
- System software
  - OS -> FW -> WS -> DB -> CF
- Page parameter validation
- User authentication
- Security resources
1.1 System software
a) Operating System / Webserver
- Delete the guest userid and rename the built-in Administrator account on the NT server (create a differently named user for administration)
- Get the latest Service Packs
- Patch the ::$DATA and %20 source-code disclosure holes
- Use IIS or WebSite directory security, possibly with CFAUTH too
- Clean up the /CGI-BIN directory; the sample scripts are dangerous
1.2 System software
b) Database
- Store the database in a separate directory from the web root, or on a separate machine
- Move from Access to SQL Server for better security features
- Use user ids and passwords that are hard to guess
- Delete the guest userid; sa cannot be deleted in SQL Server, so give it a strong password and never use it from the application
- Grant only the read/update/delete rights each application needs
- Use stored procedures
1.3 System software
c) Firewall
- Keeps bad IP packets out
- Default deny: block everything that is not explicitly allowed
- Prevents hackers from moving from machine to machine
- Open only the ports that are required, e.g. the SQL Server port, and only from the web server
- Prevent and record denial-of-service attempts
- Proxy access to HTTP
- Can get in the way of development
1.4 System software
d) ColdFusion
- Remove the CFDOCS directory from live servers
- Remove the Start/Stop page
- Turn off CFDIRECTORY, CFFILE, CFCONTENT and CFOBJECT in the Administrator unless you need them
- Remove any unused CFX and custom CF tags
- Use a dedicated server
2: Page Validation
- URL and Form parameters used in SQL
  - SELECT * FROM EMP WHERE ID = #USERID#
  - Extra SQL commands appended to the parameter:
    http://myserver/page.cfm?ID_VAR=7%20DELETE%20FROM%20MyCustomerTable
  - | in an Access/Jet query lets the attacker run VBA functions such as shell()
- Use Val() on numeric parameters, or check string parameters for ' and |
- Encrypt variables
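The pattern on the slide, as an added example that is not the presentation's own code: the injectable query beside two hardened forms. It assumes a hypothetical datasource "hr" with a table EMP whose ID column is an integer and whose LASTNAME column is a varchar, and a request such as page.cfm?ID=7.

```cfml
<!--- Added example; datasource "hr", table EMP and the URL parameters are assumptions. --->
<cfparam name="URL.ID" default="0">
<cfparam name="URL.lastName" default="">

<!--- VULNERABLE: the parameter is spliced into the SQL text. Requesting
      page.cfm?ID=7%20DELETE%20FROM%20EMP sends
      "SELECT * FROM EMP WHERE ID = 7 DELETE FROM EMP" to a driver that
      accepts stacked statements, and the second statement runs. --->
<cfquery name="qEmpBad" datasource="hr">
    SELECT * FROM EMP WHERE ID = #URL.ID#
</cfquery>

<!--- HARDENED (a), the slide's advice: Val() keeps only the leading number,
      so "7 DELETE FROM EMP" becomes 7 and "abc" becomes 0.
      This only works for parameters that are supposed to be numeric. --->
<cfset safeID = Val(URL.ID)>
<cfquery name="qEmpVal" datasource="hr">
    SELECT * FROM EMP WHERE ID = #safeID#
</cfquery>

<!--- HARDENED (b), preferred on CF 4.0 and later: cfqueryparam binds the value
      separately from the SQL text and throws before the query runs if the
      value is not an integer, so it can never become SQL. --->
<cfquery name="qEmpParam" datasource="hr">
    SELECT * FROM EMP
     WHERE ID = <cfqueryparam value="#URL.ID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String parameters: Val() does not apply. Refuse the two characters the
      slide names (' closes a string literal, | invokes Jet/VBA expressions),
      then bind with a typed, length-limited cfqueryparam anyway. --->
<cfif Find("'", URL.lastName) OR Find("|", URL.lastName)>
    <cfabort showerror="Invalid parameter">
</cfif>
<cfquery name="qByName" datasource="hr">
    SELECT * FROM EMP
     WHERE LASTNAME = <cfqueryparam value="#URL.lastName#"
                                    cfsqltype="cf_sql_varchar" maxlength="40">
</cfquery>
```

Val() is a one-line fix for integer keys, but the character check for strings is a blacklist and will miss other dangerous input; binding every parameter with cfqueryparam is the control that does not depend on guessing what the attacker will send.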
3.1: Authentication
- The web is stateless; any page can call any other. This is good for open sites.
- Hacker pages can call your page with false data
- Use CGI.HTTP_REFERER to control who calls you (caveat: the Referer header is sent by the client, is often blank, and is trivially forged, so treat it as a hint rather than as authentication)
- Use CGI.CF_TEMPLATE_PATH in Application.cfm to control what is run
- Encrypting code
- NT authentication or LDAP
3.2: Authentication
- Protected header code: in your Application.cfm or header.cfm, included in every page
- Your protected links here
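One way to write the protected header the slide describes, as an added example and not the presentation's own code: an Application.cfm that runs before every page in the directory and applies the two checks from slide 3.1 plus a server-side session flag. It assumes a hypothetical site host www.example.com, a login page login.cfm that sets Session.loggedIn to true after a successful login, and a page emp.cfm that must be protected.

```cfml
<!--- Added example Application.cfm; host name, page names and Session.loggedIn are assumptions. --->
<cfapplication name="ProtectedSite"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">
<cfparam name="Session.loggedIn" default="false">

<!--- 1. Control what is run (CGI.CF_TEMPLATE_PATH). Only pages on this list may be
      requested directly; header.cfm and other include files are rejected, so they
      cannot be called on their own with false data. --->
<cfset thisFile    = ListLast(CGI.CF_TEMPLATE_PATH, "\/")>
<cfset directPages = "index.cfm,login.cfm,emp.cfm">
<cfset publicPages = "index.cfm,login.cfm">
<cfif NOT ListFindNoCase(directPages, thisFile)>
    <cfabort showerror="Not found">
</cfif>

<!--- 2. Referer check as on the slide. CAVEAT: HTTP_REFERER is set by the client,
      is blank for many browsers and proxies, and any script can forge it, so this
      only deters casual hot-linking. Blank is allowed; a foreign referer is refused. --->
<cfif Len(CGI.HTTP_REFERER) AND NOT FindNoCase("http://www.example.com/", CGI.HTTP_REFERER)>
    <cfabort showerror="Not found">
</cfif>

<!--- 3. The real control: a session flag that lives on the server and can only be
      set by login.cfm. Unauthenticated requests for non-public pages go to login. --->
<cfif NOT Session.loggedIn AND NOT ListFindNoCase(publicPages, thisFile)>
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```

Because Application.cfm is processed for every request in its directory tree, a page that is added later is protected by default; the only way to expose it is to add it to the public list deliberately.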
3.3: Error handling
- Never display default CF errors; they give out SQL, datasource and path information
- Email the error to an admin
- Don't explain why an attempt failed
- Take a standard processing time, so a failed attempt cannot be told from a successful one by timing
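The first two points above, as an added example that is not the presentation's own code: a cferror directive for Application.cfm and the error.cfm template it points to. It assumes a hypothetical admin mailbox admin@example.com and a mail server already configured in the ColdFusion Administrator.

```cfml
<!--- Added example; the mailbox and sender address are assumptions. --->

<!--- In Application.cfm: route every exception to our template instead of the
      default CF error page, which prints the failing SQL, datasource and template path. --->
<cferror type="exception" exception="any" template="error.cfm" mailto="admin@example.com">

<!--- error.cfm: ColdFusion fills the Error scope before running this template.
      Send the detail to the admin; show the user nothing that explains the failure. --->
<cfmail to="#Error.MailTo#"
        from="cfserver@example.com"
        subject="CF error on #CGI.SERVER_NAME#">
Time:       #Error.DateTime#
Template:   #Error.Template#
Query str:  #Error.QueryString#
Remote IP:  #Error.RemoteAddress#
Referer:    #Error.HTTPReferer#
Browser:    #Error.Browser#
Message:    #Error.Message#
Detail:     #Error.Detail#
</cfmail>

<!--- Generic text only: no SQL, no table or file names, no "user not found"
      versus "wrong password" distinction. --->
<html>
<body>
<p>Sorry, the page could not be processed. The administrator has been notified.</p>
</body>
</html>
```

A type="exception" handler may use any CFML tag, which is what allows the cfmail above; a type="request" handler cannot, so keep the mail logic in the exception template.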
4: Resources
- http://www.allaire.com/developer/securityzone/
- Tools you could use to analyze your NT servers
  - http://www.netect.com
  - http://www.webtrends.com/wsa
- NTSecurity: http://ntsecurity.ntadvice.com/
Real Hacks
- This spring several commercial ColdFusion sites were hacked or shut down due to the CFDOCS hole.
- Security is hard because a hacker only needs one window open to get in, while the poor webmaster must work on closing dozens of holes.
What Security Means
- Security is a way of thinking: how can they get in?
- Get patches and read security bulletins; today's secure system may be tomorrow's hack!
- Knowledge is power; don't keep security secret!
Next Steps
- Conduct a security audit
  - Download Michael Dinowitz's MunchkinLand.cfm from http://www.houseoffusion.com/ to test your site for holes
  - Remove CFDOCS
- Change database configuration and passwords
- Validate pages
- Authenticate pages