ColdFusion Security - PowerPoint PPT Presentation

1
ColdFusion Security
  • Michael Smith
  • President
  • TeraTech, Inc
  • ColdFusion, database and VB custom development
  • http://www.teratech.com
  • 800-447-9120

2
Introduction
  • ColdFusion security
  • Keeping hackers out
  • While still letting users and friendly apps in

3
ColdFusion Security
  • Here is what we will be covering
  • System software
  • OS -> FW -> WS -> DB -> CF
  • Page parameter validation
  • User Authentication
  • Security Resources

4
1.1 System software
  • a) Operating System/Webserver
  • Delete guest and administrator NT server userids
    (create a user name for administrator)
  • Get latest Service Packs
  • Patch the ::$DATA and %20 source-disclosure holes
  • Use IIS or Website directory security, possibly
    with CFAuth too.
  • Clean up the /CGI-BIN directory - dangerous
    sample scripts

5
1.2 System software
  • b) Database
  • Store database in separate directory from web
    root or PC.
  • Move from Access to SQL Server - better security
    features
  • Use user ids and passwords that are hard to guess
  • Delete guest and sa userids
  • Only give the read/update/delete rights that you
    need.
  • Use stored procedures

6
1.3 System software
  • c) Firewall
  • Keeps bad IP packets out
  • Deny by default
  • Prevents hackers from moving from machine to
    machine
  • Only open ports that are required - e.g. for SQL
    Server
  • Prevent/Record Denial of Service
  • Proxy access to HTTP
  • Can get in way of development

7
1.4 System software
  • d) ColdFusion
  • Remove CFDOC dir from live servers
  • Remove Start/Stop page
  • Turn off CFDIRECTORY, CFFILE, CFCONTENT, CFOBJECT
  • Remove any unused CFX and CF tags
  • Use a dedicated server

8
2 Page Validation
  • URL and Form parameters used in SQL
  • SELECT * FROM EMP WHERE ID = #USERID#
  • Extra SQL commands appended to the parameter
  • http://myserver/page.cfm?ID_VAR=7%20DELETE%20FROM
    %20MyCustomerTable
  • VBA functions - e.g. shell() (Access lets SQL call them)
  • Use VAL() on numeric parameters, or check the value
    for SQL characters such as quotes and semicolons
  • Encrypt Variables
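The following is an added example, not code from the slides or from TeraTech: the query on this slide written first in the unsafe interpolated form, then with the VAL() fix this slide recommends, then with a bound parameter, and finally as the stored-procedure call slide 5 recommends. The datasource name "hr", the table EMP and the procedure GetEmployee are assumptions.

```cfml
<!--- Added example (not from the slides). Assumes a datasource "hr",
      a table EMP with an integer ID column, and a stored procedure
      GetEmployee taking one integer parameter. --->

<!--- VULNERABLE: the raw URL value becomes part of the SQL text.
      ?ID=7%20DELETE%20FROM%20MyCustomerTable sends a second statement. --->
<cfquery name="getEmpUnsafe" datasource="hr">
    SELECT * FROM EMP WHERE ID = #URL.ID#
</cfquery>

<!--- FIX 1: VAL() converts the parameter to a number. Anything after the
      leading digits is dropped, so "7 DELETE FROM ..." becomes 7. --->
<cfquery name="getEmpVal" datasource="hr">
    SELECT * FROM EMP WHERE ID = #VAL(URL.ID)#
</cfquery>

<!--- FIX 2: refuse the request when the value is not numeric at all,
      rather than silently coercing it. --->
<cfif NOT IsNumeric(URL.ID)>
    <cfabort showerror="Invalid employee ID">
</cfif>

<!--- FIX 3: cfqueryparam passes the value as a bound parameter with a
      declared type, so the database never parses it as SQL. --->
<cfquery name="getEmpParam" datasource="hr">
    SELECT * FROM EMP
    WHERE ID = <cfqueryparam value="#URL.ID#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<!--- FIX 4 (slide 5): call a stored procedure with typed parameters.
      The account used by the datasource only needs EXECUTE on the
      procedure, not read/update/delete on the table. --->
<cfstoredproc procedure="GetEmployee" datasource="hr">
    <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" value="#URL.ID#">
    <cfprocresult name="getEmpProc">
</cfstoredproc>

<cfoutput query="getEmpProc">#ID#<br></cfoutput>
```

VAL() is the quick fix the slide describes, but it only helps for numeric columns; for string parameters the bound-parameter form (cfqueryparam or cfprocparam) is the one that removes the problem rather than trimming it.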

9
3.1 Authentication
  • Stateless web - any page can call another - this
    is good for open sites
  • Hacker pages call your page with false data
  • Use CGI.HTTP_REFERER to control who calls you
  • Use CGI.CF_TEMPLATE_PATH in application.cfm to
    control what is run.
  • Encrypting code
  • NT auth or LDAP

10
3.2 Authentication
  • Protected Header code
  • In your application.cfm or header.cfm to be
    included in every page.

    <CFIF cgi.script_name contains "/intranet/">
      <!--- "123.456.789" is a placeholder for your internal address prefix --->
      <cfif left(CGI.REMOTE_ADDR,11) is not "123.456.789">
        <cfif not isdefined("session.authorized")>
          <CFLOCATION URL="http://www.teratech.com/logon.cfm">
          <cfabort>
        <cfelse>
          <cfset session.authorized = TRUE>
        </cfif>
      </cfif>
      Your protected links here
    </cfif>

11
3.3 Error handling
  • Never display default CF errors - gives out SQL
    information
  • Email error to admin
  • Don't explain why an attempt failed
  • Standard processing time
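An added example, not from the slides, of the two points above: catch every exception in a custom template, mail the detail to the administrator, and show the user only a generic message. The address admin@example.com and the file name error.cfm are assumptions.

```cfml
<!--- Added example (not from the slides). Two files are shown; the
      administrator address and file name are assumptions. --->

<!--- ===== Application.cfm ===== --->
<!--- Route every exception to error.cfm instead of the default CF error
      page, which echoes the failing SQL and datasource details. --->
<cferror type="exception" exception="any" template="error.cfm">

<!--- ===== error.cfm ===== --->
<!--- A type="exception" template may use full CFML, so it can send mail.
      The detail goes to the admin; the user sees only the generic text. --->
<cfmail to="admin@example.com"
        from="webserver@example.com"
        subject="ColdFusion error on #CGI.SERVER_NAME#">
Template:    #error.template#
Time:        #error.dateTime#
Remote IP:   #error.remoteAddress#
Referer:     #error.HTTPReferer#
Query:       #error.queryString#
Message:     #error.message#
Detail:      #error.detail#
</cfmail>

<!--- Same wording for every failure, so the response does not reveal
      whether the query, the datasource or the logon was the problem. --->
<p>Sorry, an error occurred while processing your request.
   The administrator has been notified.</p>
```

The error.* variables used here (template, dateTime, remoteAddress, HTTPReferer, queryString, message, detail) are the ones ColdFusion populates for a type="exception" handler; a type="request" template cannot run cfmail, which is why the exception type is used for the notification.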

12
4 Resources
  • http://www.allaire.com/developer/securityzone/
  • Tools you could use to analyze your NT servers
  • http://www.netect.com
  • http://www.webtrends.com/wsa
  • NTSecurity http://ntsecurity.ntadvice.com/

13
Real Hacks
  • This spring several commercial ColdFusion sites
    were hacked or shutdown due to the CFDOCs hole.
  • Security is hard because a hacker only needs one
    window to be open to get in while the poor
    webmaster must work on closing dozens of holes.

14
What Security Means
  • Security is a way of thinking - how can they get
    in...
  • Get patches and read security bulletins - today's
    secure system may be tomorrow's hack!
  • More knowledge is power - don't keep security
    secret!

15
Next Steps
  • Conduct a security audit
  • Download Michael Dinowitz's
    http://www.houseoffusion.com/MunchkinLand.cfm to
    test your site for holes
  • Remove CFDOCS
  • Change database configuration and passwords
  • Validate pages
  • Authenticate pages