Hi Larry,

There have been a LOT of attacks targeting ColdFusion lately; it's time for
us all to step up our security practices. There is a lot you can do to
harden your server installation and your application code beyond what you
have mentioned. Security is one of those things where you can never say,
"OK, everything is secure, I can check that off my list and move on"; it is
a constant, ongoing thing you need to always be working on.

Some things to get started:

1) Follow the CF10 lockdown guide:
https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf

2) If you can remove your need for /CFIDE, this can make lockdown easier
because you can just block it.

3) Another very important thing to check, besides making sure your queries
have been cfqueryparamed, is all your file operations for vulnerabilities.
Here are some tips for file uploads:
http://www.petefreitag.com/item/701.cfm. You should also check any file
operation that uses variables that can be tainted by the requester; for
example, <cfinclude template="static/#url.path#.html"> could be used to
download any file CF has access to (not just html files).

4) Leverage some of the new session functions in CF10, like SessionRotate
(after a successful login) and SessionInvalidate (on logout).

5) Employ redundant layers of security (defense in depth), for example a
web application firewall such as the one my company makes,
http://fuseguard.com/; there are other ones that are not specific to CF as
well.

6) Use security monitoring and scanning tools, such as a PCI scanner and
http://hackmycf.com/ (note HackMyCF is not a PCI scanner; you should still
use a PCI scanner in addition to HackMyCF, which is highly CF specific).

7) I could go on and on, so go and register for cf.Objective(), where you
can hear several presentations on CF security given by David Epler, Phil
Duba, Bilal Soylu, and myself: http://www.cfobjective.com/sessions/. You can
find some of my past presentations here:
http://www.petefreitag.com/tag/security, which also give a lot more detail
than we can get into on this thread.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes
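
As an added example (this is not Pete's code, nor anything from the thread), the following page puts the tainted <cfinclude> from item 3 beside a hardened version, and shows the CF10 sessionRotate()/sessionInvalidate() calls from item 4 in a login/logout flow. Everything in it is assumed for illustration: a "static/" directory holding the allowed pages, the url.page, form.username and form.password names, and a hypothetical isValidLogin() function that does the credential check. It also assumes session management is enabled in Application.cfc, since the session functions do nothing otherwise.

```cfml
<!---
  Added example, not code from the thread.
  Assumptions (not from the thread): static/ holds the allowed pages,
  url.page / form.username / form.password are the request names, and
  isValidLogin() is a hypothetical credential check defined elsewhere.
--->

<!--- VULNERABLE (item 3): url.path is attacker-controlled. A value
      containing "../" walks out of static/, and the ".html" suffix
      does not limit which file gets included. Kept as a comment so
      this page never executes it. --->
<!--- <cfinclude template="static/#url.path#.html"> --->

<!--- HARDENED: never build a path from request data. Map the request
      value onto a fixed allowlist and include only what is on it. --->
<cfset allowedPages = {
    "home"    = "static/home.html",
    "about"   = "static/about.html",
    "contact" = "static/contact.html"
}>
<cfparam name="url.page" default="home" type="string">

<cfif NOT structKeyExists(allowedPages, url.page)>
    <!--- Unknown key: log the source address (not the tainted value,
          which would land raw in the log) and return a plain 404. --->
    <cflog file="security" type="warning"
           text="Rejected page key from #cgi.remote_addr#">
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- LOGOUT (item 4): invalidate the whole session, then redirect. --->
<cfif structKeyExists(url, "logout")>
    <cfset sessionInvalidate()>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- LOGIN (item 4): validate first, then rotate the session ID so an ID
      handed to the victim before authentication (session fixation) is
      not the one that becomes authenticated. --->
<cfif structKeyExists(form, "username") AND structKeyExists(form, "password")>
    <cfif isValidLogin(form.username, form.password)>   <!--- hypothetical --->
        <cfset sessionRotate()>
        <cfset session.user = form.username>
    <cfelse>
        <!--- Generic failure: don't reveal whether the username exists. --->
        <cflog file="security" type="warning"
               text="Failed login from #cgi.remote_addr#">
        <cfset session.loginError = true>
    </cfif>
</cfif>

<!--- Only the allowlisted path ever reaches cfinclude. --->
<cfinclude template="#allowedPages[url.page]#">
```

The allowlist is the whole fix for the include: once the request value is only a lookup key, traversal sequences and unexpected extensions never reach the filesystem call. For operations where the filename genuinely must vary (uploads, downloads), the same idea applies with an extra check that the resolved path still starts with the directory you intended, and Pete's upload post linked above covers that side.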



On Tue, Mar 5, 2013 at 9:03 AM, Stephens, Larry V <steph...@iu.edu> wrote:

>
> Our webserver utilizing CF8 was hacked. We're not sure how (in what
> manner), at least at this point, but I am in the process of moving all CF
> stuff to a new server using CF10.
>
> I am checking all #variables# used in queries to be sure cfqueryparam is
> used. We are moving everything from MS Access to SQL Server.
>
> I am shedding all cfajaximports and using jQuery ajax calls. While I
> don't *think* this is security related, I am also eliminating all cfforms
> (but, see below).
>
> Q1: By eliminating cfajaximport, does the public need access to CFIDE, or
> can I lock that down to my access only? I recall having an issue with
> validation in cfform that had to do with not finding CFIDE (but I'm
> eliminating that issue).
>
> Q2: As far as CF goes, anything we're missing?
>
> Thanks.
>
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354854