+1

-----Original Message-----
From: Wil Genovese [mailto:jugg...@trunkful.com]
Sent: Wednesday, March 26, 2014 12:56 PM
To: cf-talk
Subject: Re: "The long tail of ColdFusion fail"
I'll weigh in on this for a few reasons. One of the servers in the Krebs article is one that I was called in to fix. I've had to investigate/fix several other breached servers over the past year. All were new-to-us clients that came to us with a breached server. Another reason is that I maintain a large number of ColdFusion servers at CF Webtools. Another is that other hosting companies contact CF Webtools and myself to assist with ColdFusion server issues.

I am not all that concerned about the exploit. All software has bugs. Adobe fixed it pretty quick once it was noticed. Reading David Epler's blog post (http://www.dcepler.net/post.cfm/how-patching-coldfusion-8-0-x-made-you-more-vulnerable-in-some-cases-or-fun-with-cve-2013-0632-from-apsb13-03) may lead you to think that Adobe didn't do proper testing. But that's not the concern here. I know of many properly locked down servers that didn't get hacked even though it was attempted.

The concern here is "Who should be responsible for setting up, maintaining and securing a public facing server?" (http://www.trunkful.com/index.cfm/2014/3/7/Who-Patches-Your-ColdFusion-Servers) The short answer is "A qualified systems administrator" and that should be the end of the discussion. I don't care if you're installing ColdFusion, Railo, PHP, .NET, Ruby, MySQL or any other system. If you are not a systems administrator you should not be working on the server. There are no excuses and the costs of making a mistake are growing very quickly.

Should the ColdFusion installer do all the things in the lockdown guide for me? The answer is mixed. I'd love to see CFIDE split apart so that CFAdmin is standalone from the scripts. How Adobe does it is up to them. Another change I'd like to see during the install is to have the option to pick the user account that ColdFusion will run under. This has been an option for the Linux installer, but not on Windows. (At least not that I can remember.)

The last item I'd like to see is that during the Secure Profile install CFAdmin is locked down to localhost by default, with the option to add an IP address if needed. I think these changes would be a huge step in persuading the sysadmin into properly securing ColdFusion installations. I know these have been mentioned before, and during the ColdFusion 10 beta cycle many new security and installation changes were made. These were deferred. I'd like to see these added this time.

I know some people are going to take issue with requiring systems administrators to install and maintain ColdFusion servers. Too bad. I think it is obvious now that the costs of not having a qualified systems administrator are too high.

Regards,
Wil

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358135
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
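The "CFAdmin locked down to localhost by default, with the option to add an IP address" setting that the message asks the installer to provide can be expressed today in the web server in front of ColdFusion. The following Apache httpd 2.4 fragment is an added example, not code from the original post, from Adobe, or from the ColdFusion lockdown guide; it assumes /CFIDE/administrator is the ColdFusion Administrator path and that the admin workstation address 203.0.113.10 is a constructed placeholder to be replaced with a real one.

```apache
# Weak setting: no access control at all on the administrator path, so the
# ColdFusion Administrator login page is reachable by any client that can
# reach the web server. This is the out-of-the-box state the message objects to.
#
# <Location "/CFIDE/administrator">
#     Require all granted
# </Location>

# Hardened setting: allow only connections from the server itself, plus one
# explicit admin IP. Several Require lines in one section are OR'd together
# (implicit RequireAny), so either source is accepted and everything else
# receives 403. 203.0.113.10 is a placeholder from the TEST-NET-3 range.
<Location "/CFIDE/administrator">
    Require local
    Require ip 203.0.113.10
</Location>

# The administrator API under /CFIDE/adminapi exposes the same management
# functions programmatically, so it gets the same restriction (localhost only
# here, since scheduled or local tooling is the usual legitimate caller).
<Location "/CFIDE/adminapi">
    Require local
</Location>
```

Drop the `Require ip` line to get the localhost-only default the message proposes, and add one `Require ip` line per administrator host rather than widening it to a subnet. After reloading httpd, confirm the rule from a non-listed host: a request for /CFIDE/administrator/ should return 403, while the same request issued on the server itself should still reach the login page.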