/me takes off 'official' macromedia hat

Some quotes:

" The so-called 'dmz' is a farm of unix boxes/firewalls/security
tools/etc."

"Although temporary use of Macromedia ColdFusion has been approved for
existing systems within the DMZ, it has been proven to be a less secure
environment under the company's protocol certification process.

Beginning immediately, all new application development will require the
use of certified software such as BroadVision. Pre-existing applications
developed using ColdFusion will also require migration to certified
development software by September 30, 2002."


        Now, logically, one can assume that what they mean by 'certified' is
that the company itself has a certification 'standard' that they utilize to
validate programs for the DMZ. This is technically not surprising, as many
companies (macromedia included) will refuse to run software inside of the
DMZ unless it meets a certain standard of security. 

        The problem we have here is actually quite common. It could very
well be a total misunderstanding of the way the actual programs function,
or it could very well be that someone is on another company's payroll, who
knows. But before anyone jumps to conclusions, look at it this way:

The only way to solve this problem is by proper education.

(A common thing coming from me, the Linux 'fiend' at Allaire/Macromedia)

        Therefore, what one would need to do, is to actually track down both
the decision making managers and the committee/people involved in this
decision, and to ask them how they came about their criteria.

        I almost guarantee you they will pull some of ColdFusion's darker
moments out of the bag, including old exploits and news articles concerning
those same old exploits (having served as the ColdFusion security guy for a
little while, I know about these first hand)...

They might point you to things like:

http://www.allaire.com/handlers/index.cfm?ID=14557&Method=Full

or,

http://www.allaire.com/handlers/index.cfm?ID=21566&Method=Full


Or, further in the past, but still commonly waved about:

http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full
http://www.allaire.com/handlers/index.cfm?ID=10969&Method=Full


Better yet, a lot of people I talk to say "My friend/coworker/consultant
said that ColdFusion was insecure." If you ask that person how they came
about that information, commonly they will refer to things they saw in the
past on other mailing lists and news sites regarding sample applications,
decrypted code, etc.

The best way to handle situations like this is to refer people questioning
the viability of programs like ColdFusion server to
http://www.allaire.com/security

Yes, they will point out the fact that there are a lot of
'vulnerabilities/notifications' there, but to be honest, when I was the
security guy, I liked to think that we tried to give as much information to
you, the end-user as possible. 

Although full disclosure is not always viable (please don't flame me! =]) I
like to think we stick as close as we can to it. We don't hide things.

But, back on what I was going to say.

A lot of times, I think what happens in many situations like this is that the
"ColdFusion is insecure" claim comes from both FUD and a general misunderstanding
of the way the application server actually functions. Here are some pointers:

FUD 1: users can access the CFIDE directory and 0wnz0r my box!

Answer: Yes, because you didn't read: "Security Best Practice: Securing the
ColdFusion Administrator" (
http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full ) where it
says: "Removing the /CFIDE/Administrator directory from the web server when
the ColdFusion Administrator is not in use. "

On Linux: mv /var/www/html/CFIDE /opt/coldfusion/

        This will disable the CFADMIN until such time as it is needed.

FUD 2: But ColdFusion is inherently insecure!

Answer: Huh? An application server which doesn't open a single port (RDS is
optional, remember?) and sits there handing requests back and forth
internally, rather than over TCP/IP... Oh! You probably mean the fact that
the language is insecure? I think not. Remember, a program is only as good
as its coder. Not to mention, yes, there have been language security
issues. But many of them actually involved the actual usage of a given tag
or function in a non-standard or unsafe way.

        Questions? Email [EMAIL PROTECTED] , read
http://www.allaire.com/security

To say ColdFusion is inherently insecure is to literally say that every
single other scripting language and app server on the market today
(including server side java) is inherently flawed. Even PHP, Perl, C#, among
others.

FUD 3: I saw it on the news...

Answer: It's already been addressed. The biggest problem we face as a vendor
is information dissemination. Yes, we have security holes, we don't hide
that. People can crack/hack/0wnz0r anything if they put their minds to it.
However, we can only do so much. Look at the defacement archives around the
net. Some of them say "h4h4h4h4 - 1 owned j00r coldfusion" then, when you
look at it, the people running that box had *never* run a single security
patch on their system. They got done in by some ancient, and VERY patched
example application exploit, or they left the CFADMIN open.

We try to send out notifications to users regarding exploits and security
issues, but we cannot reach everyone (unless you want us to program in a
little backdoor that'll silently and automatically fix everything...
/joke!!!!). Reaching every single one of our users is a technical
implausibility.

Look at Microsoft, the number 1 software vendor in the world, look at what
they suffer from, they send out a patch for IIS. The patch sits there for
over 2 years!!! Then, some worm comes along, and decides to exploit a 2 year
old bug. Come to find out, a good 10% of servers still haven't been patched.
Typically, blame falls on the vendor. This is not the way things should be,
but the way things are nonetheless.

(For full disclosure: I am a Linux/Apache fiend. The above statement was
hard to actually force my hands to type, but it's true.)

FUD 4: Because coldfusion on Linux doesn't support advanced security, it's
insecure...

Answer: Uhm... How's that? Move CFIDE. Voila, as long as you're not in a
heavily shared environment, you should be fine (people in hosting
environments need to take extra steps, but you get the idea.)


... Well, I'll stop talking now, and climb down off my soapbox. In closing
however, I'll admit, Allaire (now Macromedia) has stumbled along the way.
We've made our mistakes. We've tried to correct these mistakes in a quick
and easy (and semi-painless) manner.

Government agencies, banks, schools, hosting servers, e-commerce... These
are some of the places ColdFusion can be found. 

I think if we work for them, we'll work for you.

-Jesse

P.S: Sorry for the long-windedness of the email.

/me puts back on the macromedia hat

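One way to script the "remove /CFIDE/Administrator when it is not in use" practice from FUD 1 and FUD 4, as an added example that is not code from the original post or from Allaire/Macromedia. The /var/www/html and /opt/coldfusion paths are assumptions taken from the mv one-liner above, and the function names are invented for this example; it moves only the Administrator subdirectory, as the quoted Allaire best-practice note words it, so the rest of CFIDE stays served.

```shell
#!/bin/sh
# Added example, not code from the original post or from Allaire/Macromedia:
# stash the ColdFusion Administrator outside the web root while it is not in
# use, and put it back only for the duration of an admin session.
# Assumed layout (ColdFusion on Linux): web root /var/www/html, stash
# directory /opt/coldfusion; both are passed as arguments below.

# cfadmin_exposed DOCROOT
# Exit 0 when DOCROOT/CFIDE/Administrator exists, i.e. the Administrator is
# currently reachable through the web server; exit 1 otherwise.
cfadmin_exposed() {
    [ -d "$1/CFIDE/Administrator" ]
}

# cfadmin_disable DOCROOT STASH
# Move the Administrator out of the web root into STASH so the web server
# cannot serve it. The rest of CFIDE (scripts, images) stays in place.
cfadmin_disable() {
    docroot=$1 stash=$2
    if [ ! -d "$docroot/CFIDE/Administrator" ]; then
        echo "Administrator already absent from $docroot" && return 0
    fi
    mkdir -p "$stash" || return 1
    mv "$docroot/CFIDE/Administrator" "$stash/Administrator" || return 1
    echo "Administrator moved to $stash; web server no longer serves it"
}

# cfadmin_enable DOCROOT STASH
# Put the Administrator back for an admin session; disable it again afterwards.
cfadmin_enable() {
    docroot=$1 stash=$2
    if [ ! -d "$stash/Administrator" ]; then
        echo "no stashed Administrator in $stash" >&2 && return 1
    fi
    mkdir -p "$docroot/CFIDE" || return 1
    mv "$stash/Administrator" "$docroot/CFIDE/Administrator"
}

# Demo on a constructed scratch layout so it runs without a real install.
demo=$(mktemp -d)
mkdir -p "$demo/html/CFIDE/Administrator"
cfadmin_exposed "$demo/html" && echo "before: Administrator exposed"
cfadmin_disable "$demo/html" "$demo/stash"
cfadmin_exposed "$demo/html" || echo "after: Administrator not exposed"
rm -rf "$demo"
```

On a real host, run cfadmin_disable /var/www/html /opt/coldfusion after setup and cfadmin_enable only while you actually need the Administrator.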
-----Original Message-----
From: Michael Vinson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 23, 2001 11:04 PM
To: CF-Talk
Subject: once upon a time...


... a large hypothetical company in a hypothetical land on an imaginary
planet issued the following memo...

[begin hypothetical quote]
What is a Control Environment and DMZ?
Many of you have received a number of internal memos on the importance
of a "control environment." This environment encompasses all elements of
controlling business processes to assure integrity of our information
and protection of our financial, physical and intellectual assets.

In an effort to alleviate the potential risk of breaches to our network
from the Internet, an enhanced Demilitarized Zone (DMZ) is being
developed as part of our control environment. The DMZ enables a company
to offer secured services for a public Internet presence without
compromising its internal network, data, servers and systems. One
component of a DMZ involves the use of firewalls that allow specific
communications protocols to pass through its ports.

As part of our DMZ control environment, all protocols utilized by
specific application software will be tested and certified.

How does Macromedia ColdFusion impact me?
Macromedia ColdFusion is a web application server and programming
framework that allows developers to create dynamic web-based
applications with database connectivity.

Although temporary use of Macromedia ColdFusion has been approved for
existing systems within the DMZ, it has been proven to be a less secure
environment under the company's protocol certification process.

Beginning immediately, all new application development will require the
use of certified software such as BroadVision. Pre-existing applications
developed using ColdFusion will also require migration to certified
development software by September 30, 2002.
[end quote]

... a couple of comments/questions/thoughts for the list...
· Is this double-speak? Are they saying no CF for public consumption
(internet) or no CF at all?
· The so-called 'dmz' is a farm of unix boxes/firewalls/security
tools/etc.
· It strikes me that many people on this list are building "business"
applications for "large" organizations... What kind of management edicts
are you dealing with, if any?
· Anyone working with BroadVision? Any truth to rumours of BroadVision
closing up shop?

Thanks, Mike

FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists