RE: ColdFusion Security Holes - Best Practices
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

> I heard a challenge from a security consultant that if you are using ColdFusion you do not have a secure server. He maintains that CF is full of things a hacker can access. For example he gave the following example. If you attempt to open a CF website with the following command it will generate an error message that gives you the IP address of the CF server: sitename.org/*.cfm

First off, that is an ignorant statement. That security consultant needs a little edumacation.

> I tried this on a wide variety of sites and found that most CF sites return the error with the IP address. Some, however, appear to trap this error somehow.

With what IP address? Yours?

~|
Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220300
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: ColdFusion Security Holes - Best Practices
Anyone can get the IP address of the server; simply ping the domain name. Now, the security patches on the server and how it is configured will determine if you can do anything else.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 8:54 AM
To: CF-Talk
Subject: ColdFusion Security Holes - Best Practices

> I heard a challenge from a security consultant that if you are using ColdFusion you do not have a secure server. He maintains that CF is full of things a hacker can access. For example he gave the following example. If you attempt to open a CF website with the following command it will generate an error message that gives you the IP address of the CF server: sitename.org/*.cfm
>
> I tried this on a wide variety of sites and found that most CF sites return the error with the IP address. Some, however, appear to trap this error somehow.
>
> What should be done on a CF server to prevent that type of error exposing the IP address of a CF server? This error is occurring prior to the execution of an application.cfm file in the host root directory, so you cannot programmatically trap it.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220301
Re: ColdFusion Security Holes - Best Practices
For what it's worth, I have never had a problem finding the IP address for a server using nslookup on my PC. Not to mention what you can find out using these sites:

http://www.dnsreport.com/
http://www.dnsstuff.com/

You can change how errors are shown by making changes in the debugging section of the CF Admin.

Phil

On 10/7/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> [quoted original message snipped; it appears in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220303
Re: ColdFusion Security Holes - Best Practices
Because the IP address of a server should be hidden

There are always simple methods to find the answering IP for a domain. If there wasn't a way to find the IP address for a given domain name, then DNS wouldn't work. Also, even if you're not trapping the error, the screen shows the REMOTE_ADDRESS, which is the client machine's address, not the server's.

Obviously, Wally is a bit of a moron. I would imagine that he's trying to sound intelligent and scare people away from a specific area of technology about which he has no clue. You run into these people all the time in this business. I always find it highly entertaining to poke fun at them.

--Ferg

Michael T. Tangorre wrote:
> [quoted reply snipped; Michael's message appears in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220304
RE: ColdFusion Security Holes - Best Practices
Randy, actually, the error in question doesn't expose the IP address of the server (internal or external). Instead it exposes the cgi.remote_addr address - the address of the client making the request. Is this the error you are seeing?

---
The filename, directory name, or volume label syntax is incorrect
Please try the following:
Check the ColdFusion documentation to verify that you are using the correct syntax.
Search the Knowledge Base to find a solution to your problem.
Browser          Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
Remote Address   10.0.0.11
Referrer
---

The address info listed there is that of my laptop - not my server.

-Mark

-Original Message-
From: Adkins, Randy [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 8:09 AM
To: CF-Talk
Subject: RE: ColdFusion Security Holes - Best Practices

> [Randy's reply and the quoted original message snipped; both appear in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220305
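Mark's point (the address on the page is the requester's own, not the server's) can be turned into a repeatable check rather than an argument. The script below is an added example written for this page, not code from the thread or from ColdFusion. Given the body of a response to `/*.cfm` and the address the request was sent from, it decides whether ColdFusion's default verbose error page came back at all, extracts the "Remote Address" value, reports whether that value is simply the client's own address, and separately flags any private-range address on the page that is not the client's, which is the only kind of address on such a page that could point at an internal host (the DMZ/internal concern raised later in the thread). The marker phrases are taken from the error Mark quoted; both sample bodies are constructed, not captured, and the second one (a hypothetical connection error naming an internal host) exists only to show what a genuine leak would look like. `probe()` does a live request and is not exercised by the samples.

```python
"""Triage a ColdFusion verbose error page.

Added example for this thread, not ColdFusion code.  Question answered:
does the page leak anything about the *server*, or does it only echo the
requesting client's own address (CGI.REMOTE_ADDR)?  Sample bodies below are
constructed for the example, not captured from a real site.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Phrases from the default ColdFusion error page as quoted in the thread.
# Heuristic markers, not an official fingerprint list.
VERBOSE_MARKERS = (
    "Check the ColdFusion documentation",
    "Search the Knowledge Base",
    "Remote Address",
)

# "Remote Address 10.0.0.11", tolerating whitespace or simple HTML tags
# between the label and the value.
REMOTE_ADDR_RE = re.compile(r"Remote\s+Address\s*(?:</?\w+[^>]*>\s*)*([0-9.]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Triage:
    verbose_error: bool                 # default CF error page detected
    reflected_addr: Optional[str]       # the "Remote Address" value, if any
    reflects_client: bool               # that value is the address we sent from
    other_private_addrs: List[str] = field(default_factory=list)

    @property
    def leaks_server_info(self) -> bool:
        # A verbose page is a hardening finding by itself (debug output off,
        # site-wide error handler on), but only a private address that is
        # *not* ours says anything about the server side.
        return bool(self.other_private_addrs)


def triage_error_page(body: str, client_addr: str) -> Triage:
    """Classify one response body, given the address the request came from."""
    verbose = any(marker in body for marker in VERBOSE_MARKERS)
    match = REMOTE_ADDR_RE.search(body)
    reflected = match.group(1) if match else None

    others = []
    for candidate in set(IPV4_RE.findall(body)):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. "999.1.1.1"
            continue
        if candidate != client_addr and addr.is_private:
            others.append(candidate)

    return Triage(verbose, reflected, reflected == client_addr, sorted(others))


def probe(url_base: str, own_public_addr: str, timeout: float = 10.0) -> Triage:
    """Live check: request /*.cfm and triage whatever comes back.

    own_public_addr must be the address the target sees for you (after NAT);
    otherwise the echoed address will look like a leak.  Not exercised by
    the offline samples.
    """
    import urllib.error
    import urllib.request

    request = urllib.request.Request(
        url_base.rstrip("/") + "/*.cfm",
        headers={"User-Agent": "cf-error-triage/0.1"},
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            body = response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # error pages usually arrive as 4xx/5xx
        body = err.read().decode("utf-8", "replace")
    return triage_error_page(body, own_public_addr)


# Constructed sample modelled on the error Mark quoted: client laptop at
# 10.0.0.11 requesting /*.cfm.  Not a real capture.
SAMPLE_ECHO_ONLY = """\
<h1>Error Occurred While Processing Request</h1>
The filename, directory name, or volume label syntax is incorrect
Please try the following:
Check the ColdFusion documentation to verify that you are using the correct syntax.
Search the Knowledge Base to find a solution to your problem.
Browser   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Remote Address   10.0.0.11
Referrer
"""

# Constructed, hypothetical "worse" page: the same template plus a connection
# error naming an internal host.  That is what the check should flag; nothing
# in the thread shows a real site doing this.
SAMPLE_INTERNAL_LEAK = SAMPLE_ECHO_ONLY + "Connection refused: 192.168.5.20:1433\n"


if __name__ == "__main__":
    for name, body in (("echo-only", SAMPLE_ECHO_ONLY), ("internal-leak", SAMPLE_INTERNAL_LEAK)):
        t = triage_error_page(body, "10.0.0.11")
        print(f"{name}: verbose={t.verbose_error} reflected={t.reflected_addr} "
              f"reflects_client={t.reflects_client} other_private={t.other_private_addrs} "
              f"leaks_server_info={t.leaks_server_info}")
```

Run it against the samples first, then point `probe()` at your own site from a host whose public address you know. A result with `verbose_error` true and `reflects_client` true is the situation the original poster saw: a hardening item (the page should not be shown at all), but no server address was disclosed. Anything in `other_private_addrs` deserves a look at the full page body, because that is the kind of detail Mark and John Paul later describe as useful to someone already inside the DMZ.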
CORRECTION: (sorry Wally) Re: ColdFusion Security Holes - Best Practices
Sorry, I thought Wally was the name of the security consultant, here -- not the OP. My sincere apologies to Wally; it seems I'm the moron who can't read a full post!!! So correct my message to read that Wally's security consultant is a bit of a moron.

--Ferg

> [quoted original message snipped; it appears in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220307
RE: ColdFusion Security Holes - Best Practices
And to poke big gaping holes in their stories. That's my favorite part.

!//--
andy matthews
web developer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-

-Original Message-
From: Ken Ferguson [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 8:22 AM
To: CF-Talk
Subject: Re: ColdFusion Security Holes - Best Practices

> [Ken's reply snipped; it appears in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220308
Re: ColdFusion Security Holes - Best Practices
First of all, IP addresses are, by nature, public information. That's like saying your house is less secure because a burglar can find your address in the yellow pages.

Secondly, this security _expert_ is no expert. Any expert wouldn't make such blanket statements like CF is less secure. In fact, in comparison .NET is a lot less secure than CF due to its deep ties with the operating system.

Finally, any server is as secure as you make it. Just as any application is as secure as you code it. Simply using a site-wide error handler would prevent the prior example from displaying the internal error message.

-Adam

On 10/7/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> [quoted original message snipped; it appears in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220309
RE: ColdFusion Security Holes - Best Practices
Phil,

From a security standpoint there is the address of the server via DNS (easily obtained) and then there is the address of the server as it exists on the internal network or DMZ of the host. Depending on the network setup this may be quite different and in certain instances can be valuable to a malicious programmer.

-Mark

-Original Message-
From: Phill B [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 8:15 AM
To: CF-Talk
Subject: Re: ColdFusion Security Holes - Best Practices

> For what it's worth, I have never had a problem finding the IP address for a server using nslookup on my PC. Not to mention what you can find out using these sites. http://www.dnsreport.com/ http://www.dnsstuff.com/ You can change how errors are shown by making changes in the debugging section of the CF Admin. Phil
>
> [quoted original message snipped; it appears in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220310
RE: ColdFusion Security Holes - Best Practices
Hmmm, well. That type of error can happen in a lot of languages. The thing is that it is not an issue for CF to trap. Instead you would configure your web server to trap the error. If you refer to various CF books that talk about errors, what you would want to do is create a custom handler for bad requests. I believe most web servers can do this. Check the documentation of your web server. IIS has a very easy to use handler. Again, this is not really a CF issue.

Secondly, the information is not all that useful. There are lots of ways to get an IP address, and just because you have it does not mean you have some easy way to access. Heck, I could give you my internal IPs right now and that wouldn't make it any easier for you to break into my system.

I think the security consultant is oversimplifying things or perhaps needs more real world experience, don't know. But don't let his comment dissuade you. The issue he mentioned is easy to deal with. Hey, if Ben Forta's site falls for this error and he is not worried, that should tell you something.

Good Luck
Kevin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 8:54 AM
To: CF-Talk
Subject: ColdFusion Security Holes - Best Practices

> [quoted original message snipped; it appears in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220313
RE: ColdFusion Security Holes - Best Practices
From: Mark A Kruger [mailto:[EMAIL PROTECTED]
> From a security standpoint there is the address of the server via DNS (easily obtained) and then there is the address of the server as it exists on the internal network or DMZ of the host. Depending on the network setup this may be quite different and in certain instances can be valuable to a malicious programmer.

And there are always the people who have CF on a separate server from the web server.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220314
Re: ColdFusion Security Holes - Best Practices
On 10/7/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I heard a challenge from a security consultant that if you are using ColdFusion you do not have a secure server. He maintains that CF is full of things a hacker can access. For example he gave the following example. If you attempt to open a CF website with the following command it will generate an error message that gives you the IP address of the CF server: sitename.org/*.cfm
>
> I tried this on a wide variety of sites and found that most CF sites return the error with the IP address. Some, however, appear to trap this error somehow.

On Apache 2 (Win or *nix) with MX7 it does not return an IP. On IIS4 (WinNT4.5) with CF4.5 it does not return an IP. I'm guessing you're looking at sites that either
a) have debugging turned on
b) don't have (site-wide/missing template) error handlers
c) both of the above

> What should be done on a CF server to prevent that type of error exposing the IP address of a CF server?

Umm, you and your security consultant both realize that if it's a publicly accessible ColdFusion server (e.g. a box running a web server and CF that allows HTTP traffic to it) that its IP address is *always* exposed. You know, through DNS -- the thing that makes the Internet work.

> This error is occurring prior to the execution of an application.cfm file in the host root directory, so you cannot programmatically trap it.

Sure you can. You've got a whole layer of application you can work with -- the web server. Especially on Apache (which I know far better) you can control the behavior of error pages with fine-grained control to look like whatever you want. You can filter using mod_rewrite or equiv. You can use one of the security adaptors for Apache. There are tons of possibilities. Plus on CFMX you have the capability of using servlet filters to preprocess (or postprocess) requests to filter/change/modify anything you want.

Good security consultants do not make absolute claims like the one your security consultant did. ColdFusion can be hacked like any other application -- but outside of things like cross-site scripting and SQL injection, you're not likely to have your *server* compromised by CF problems (now your *application* can be hacked, but that's different). Web server cracks let folks take over your server -- and then launch further attacks on the rest of your network. There are some scenarios that let CFMX cause real problems (e.g. arbitrary file upload) but those are security vulnerabilities from programming errors and are possible in most languages, not just CF.

You may wish to take a look at http://www.owasp.org, the Open Web Application Security Project, which has a lot of resources for securing your web applications.

--
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220315
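Kevin's "custom handler for bad requests" at the web server and John Paul's mod_rewrite suggestion, as one concrete Apache 2 fragment. This is an added example, not configuration from the thread or from Macromedia/Adobe; the vhost name, document root and the /errors/ pages are placeholders, and mod_rewrite is assumed to be loaded.

```apache
# Added example for this thread, not configuration taken from it.
# Apache 2 (syntax accepted by 2.2 and 2.4).  Placeholders: sitename.org,
# /var/www/sitename, /errors/*.html.

# Server-config context (outside any <VirtualHost>): advertise only "Apache".
ServerTokens Prod

<VirtualHost *:80>
    ServerName sitename.org
    DocumentRoot /var/www/sitename

    # No "Apache/x.y.z Server at host Port 80" footer on generated error pages.
    ServerSignature Off

    # A legitimate template path never contains these characters.  Refuse the
    # request here, before the ColdFusion connector ever sees /*.cfm.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} [*|<>]
    RewriteRule .* - [F,L]

    # Static pages for the errors Apache itself raises (the 403 above, a 404
    # for a missing file).  Plain HTML, not .cfm, so they cannot in turn
    # trigger a verbose ColdFusion page.
    ErrorDocument 403 /errors/403.html
    ErrorDocument 404 /errors/404.html
    ErrorDocument 500 /errors/500.html
</VirtualHost>
```

Two caveats a practitioner should keep in mind. ErrorDocument substitutes pages only for error responses Apache generates itself; a body that the ColdFusion connector has already streamed back is passed through as-is, so for `/*.cfm` it is the RewriteRule, not the ErrorDocument line, that keeps the verbose page from appearing. For errors raised inside ColdFusion on otherwise valid paths, the fix remains what Phil and Adam describe: debug output off in the Administrator and a site-wide error handler configured there, since (as the original poster notes) Application.cfm never runs for this request. Verify with `curl -i 'http://sitename.org/*.cfm'` and confirm the response is your static 403, with no "Remote Address" line in it.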
Re: ColdFusion Security Holes - Best Practices
On 10/7/05, Mark A Kruger [EMAIL PROTECTED] wrote:
> Phil, From a security standpoint there is the address of the server via DNS (easily obtained) and then there is the address of the server as it exists on the internal network or DMZ of the host. Depending on the network setup this may be quite different and in certain instances can be valuable to a malicious programmer. -Mark

While this is true, making use of that IP address typically requires a more serious compromise so you can actually DO something to the internal/DMZ address. It *does* mean they can skip a scan step (which may be detected) against the internal network (say scanning 192.168.* or 10.* to find hosts) and begin cracking against the CF server (likely by attacking the web server if it's there, or the OS directly). But it also means they are ALREADY in your DMZ (or internal network) if they can do anything with the information.

And I'll concur -- the security guy is an idiot. (Oh, no, here I go again with calling people security idiots)

--
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220317
RE: ColdFusion Security Holes - Best Practices
I am not the one seeing the error. I was just commenting that you could find out the IP address of the server using the domain name and the ping command. I know you would see the CGI.REMOTE_ADDR. That is part of the CGI variables. Wally was the one looking for the resolution.

-Original Message-
From: Mark A Kruger [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:17 AM
To: CF-Talk
Subject: RE: ColdFusion Security Holes - Best Practices

> [Mark's reply, Randy's earlier reply and the quoted original message snipped; all appear in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220318
RE: ColdFusion Security Holes - Best Practices
But the server using the domain name may not be the server which has the site on it.

-Original Message-
From: Adkins, Randy [mailto:[EMAIL PROTECTED]
Sent: 07 October 2005 14:40
To: CF-Talk
Subject: RE: ColdFusion Security Holes - Best Practices

> [Randy's reply and the earlier messages it quotes snipped; all appear in full above]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220320
Re: ColdFusion Security Holes - Best Practices
I know. His security expert obviously doesn't. Wally should know that there is plenty of his server information available via web sites and utilities. He will then be more informed and can deal with these security experts in the future.

On 10/7/05, Mark A Kruger [EMAIL PROTECTED] wrote:
> Phil,
>
> From a security standpoint there is the address of the server via DNS (easily obtained) and then there is the address of the server as it exists on the internal network or DMZ of the host. Depending on the network setup this may be quite different and in certain instances can be valuable to a malicious programmer.
>
> -Mark
Re: ColdFusion Security Holes - Best Practices
> it will generate an error message that gives you the IP address of the CF server:

This guy talks about something he knows nothing about.

First, the IP address exposed is ... yours, not a big help if you're a hacker...

Secondly, I'm pretty sure any hacker can get the IP address behind any domain name just with a simple DNS lookup; and even a beginner can consult one of the many sites that offer the service for free:
http://www.hcidata.co.uk/host2ip.htm
http://www.whois.sc/
http://www.networksolutions.com/whois/index.jhtml
To cite just a few that will even give you the phone number of the domain name owner so you can even call him directly and ask him whatever you want to know about his server ;-))

--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.
RE: ColdFusion Security Holes - Best Practices
Michael,

Yes there are ... but that's not important right now - and stop calling me Shirley :)

Here's what I'm saying. Many web servers are hosted behind a firewall and exist on a NAT network with static mappings. A PIX or other ALG capable firewall uses packet inspection to forward requests to an internal address. So the outside IP is the public address of the site (204.23.28.x) and the inside address is something else - usually from a non-routable subnet like 10.x.x.x or 192.x.x.x or 172.x.x.x. This enables network admins to set up internal network subnets that are simplified - even if they have a large pool of disparate IPs on different subnets from multiple providers (as most do). This internal address may be helpful to a hacker who can otherwise gain access to that internal space. I'm not saying it could be used as a magic bullet to break into the system - but as a matter of practice you don't want internal IPs and internal server names (NetBIOS names) to be public.

-Mark

Mark A. Kruger, CFG, MCSE
www.cfwebtools.com
www.necfug.com
http://mkruger.cfwebtools.com

-----Original Message-----
From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 8:28 AM
To: CF-Talk
Subject: RE: ColdFusion Security Holes - Best Practices

> > From: Mark A Kruger [mailto:[EMAIL PROTECTED]
> > From a security standpoint there is the address of the server via DNS (easily obtained) and then there is the address of the server as it exists on the internal network or DMZ of the host. Depending on the network setup this may be quite different and in certain instances can be valuable to a malicious programmer.
>
> And there are always the people who have CF on a separate server than the web server.
RE: ColdFusion Security Holes - Best Practices
See, I love that phone call approach. That's one that most hackers miss, I think. Of course it requires human contact so it may be beyond their skill level..

-----Original Message-----
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:01 AM
To: CF-Talk
Subject: Re: ColdFusion Security Holes - Best Practices

> > it will generate an error message that gives you the IP address of the CF server:
>
> This guy talks about something he knows nothing about.
>
> First, the IP address exposed is ... yours, not a big help if you're a hacker...
>
> Secondly, I'm pretty sure any hacker can get the IP address behind any domain name just with a simple DNS lookup; and even a beginner can consult one of the many sites that offer the service for free:
> http://www.hcidata.co.uk/host2ip.htm
> http://www.whois.sc/
> http://www.networksolutions.com/whois/index.jhtml
> To cite just a few that will even give you the phone number of the domain name owner so you can even call him directly and ask him whatever you want to know about his server ;-))
>
> --
> ___
> REUSE CODE! Use custom tags;
> See http://www.contentbox.com/claude/customtags/tagstore.cfm
> (Please send any spam to this address: [EMAIL PROTECTED])
> Thanks.
Re: ColdFusion Security Holes - Best Practices
On Friday 07 October 2005 15:08, Mark A Kruger wrote:
> so you can even call him directly and ask him whatever you want to know about his server ;-))

He will, of course, be well trained in counter-social engineering and work for a company with well defined and enforced information security policies, and immediately demand to know who you are, where you got the number and when would be a good time to call back.

--
Tom Chiverton
Advanced ColdFusion Programmer
RE: ColdFusion Security Holes - Best Practices
When I did it, it gave me the standard CF error with MY IP address. CF MX 7

-----Original Message-----
From: Michael T. Tangorre [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 6:03 AM
To: CF-Talk
Subject: RE: ColdFusion Security Holes - Best Practices

> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > I heard a challenge from a security consultant that if you are using ColdFusion you do not have a secure server. He maintains that CF is full of things a hacker can access. For example he gave the following example. If you attempt to open a CF website with the following command it will generate an error message that gives you the IP address of the CF server: sitename.org/*.cfm
>
> First off, that is an ignorant statement. That security consultant needs a little edumacation.
>
> > I tried this on a wide variety of sites and found that most CF sites return the error with the IP address. Some, however, appear to trap this error somehow.
>
> With what IP Address? Yours?
RE: ColdFusion Security Holes - Best Practices
Then let's hope they don't have the Show IP address extension for Firefox.

~Dave the disruptor~

Some people just don't appreciate how difficult it is to dispense wisdom and abuse at the same time.

From: Mark A Kruger [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:25 AM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: ColdFusion Security Holes - Best Practices

> Phil,
>
> From a security standpoint there is the address of the server via DNS (easily obtained) and then there is the address of the server as it exists on the internal network or DMZ of the host. Depending on the network setup this may be quite different and in certain instances can be valuable to a malicious programmer.
>
> -Mark
>
> -----Original Message-----
> From: Phill B [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 07, 2005 8:15 AM
> To: CF-Talk
> Subject: Re: ColdFusion Security Holes - Best Practices
>
> > For what it's worth, I have never had a problem finding the IP address for a server using nslookup on my PC. Not to mention what you can find out using these sites.
> > http://www.dnsreport.com/
> > http://www.dnsstuff.com/
> >
> > You can change how errors are shown by making changes in the debugging section of the CF Admin.
> >
> > Phil
> >
> > On 10/7/05, [EMAIL PROTECTED] wrote:
> > > I heard a challenge from a security consultant that if you are using ColdFusion you do not have a secure server. He maintains that CF is full of things a hacker can access. For example he gave the following example. If you attempt to open a CF website with the following command it will generate an error message that gives you the IP address of the CF server: sitename.org/*.cfm
> > >
> > > I tried this on a wide variety of sites and found that most CF sites return the error with the IP address. Some, however, appear to trap this error somehow.
> > >
> > > What should be done on a CF server to prevent that type of error exposing the IP address of a CF server? This error is occurring prior to the execution of an application.cfm file in the host root directory so you cannot programmatically trap it.
Re: ColdFusion Security Holes - Best Practices
You're totally right Thomas. Better to use the phone number to get the address, follow him (where "him" is any suitable employee) from work to the bar, lift his security badge / keycard after he's 3-sheets-to-the-wind, excuse yourself, drive back and enter the building, locate the server room, sit down in front of the machine and have fun...

Security always has holes -- always!!!

I think the point we've all managed to illustrate is that CF is not a security risk in and of itself. CF, .NET, PHP... installations are all just as easily left insecure by bad practices and with relatively equivalent ease can be made just about equally secure.

--Ferg.

Thomas Chiverton wrote:
> On Friday 07 October 2005 15:08, Mark A Kruger wrote:
> > so you can even call him directly and ask him whatever you want to know about his server ;-))
>
> He will, of course, be well trained in counter-social engineering and work for a company with well defined and enforced information security policies, and immediately demand to know who you are, where you got the number and when would be a good time to call back.
RE: ColdFusion Security Holes - Best Practices
Yea, personally I don't remember ever reading any security advisories about ColdFusion. Sure ColdFusion has bugs, but I don't ever remember anything serious enough to allow people to hack into the server. (Although a poorly configured server is probably full of holes, but that's not ColdFusion's fault.) Meanwhile I remember a lot of very dangerous bugs in ASP and PHP which caused people's machines to be rooted.

That security consultant needs to stop using the knowledge he learned at some fly-by-night security school, and get a real education.

Russ

-----Original Message-----
From: Ken Ferguson [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 11:10 AM
To: CF-Talk
Subject: Re: ColdFusion Security Holes - Best Practices

> You're totally right Thomas. Better to use the phone number to get the address, follow him (where "him" is any suitable employee) from work to the bar, lift his security badge / keycard after he's 3-sheets-to-the-wind, excuse yourself, drive back and enter the building, locate the server room, sit down in front of the machine and have fun...
>
> Security always has holes -- always!!!
>
> I think the point we've all managed to illustrate is that CF is not a security risk in and of itself. CF, .NET, PHP... installations are all just as easily left insecure by bad practices and with relatively equivalent ease can be made just about equally secure.
>
> --Ferg.
>
> Thomas Chiverton wrote:
> > On Friday 07 October 2005 15:08, Mark A Kruger wrote:
> > > so you can even call him directly and ask him whatever you want to know about his server ;-))
> >
> > He will, of course, be well trained in counter-social engineering and work for a company with well defined and enforced information security policies, and immediately demand to know who you are, where you got the number and when would be a good time to call back.
RE: ColdFusion Security Holes - Best Practices
I remember one advisory, it was related to the CF3 Administrator. The password field length was only secured by the form maxlength attribute, not on the server side. Thus, someone could kill a CF server by posting some very long string to the administrator login screen password field. The application would then try to compare that string with the actual password - which was a time consuming operation for large strings. Though this in itself doesn't give root access, it crashes the CF server and possibly makes server hacking easier.

TK

-----Original Message-----
From: Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 11:12 AM
To: CF-Talk
Subject: RE: ColdFusion Security Holes - Best Practices

> Yea, personally I don't remember ever reading any security advisories about ColdFusion. Sure ColdFusion has bugs, but I don't ever remember anything serious enough to allow people to hack into the server. (Although a poorly configured server is probably full of holes, but that's not ColdFusion's fault.) Meanwhile I remember a lot of very dangerous bugs in ASP and PHP which caused people's machines to be rooted.
>
> That security consultant needs to stop using the knowledge he learned at some fly-by-night security school, and get a real education.
>
> Russ
>
> -----Original Message-----
> From: Ken Ferguson [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 07, 2005 11:10 AM
> To: CF-Talk
> Subject: Re: ColdFusion Security Holes - Best Practices
>
> > You're totally right Thomas. Better to use the phone number to get the address, follow him (where "him" is any suitable employee) from work to the bar, lift his security badge / keycard after he's 3-sheets-to-the-wind, excuse yourself, drive back and enter the building, locate the server room, sit down in front of the machine and have fun...
> >
> > Security always has holes -- always!!!
> >
> > I think the point we've all managed to illustrate is that CF is not a security risk in and of itself. CF, .NET, PHP... installations are all just as easily left insecure by bad practices and with relatively equivalent ease can be made just about equally secure.
> >
> > --Ferg.
> >
> > Thomas Chiverton wrote:
> > > On Friday 07 October 2005 15:08, Mark A Kruger wrote:
> > > > so you can even call him directly and ask him whatever you want to know about his server ;-))
> > >
> > > He will, of course, be well trained in counter-social engineering and work for a company with well defined and enforced information security policies, and immediately demand to know who you are, where you got the number and when would be a good time to call back.
RE: ColdFusion Security Holes - Best Practices
-----Original Message-----
From: Adkins, Randy [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:09 AM
To: CF-Talk
Subject: RE: ColdFusion Security Holes - Best Practices

> Anyone can get the IP Address of the server, simply ping the domain name.

That's only true if it's configured like that. In many enterprise environments public servers are only accessed via appliances (load balancers, site selectors, etc). These appliances allow ping but the servers do not.

For example ping: www.nefapps.nefn.com - you'll get the IP address (and name) of the load-balancer but not the address of the server itself (actually there are several servers but you get the point). The ping doesn't complete because the ping port is firewall-blocked: you get the DNS lookup but never actually get to the server.

Regardless, CF is completely securable (at least as much as anything else in its class). But it does take some knowledge - which is why so many CF sites are insecure.

MM could address this at install (or later) with a lockdown script of sorts which would place a dummy server-wide error handler, disable debugging and error output, eliminate the sample code and so forth. In fact WE could do that as a community using the administrator API... a script which could be run to set secure CF admin settings (debugging, RDS, error handling, etc), check for security related patches and so forth.

Another good idea I'll never do anything with. ;^)

Jim Davis
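A server-wide error handler of the kind Jim describes, written here as an added example (not code from the thread, from Macromedia, or from any lockdown script); it answers Wally's question, since the Administrator invokes the site-wide handler even when a request fails before Application.cfm runs. The file location /errors/sitewide.cfm, the log file name sitewide_errors and the reference-id scheme are assumptions.

```cfml
<!--- Site-wide error handler: added example, not code from the thread or from Macromedia.
      Assumed location: /errors/sitewide.cfm under the web root, registered in
      ColdFusion Administrator > Server Settings > Settings > Site-wide Error Handler.
      Because the Administrator invokes it for every unhandled error, it also covers
      requests such as sitename.org/*.cfm that fail before Application.cfm executes.
      In production, also turn off "Enable Robust Exception Information" under
      Debugging & Logging so the default page reveals less if this handler is ever bypassed. --->
<cfsetting enablecfoutputonly="true" showdebugoutput="false">

<!--- Correlation id: shown to the user and written to the log so support can match the two --->
<cfset errorRef = createUUID()>

<!--- Keep every field the default error page would print in the browser (template, query
      string, client address, browser, referrer, message, diagnostics) on the server side only.
      The log lands in the log directory configured in the Administrator. --->
<cflog file="sitewide_errors" type="error"
       text="ref=#errorRef# template=#error.template# query=#error.queryString# client=#error.remoteAddress# browser=#error.browser# referer=#error.HTTPReferer# message=#error.message# diagnostics=#error.diagnostics#">

<!--- Discard any partial output already generated, then return a generic 500 page
      that carries nothing about the request, the client or the server --->
<cfcontent reset="true">
<cfheader statuscode="500" statustext="Internal Server Error">
<cfoutput>
<html>
<head><title>Request failed</title></head>
<body>
<p>The request could not be completed. Please try again later.</p>
<p>Reference: #errorRef#</p>
</body>
</html>
</cfoutput>
```

Check it the same way Wally did: request a deliberately bad .cfm path against a test server and confirm the response is the generic page while the Browser / Remote Address / Referrer fields appear only in the sitewide_errors log.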
RE: ColdFusion Security Holes - Best Practices
> I heard a challenge from a security consultant that if you are using ColdFusion you do not have a secure server.

I'm going to disagree with everyone else here and say, your consultant is absolutely right. If you run a public ColdFusion server, it accepts requests from literally anyone, and runs programs upon request! And, of course, those programs - the CFM files you write - may well have security flaws. And, if you're running ColdFusion, you're probably also running a web server, and we all know how insecure they can be.

In summary, public servers aren't secure, in any absolute sense. They may be more secure or less secure than other servers, but that's about it.

However, your consultant could have been a little more accurate by saying, if you are using a server on a public network you do not have a secure server. So, he's right for the wrong reasons, and therefore doesn't really deserve any credit for being right. You should probably avoid his advice.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
RE: ColdFusion Security Holes - Best Practices
> Secondly, this security _expert_ is no expert. Any expert wouldn't make such blanket statements like CF is less secure. In fact, in comparison .NET is a lot less secure than CF due to its deep ties with the operating system.

I have to take issue with this a bit. A default installation of CFMX on Windows runs as SYSTEM, so if I can compromise it I can do pretty much whatever I like. In ASP.NET, there are a lot of things that factor into security; it doesn't really have deep ties with the operating system in the way that unmanaged code does. The ISS guys have a really good overview of ASP.NET security:
http://documents.iss.net/whitepapers/asp_net_whitepaper.pdf

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!