Re: CF10 lockdown question
Hi Larry,

There has been a LOT of attacks targeting ColdFusion lately; it's time for us all to step up our security practices. There is a lot you can do to harden your server installation and your application code beyond what you have mentioned. Security is one of those things where you can never say "ok, everything is secure, I can check that off my list and move on"; it is a constant, ongoing thing you need to always be working on.

Some things to get started:

1) Follow the CF10 lockdown guide: https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf

2) If you can remove your need for /CFIDE, this can make lockdown easier because you can just block it.

3) Another very important thing to check, besides that your queries have been cfqueryparamed, is to check all your file operations for vulnerabilities. Here are some tips for file uploads: http://www.petefreitag.com/item/701.cfm You should also check any file operation that uses variables that can be tainted by the requester; for example, cfinclude template=static/#url.path#.html could be used to download any file CF has access to (not just html files).

4) Leverage some of the new session functions in CF10 like SessionRotate (after a successful login) and SessionInvalidate (on logout).

5) Employ redundant layers of security (defense in depth), for example using a web application firewall, such as the one my company makes: http://fuseguard.com/ There are other ones that are non-specific to CF as well.

6) Use security monitoring and scanning tools, such as a PCI scanner, and http://hackmycf.com/ (note HackMyCF is not a PCI scanner; you should still use a PCI scanner in addition to HackMyCF, which is highly CF specific).

7) I could go on and on, so go and register for cf.Objective(), where you can hear several presentations on CF security given by David Epler, Phil Duba, Bilal Soylu, and myself: http://www.cfobjective.com/sessions/ You can find some of my past presentations here: http://www.petefreitag.com/tag/security which also give a lot more detail than we can get into on this thread.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Tue, Mar 5, 2013 at 9:03 AM, Stephens, Larry V steph...@iu.edu wrote:

> Our webserver utilizing CF8 was hacked. We're not sure how (in what manner), at least at this point, but I am in the process of moving all CF stuff to a new server using CF10.
>
> I am checking all #variables# used in queries to be sure cfqueryparam is used. We are moving everything from MS Access to SQL Server. I am shedding all cfajaximport's and using jQuery ajax calls. While I don't *think* this is security related, I am also eliminating all cfform's (but, see below).
>
> Q1: By eliminating cfajaximport does the public need access to CFIDE or can I lock that down to my access, only? I recall having an issue with validation in cfform that had to do with not finding CFIDE (but I'm eliminating that issue).
>
> Q2: As far as CF goes, anything we're missing?
>
> Thanks.

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354854
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
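Added example, not code from Pete's post or from any of the products he mentions: CF10 CFML showing points 3 and 4 above side by side, the tainted-path include next to an allow-listed version, an upload that is checked after it lands on disk, a parameterized query, and SessionRotate/SessionInvalidate around login and logout. The datasource name "appDSN", the form field "userfile", the page allow-list, the placeholder upload directory and the passwordsMatch flag are all assumptions made for the example.

```cfml
<!--- Added example (not from the thread). Assumed names: datasource "appDSN",
      form field "userfile", placeholder upload directory, passwordsMatch flag. --->

<!--- 3a) Tainted include. This is the pattern warned about above: url.path is
      requester-controlled, so "../" sequences and a different extension can pull
      any file ColdFusion can read. Left commented out on purpose. --->
<!--- <cfinclude template="static/#url.path#.html"> --->

<!--- Hardened: map the request onto a fixed allow-list of page names and refuse
      anything else, rather than trying to strip "bad" characters. The include
      uses the allow-list's own spelling, not the requester's. --->
<cfparam name="url.path" default="home">
<cfset allowedPages = "home,about,contact">
<cfset pagePos = listFindNoCase(allowedPages, url.path)>
<cfif pagePos GT 0>
    <cfset pageName = listGetAt(allowedPages, pagePos)>
    <cfinclude template="static/#pageName#.html">
<cfelse>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 3b) File upload. The client-supplied content type is not trusted; the
      file is written outside the web root (placeholder path, an assumption)
      and then judged by the extension ColdFusion actually saved it with. --->
<cfset uploadDir = "C:\cf_uploads\">
<cfset allowedExt = "jpg,jpeg,png,gif">
<cfif structKeyExists(form, "userfile")>
    <cffile action="upload"
            fileField="userfile"
            destination="#uploadDir#"
            nameConflict="makeUnique"
            result="up">
    <cfif NOT listFindNoCase(allowedExt, up.serverFileExt)>
        <!--- The file is already on disk at this point, so remove it and stop. --->
        <cffile action="delete" file="#up.serverDirectory#/#up.serverFile#">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfabort>
    </cfif>
</cfif>

<!--- Parameterized query: the value is bound by the driver, never spliced
      into the SQL text, and the length is capped. --->
<cfparam name="form.username" default="">
<cfquery name="getUser" datasource="appDSN">
    SELECT user_id, username, password_hash
    FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="64">
</cfquery>

<!--- 4) CF10 session functions. sessionRotate() issues a new session identifier
      after a successful login (existing session data is carried over), so an
      identifier that existed before authentication is not kept.
      passwordsMatch is assumed to be set by your password-hash verification. --->
<cfset passwordsMatch = false>
<cfif getUser.recordCount EQ 1 AND passwordsMatch>
    <cfset sessionRotate()>
    <cfset session.userId = getUser.user_id>
</cfif>

<!--- logout.cfm: discard the whole session rather than just clearing a flag. --->
<cfset sessionInvalidate()>
<cflocation url="login.cfm" addToken="false">
```

The allow-list approach in 3a generalizes to every file operation that takes a requester-controlled name (cffile read/write, cfdirectory, cfcontent with file=): resolve the request to one of a fixed set of known names and reject the rest, since filtering out "../" alone leaves encoded and platform-specific variants uncovered.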
Re: CF10 lockdown question
+1 to FuseGuard. Implemented this on a site with a *lot* of SQL injection issues. No firewall or similar product is a substitute for well-written code, but putting this in place stopped the hemorrhaging overnight.

+1 to HackMyCF as well. Use this on the main site I support, and I'm very happy with the weekly updates (not only tells you what the problem is, but links to how to fix it).

No, Pete isn't paying me to say this. :-)

Billy Cravens
bdcrav...@gmail.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354856
Re: CF10 lockdown question
If you have the master CFIDE open to the public and have not locked that down as per the last security alert and hotfix, then that was no doubt the cause of your hack. Obviously there is no hotfix for CF8 as it is EOL, but you should at least follow the lockdown guides that were published RE CFIDE and ADMINAPI.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354814
Re: CF10 lockdown question
FYI, our recent break-in was through the fckeditor bug that we didn't have patched. Look for a directory called Userfiles ... We migrated to a whole new server rather than upgrading :)

There is no need to eliminate cfajaximport and cfform and other such things; just set up a virtual directory pointing to the /cfide/scripts folder and call it something (maybe /cfscripts/ or /cf_scripts/ or /wackamole/ - whatever). Then set that up in your ColdFusion Administrator, and all the cfforms and cfajaximports and whatnot still work just fine. The lockdown guide goes into detail about this.

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354830