Re: Security Question(s)
On Mon, Nov 19, 2012 at 1:48 PM, Jamie Bowers wrote:
> Somewhat related, how do I determine that any hot-fix or security patch I
> may download and install is indeed installed?

Jamie, one thing I'd like to point out is that if you are using CF7 then you have unpatched vulnerabilities on the server. CF7 has been End of Life for a while and has not received any security updates in a couple of years - so even if your code is secured, your server platform is likely not. You will also need to make sure your JVM is patched, which again might be a challenge since CF7 doesn't run on Java 1.6 (without appropriate JVM patches an attacker can simply send a magic number to your server and cause it to hang, among other possibilities).

To answer your question here about how you know what patches are installed: I created a service, http://hackmycf.com, specifically for that reason - you can scan your domain for free, but we also offer paid services that can find more details. You can also try using the ColdFusion Administrator to see what the update level is, but that is not a great solution; see http://www.carehart.org/blog/client/index.cfm/2012/6/18/what_hotfixes_have_been_applied for more info.

Finally, I also wanted to point out that XmlFormat is not a stopgap for XSS either. For example, if you have this:

    var id = #XmlFormat(url.id)#;

you are not at all protected from XSS - so XSS protection really depends on where the variable is output. It could be in a tag, JavaScript, CSS, a URL, or a tag attribute, and all have their own encoding rules that must be applied to properly prevent the attack.

Hope that helps.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353266
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
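Pete's point about `var id = #XmlFormat(url.id)#;`, together with Dave Watts's advice elsewhere in the thread to identify the range of acceptable values and filter accordingly, as an added Python example (not code from the thread or from any poster's product). It assumes xml_format() mirrors ColdFusion's XmlFormat(), which escapes only &, <, >, " and '; the other encoders follow OWASP's per-context rules and are this example's own.

```python
# Added example, not code from the cf-talk thread: why XmlFormat() in a
# JavaScript context leaves XSS open, and what context-specific encoding
# plus allow-list validation look like instead.
# Assumption: xml_format() mirrors ColdFusion's XmlFormat(), which escapes
# only & < > " and ' and nothing else.
import re
from urllib.parse import quote


def xml_format(s: str) -> str:
    """Mimic ColdFusion XmlFormat(): entity-encode the five XML specials only."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&apos;"))


def encode_for_html(s: str) -> str:
    """HTML body text. Here the same five characters are the ones that matter,
    which is why XmlFormat() appears to work in this one context."""
    return xml_format(s)


def encode_for_html_attribute(s: str) -> str:
    """Quoted attribute value: everything but ASCII alphanumerics becomes &#xHH;
    so the value can neither close the quote nor start a new attribute."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):x};"
                   for c in s)


def encode_for_javascript(s: str) -> str:
    """JavaScript string literal: \\xHH or \\uHHHH for every non-alphanumeric."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(f"\\u{ord(c):04x}")
    return "".join(out)


def encode_for_url(s: str) -> str:
    """URL query component: percent-encode everything outside the unreserved set."""
    return quote(s, safe="")


def render_js_id_with_xmlformat(raw_id: str) -> str:
    """The pattern from the thread:  var id = #XmlFormat(url.id)#;
    An unquoted JavaScript context needs no < > & or quotes to append code,
    so XmlFormat() hands such input through untouched."""
    return f"var id = {xml_format(raw_id)};"


INTEGER_ID = re.compile(r"[0-9]{1,9}")


def is_integer_id(raw_id: str) -> bool:
    """Allow-list check, the analogue of <cfparam type="integer">."""
    return INTEGER_ID.fullmatch(raw_id) is not None


def render_js_id_validated(raw_id: str) -> str:
    """Defensive form: an unquoted JS value is validated, not encoded."""
    if not is_integer_id(raw_id):
        raise ValueError(f"id must be a positive integer, got {raw_id!r}")
    return f"var id = {int(raw_id)};"


def render_js_name(raw_name: str) -> str:
    """Defensive form for free text: quote it and JavaScript-encode the content."""
    return f"var name = '{encode_for_javascript(raw_name)}';"
```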
Re: Security Question(s)
> > And using the cfparam tags will help stop these types of attacks?
>
> They can, but more importantly you have to either:
> - not use values from the browser directly within functions, etc
> - or, identify the range of acceptable values for these, and filter
> accordingly.
>
> > Is there a good ColdFusion security primer online about these
> > kinds of things somewhere?
>
> I'd start with the CF 9 Lockdown Guide - while it doesn't really talk
> about secure programming specifically, it does give you an idea of the
> range and functionality of vulnerabilities. That is really well
> written, and I think every CF developer and server administrator
> should read it.
>
> Beyond that, Jason Dean's site, http://www.12robots.com/, has a lot of
> security info that's specific to CF.
>
> There's also the OWASP CF resources page:
>
> https://www.owasp.org/index.php/ColdFusion_Security_Resources
>
> Finally, though, I would recommend that you not limit yourself to
> CF-specific resources. There are lots of general resources out there,
> and it's very easy to draw the conclusions you need from them.
>
> > By the way Figleaf is where I took my ColdFusion training way back
> > when CF3 was the latest and greatest.
>
> That was a long time ago!
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.

Somewhat related, how do I determine that any hot-fix or security patch I may download and install is indeed installed?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353251
Re: Security Question(s)
> And using the cfparam tags will help stop these types of attacks?

They can, but more importantly you have to either:
- not use values from the browser directly within functions, etc
- or, identify the range of acceptable values for these, and filter accordingly.

> Is there a good ColdFusion security primer online about these kinds of
> things somewhere?

I'd start with the CF 9 Lockdown Guide - while it doesn't really talk about secure programming specifically, it does give you an idea of the range and functionality of vulnerabilities. That is really well written, and I think every CF developer and server administrator should read it.

Beyond that, Jason Dean's site, http://www.12robots.com/, has a lot of security info that's specific to CF.

There's also the OWASP CF resources page:

https://www.owasp.org/index.php/ColdFusion_Security_Resources

Finally, though, I would recommend that you not limit yourself to CF-specific resources. There are lots of general resources out there, and it's very easy to draw the conclusions you need from them.

> By the way Figleaf is where I took my ColdFusion training way back when CF3
> was the latest and greatest.

That was a long time ago!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353212
Re: Security Question(s)
Yes, there are resources online regarding this type of thing. Did you check the links I sent you in my previous reply?

On Fri, Nov 16, 2012 at 4:50 PM, Jamie Bowers wrote:
> > > I haven't done ColdFusion since CF4, however recently have been
> > > tasked to look at a CF7MX application that has 3 security
> > > issues they are looking to fix.
> > >
> > > 1. Cross Site Scripting - I believe I have this one figured out
> > > using the Admin Panel's "Enable global script protection"
> > > 2. Format String Injection
> > > 3. Parameter Based Buffer Overflow
> > >
> > > I have been able to find generalized information on the other two
> > > issues, but nothing as it relates to CF itself. Will the "Enable
> > > global script protection" fix these other two as well or should I be
> > > looking elsewhere? Everything I am finding has to do with SQL
> > > injection and not Format String Injection, and I'm finding nothing
> > > on Parameter Based Buffer Overflow.
> >
> > First, no, enabling global script protection will not fix all three
> > issues. In fact, it's not guaranteed to fix XSS issues; although it
> > may block many XSS attacks, it doesn't prevent XSS attacks generally,
> > it just filters data for known XSS attack strings.
> >
> > XSS attacks occur when an attacker can send client-side executable
> > code (typically JavaScript, but it could be anything else that an HTML
> > page can tell a local computer to do) to your server, and your server
> > stores that and later delivers it to other users. The attack isn't
> > really targeting the server specifically, but rather those other
> > users.
> >
> > The other two things are attacks on your server, and are basically
> > similar to SQL injection: the attacker sends a value that your code
> > takes and passes directly to a function. XSS filtering has nothing to
> > do with them. For example, let's say you have a line of code like
> > this:
> >
> > An attacker could inject a value there, because you're taking data
> > directly from the browser and using it to do something. Now, that
> > specific attack wouldn't be very helpful to an attacker in most cases,
> > but it shows you what I mean, I guess.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.
>
> And using the cfparam tags will help stop these types of attacks?
>
> Is there a good ColdFusion security primer online about these kinds of
> things somewhere?
>
> By the way Figleaf is where I took my ColdFusion training way back when
> CF3 was the latest and greatest.
>
> Jamie

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353210
Re: Security Question(s)
> > I haven't done ColdFusion since CF4, however recently have been
> > tasked to look at a CF7MX application that has 3 security
> > issues they are looking to fix.
> >
> > 1. Cross Site Scripting - I believe I have this one figured out
> > using the Admin Panel's "Enable global script protection"
> > 2. Format String Injection
> > 3. Parameter Based Buffer Overflow
> >
> > I have been able to find generalized information on the other two
> > issues, but nothing as it relates to CF itself. Will the "Enable
> > global script protection" fix these other two as well or should I be
> > looking elsewhere? Everything I am finding has to do with SQL
> > injection and not Format String Injection, and I'm finding nothing
> > on Parameter Based Buffer Overflow.
>
> First, no, enabling global script protection will not fix all three
> issues. In fact, it's not guaranteed to fix XSS issues; although it
> may block many XSS attacks, it doesn't prevent XSS attacks generally,
> it just filters data for known XSS attack strings.
>
> XSS attacks occur when an attacker can send client-side executable
> code (typically JavaScript, but it could be anything else that an HTML
> page can tell a local computer to do) to your server, and your server
> stores that and later delivers it to other users. The attack isn't
> really targeting the server specifically, but rather those other
> users.
>
> The other two things are attacks on your server, and are basically
> similar to SQL injection: the attacker sends a value that your code
> takes and passes directly to a function. XSS filtering has nothing to
> do with them. For example, let's say you have a line of code like
> this:
>
> An attacker could inject a value there, because you're taking data
> directly from the browser and using it to do something. Now, that
> specific attack wouldn't be very helpful to an attacker in most cases,
> but it shows you what I mean, I guess.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.

And using the cfparam tags will help stop these types of attacks?

Is there a good ColdFusion security primer online about these kinds of things somewhere?

By the way Figleaf is where I took my ColdFusion training way back when CF3 was the latest and greatest.

Jamie

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353209
Re: Security Question(s)
> I haven't done ColdFusion since CF4, however recently have been tasked to
> look at a CF7MX application that has 3 security
> issues they are looking to fix.
>
> 1. Cross Site Scripting - I believe I have this one figured out using the
> Admin Panel's "Enable global script protection"
> 2. Format String Injection
> 3. Parameter Based Buffer Overflow
>
> I have been able to find generalized information on the other two issues, but
> nothing as it relates to CF itself. Will the "Enable
> global script protection" fix these other two as well or should I be looking
> elsewhere? Everything I am finding has to do with SQL
> injection and not Format String Injection, and I'm finding nothing on
> Parameter Based Buffer Overflow.

First, no, enabling global script protection will not fix all three issues. In fact, it's not guaranteed to fix XSS issues; although it may block many XSS attacks, it doesn't prevent XSS attacks generally, it just filters data for known XSS attack strings.

XSS attacks occur when an attacker can send client-side executable code (typically JavaScript, but it could be anything else that an HTML page can tell a local computer to do) to your server, and your server stores that and later delivers it to other users. The attack isn't really targeting the server specifically, but rather those other users.

The other two things are attacks on your server, and are basically similar to SQL injection: the attacker sends a value that your code takes and passes directly to a function. XSS filtering has nothing to do with them. For example, let's say you have a line of code like this:

An attacker could inject a value there, because you're taking data directly from the browser and using it to do something. Now, that specific attack wouldn't be very helpful to an attacker in most cases, but it shows you what I mean, I guess.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353198
Re: Security Question(s)
> First thing is you will want to wrap all of your query variables with a
> cfqueryparam tag. I also wrap them with the XMLFormat() function as that
> will render strings non-executable. For example...
>
> Select x,y,z
> From tablename
> Where xx = <cfqueryparam value="#XMLFormat(variable.xxddrr)#">
>
> There are also other attributes to tighten it down further like if it is
> allowed to be null, or a list, etc...
>
> The other big thing is to make sure your variables are scoped. This makes
> it so that you know exactly where it is coming from and prevents overriding
> from a source that's higher up in the order of operations. Local vars get
> the variables scope. Then there is URL, form, application, session, etc...
>
> This will cover cross site scripting and SQL injection.
>
> Three Ravens Consulting
> Eric Roberts
> Owner/Developer
> ow...@threeravensconsulting.com
> tel: 630-486-5255
> fax: 630-310-8531
> http://www.threeravensconsulting.com
>
> I haven't done ColdFusion since CF4, however recently have been tasked to
> look at a CF7MX application that has 3 security issues they are looking to
> fix.
>
> 1. Cross Site Scripting - I believe I have this one figured out using the
> Admin Panel's "Enable global script protection"
> 2. Format String Injection
> 3. Parameter Based Buffer Overflow
>
> I have been able to find generalized information on the other two issues,
> but nothing as it relates to CF itself. Will the "Enable global script
> protection" fix these other two as well or should I be looking elsewhere?
> Everything I am finding has to do with SQL injection and not Format String
> Injection, and I'm finding nothing on Parameter Based Buffer Overflow.
>
> Any help anyone could provide would be great.
>
> Thanks,
> Jamie

Thanks. I know to use the cfparam and cfqueryparam tags to prevent SQL injection and XSS; will this also prevent these other two errors I listed?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353197
RE: Security Question(s)
First thing is you will want to wrap all of your query variables with a cfqueryparam tag. I also wrap them with the XMLFormat() function as that will render strings non-executable. For example...

Select x,y,z
From tablename
Where xx = <cfqueryparam value="#XMLFormat(variable.xxddrr)#">

There are also other attributes to tighten it down further like if it is allowed to be null, or a list, etc...

The other big thing is to make sure your variables are scoped. This makes it so that you know exactly where it is coming from and prevents overriding from a source that's higher up in the order of operations. Local vars get the variables scope. Then there is URL, form, application, session, etc...

This will cover cross site scripting and SQL injection.

Three Ravens Consulting
Eric Roberts
Owner/Developer
ow...@threeravensconsulting.com
tel: 630-486-5255
fax: 630-310-8531
http://www.threeravensconsulting.com

-----Original Message-----
From: Jamie Bowers [mailto:jamiembow...@netscape.net]
Sent: Thursday, November 15, 2012 10:55 AM
To: cf-talk
Subject: Security Question(s)

I haven't done ColdFusion since CF4, however recently have been tasked to look at a CF7MX application that has 3 security issues they are looking to fix.

1. Cross Site Scripting - I believe I have this one figured out using the Admin Panel's "Enable global script protection"
2. Format String Injection
3. Parameter Based Buffer Overflow

I have been able to find generalized information on the other two issues, but nothing as it relates to CF itself. Will the "Enable global script protection" fix these other two as well or should I be looking elsewhere? Everything I am finding has to do with SQL injection and not Format String Injection, and I'm finding nothing on Parameter Based Buffer Overflow.

Any help anyone could provide would be great.

Thanks,
Jamie

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353183
Re: Security Question(s)
Relying on "enable script protection" is like closing your front door and thinking you can't get burgled. It may stop the casual opportunist who sees your door open and decides to rob you, but a professional burglar won't walk in via the front door anyway; he will find another way in. In the same way, global script protect only blocks the really basic, most common attacks; it will do nothing for anything more sophisticated.

This is not a topic specific to ColdFusion. You need to research the topic in general, as it applies to all platforms. You can find many CF-specific articles on Google though:

https://www.google.co.uk/search?q=how+to+secure+your+coldfusion+application&oq=how+to+secure+your+coldfusion+application&aqs=chrome.0.57.7359&sugexp=chrome,mod=15&sourceid=chrome&ie=UTF-8

I would suggest taking a look here for any recorded meetups on the topic:

http://www.meetup.com/coldfusionmeetup/

The quick and simple solution would probably be to use FuseGuard:

http://foundeo.com/security/

On Thu, Nov 15, 2012 at 4:55 PM, Jamie Bowers wrote:
>
> I haven't done ColdFusion since CF4, however recently have been tasked to
> look at a CF7MX application that has 3 security issues they are looking to
> fix.
>
> 1. Cross Site Scripting - I believe I have this one figured out using the
> Admin Panel's "Enable global script protection"
> 2. Format String Injection
> 3. Parameter Based Buffer Overflow
>
> I have been able to find generalized information on the other two issues,
> but nothing as it relates to CF itself. Will the "Enable global script
> protection" fix these other two as well or should I be looking elsewhere?
> Everything I am finding has to do with SQL injection and not Format String
> Injection, and I'm finding nothing on Parameter Based Buffer Overflow.
>
> Any help anyone could provide would be great.
>
> Thanks,
> Jamie

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353182
Security Question(s)
I haven't done ColdFusion since CF4, however recently have been tasked to look at a CF7MX application that has 3 security issues they are looking to fix.

1. Cross Site Scripting - I believe I have this one figured out using the Admin Panel's "Enable global script protection"
2. Format String Injection
3. Parameter Based Buffer Overflow

I have been able to find generalized information on the other two issues, but nothing as it relates to CF itself. Will the "Enable global script protection" fix these other two as well or should I be looking elsewhere? Everything I am finding has to do with SQL injection and not Format String Injection, and I'm finding nothing on Parameter Based Buffer Overflow.

Any help anyone could provide would be great.

Thanks,
Jamie

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353180