One of the first tactics a "hacker" typically uses is to gather as much information about the system they are going to attack as possible. If the server is running CF, causing an error can reveal all sorts of juicy details that aren't directly dangerous. Put together with a few bits of other information though, they could reveal a possible attack. One strategy that most security firms/books employ is to limit your information exposure as much as possible. The less someone knows about your systems the better. That is probably what the consultant was getting at: it gave away too much info too easily. This is easily fixed by adding a site-wide error handler in the CF Administrator and just putting up HTML instead of all of the debug info. What I do is set the error page to only show debug info if it comes from the office IP address. Not a perfect solution, but certainly better than just showing everything.
If you are interested in past CF security issues you can do a search for coldfusion at securityfocus.com: http://securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=coldfusion&x=0&y=0

My opinion (for what it's worth) is that Macromedia, and Allaire before that, have done a good job of writing a secure web scripting product and addressing issues when they are presented. PHP seems to do a good job as well. As for others I can't speak to because I have limited experience with them. I have been burned by Microsoft too many times to trust them, so I typically shy away from ASP or .Net. I would like to take this opportunity to thank Macromedia for adding Linux to their supported OSes. :)

For anyone looking for more info on security I would recommend Ultimate Hacking and Ultimate Web Hacking by Foundstone. http://foundstone.com/

Dave

On Oct 7, 2005, at 7:50 AM, [EMAIL PROTECTED] wrote:

> I heard a challenge from a security consultant that "if you are using ColdFusion you do not have a secure server." He maintains that CF is full of things a hacker can access. For example he gave the following example. If you attempt to open a CF website with the following command it will generate an error message that gives you the IP address of the CF server:
>
> sitename.org/*.cfm
>
> I tried this on a wide variety of sites and found that most CF sites return the error with the IP address. Some, however, appear to trap this error somehow.
>
> What should be done on a CF server to prevent that type of error exposing the IP address of a CF server?
>
> This error is occurring prior to the execution of an application.cfm file in the host root directory so you cannot programmatically trap it.
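The reply above describes registering a site-wide error handler in the CF Administrator that serves plain HTML to everyone and shows diagnostics only to the office address. The template below is an added illustration of that approach, not code from the original thread: the allow-listed addresses are constructed placeholders from the 203.0.113.0/24 documentation range, the log file name is arbitrary, and it relies on the standard `error` scope variables (`error.template`, `error.message`, `error.diagnostics`) that ColdFusion passes to a site-wide error handler.

```cfml
<!--- Site-wide error handler. Register this template under
      ColdFusion Administrator > Server Settings > Settings > Site-wide Error Handler.
      Added example, not part of the original post. --->
<cfsilent>
    <!--- Addresses allowed to see diagnostics. Constructed placeholders;
          replace with the office address(es). --->
    <cfset variables.debugAllowList = "203.0.113.10,203.0.113.11">

    <!--- Decide on the socket address, not on X-Forwarded-For: that header is
          client-supplied and must not drive an allow-list. If CF sits behind a
          proxy, restrict on the proxy/web-server side instead. --->
    <cfset variables.showDebug = listFind(variables.debugAllowList, cgi.remote_addr) GT 0>

    <!--- Keep the full detail server-side for the administrators, always. --->
    <cflog file="sitewide-errors" type="error"
           text="#cgi.remote_addr# #error.template# #error.message#">
</cfsilent>

<!--- Generic page for everyone: no host name, IP address, path or stack trace. --->
<cfheader statuscode="500" statustext="Internal Server Error">
<cfcontent reset="true">
<html>
<head><title>Something went wrong</title></head>
<body>
<h1>Something went wrong</h1>
<p>The request could not be completed. The problem has been logged.</p>

<cfif variables.showDebug>
    <!--- Diagnostics only for the allow-listed address. Escape them so the
          error text (which can echo request data) cannot inject markup here. --->
    <hr>
    <cfoutput>
    <p><b>Template:</b> #htmlEditFormat(error.template)#</p>
    <p><b>Message:</b> #htmlEditFormat(error.message)#</p>
    <pre>#htmlEditFormat(error.diagnostics)#</pre>
    </cfoutput>
</cfif>
</body>
</html>
```

Because the Administrator-level handler runs for errors raised before any Application.cfm is reached, this also covers the `sitename.org/*.cfm` case from the quoted message. Verify the setting by requesting a deliberately bad template name from a non-office address and confirming the response carries nothing beyond the generic page.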
