I've actually had to have a little chat with a security consultant recently about ColdFusion as well. He really knows what he's doing in a lot of areas, and he does occasionally do CF security, but he's never worked on a version higher than 4.5. When I told the guy that CF is now a J2EE app he was shocked and suddenly had to re-evaluate his blanket statement that CF is in itself a security risk. Anything that you have installed on a server is technically a security risk but you have to take that risk if you want the server to actually do something.
That said, this guy's example of why CF is a security risk is really dumb. Under typical circumstances the IP address is already available. If your app is really high security and uses a load balancer, then this could be a problem. Maybe. Knowledge of the IP address is only a serious security risk if there is a security hole that can only be reached by IP address. An IP address alone is not a problem.

On 10/7/05, David Livingston <[EMAIL PROTECTED]> wrote:
> One of the first tactics a "hacker" typically uses is to gather as much information about the system they are going to attack as possible. If the server is running CF, causing an error can reveal all sorts of juicy details that aren't directly dangerous. Put together with a few bits of other information though, they could reveal a possible attack. One strategy that most security firms/books employ is to limit your information exposure as much as possible. The less someone knows about your systems the better. That is probably what the consultant was getting at, is that it gave away too much info too easily. This is easily fixed by adding a sitewide error handler in the CF administrator and just putting up html instead of all of the debug info. What I do is set the error page to only show debug info if it comes from the office IP address. Not a perfect solution but certainly better than just showing everything.
>
> If you are interested in past CF security issues you can do a search for coldfusion at securityfocus.com.
>
> http://securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=coldfusion&x=0&y=0
>
> My opinion (for what it's worth) is that Macromedia, and Allaire before that, have done a good job of writing a secure web scripting product and addressing issues when they are presented. Php seems to do a good job as well. As for others I can't speak to because I have limited experience with them. I have been burned by Microsoft too many times to trust them so I typically shy away from ASP or .Net. I would like to take this opportunity to thank Macromedia for adding linux to their supported OS's. :)
>
> For anyone looking for more info on security I would recommend Ultimate Hacking and Ultimate Web Hacking by foundstone.
>
> http://foundstone.com/
>
> Dave
>
>
> On Oct 7, 2005, at 7:50 AM, [EMAIL PROTECTED] wrote:
>
> > I heard a challenge from a security consultant that "if you are using ColdFusion you do not have a secure server." He maintains that CF is full of things a hacker can access. For example he gave the following example. If you attempt to open a CF website with the following command it will generate an error message that gives you the IP address of the CF server:
> >
> > sitename.org/*.cfm
> >
> > I tried this on a wide variety of sites and found that most CF sites return the error with the IP address. Some, however, appear to trap this error somehow.
> >
> > What should be done on a CF server to prevent that type of error exposing the IP address of a CF server?
> >
> > This error is occurring prior to the execution of an application.cfm file in the host root directory so you cannot programmatically trap it.

Message: http://www.houseoffusion.com/lists.cfm/link=i:10:5581
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/10
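The site-wide error handler Dave describes (a generic HTML page for everyone, the debug detail only for the office address, since the `*.cfm` request fails before Application.cfm can run and only the Administrator-level handler can catch it), written out as an added example. This is not code from the thread, from Macromedia or from the list; it assumes the handler is registered under Server Settings > Settings > "Site-wide Error Handler" in the CF Administrator and that the `error` scope variables (`error.message`, `error.diagnostics`, `error.template`) are populated for a site-wide handler as they are in ColdFusion MX. The address list is a constructed placeholder.

```cfml
<!--- sitewide_error.cfm: site-wide error handler (added example, not from the thread).
      Register this file as the "Site-wide Error Handler" in the CF Administrator.
      Assumes the error scope (error.message, error.diagnostics, error.template) is
      available here, as it is for a site-wide handler in ColdFusion MX. --->
<cfsilent>
    <!--- Constructed placeholder: replace with your own office/admin addresses. --->
    <cfset allowedDebugIPs = "192.0.2.10,192.0.2.11">

    <!--- CGI.REMOTE_ADDR is the TCP peer. Behind a load balancer or reverse proxy it is
          the proxy's address, not the visitor's, so this check then allows nobody (safe)
          or, if the proxy sits on an allowed address, everybody (unsafe). Do not widen it
          to X-Forwarded-For unless only your own proxy is able to set that header. --->
    <cfset showDebug = ListFind(allowedDebugIPs, cgi.remote_addr) GT 0>

    <!--- Keep the detail for the operator: log it server-side, never send it to the visitor. --->
    <cflog file="sitewide_errors" type="error"
           text="#cgi.remote_addr# #cgi.script_name# : #error.message# : #error.diagnostics#">
</cfsilent>

<!--- A real 500 status, so monitoring still sees the failure even though the body is bland. --->
<cfheader statuscode="500" statustext="Internal Server Error">
<html>
<head><title>Something went wrong</title></head>
<body>
<h1>Sorry, something went wrong.</h1>
<p>The problem has been logged. Please try again later.</p>

<cfif showDebug>
    <!--- Only the allowed addresses see the template path, host details and stack
          information that the thread is worried about leaking. --->
    <hr>
    <pre><cfoutput>#HTMLEditFormat(error.message)#
#HTMLEditFormat(error.diagnostics)#
Template: #HTMLEditFormat(error.template)#</cfoutput></pre>
</cfif>
</body>
</html>
```

To check it, request a nonexistent `.cfm` (and the `*.cfm` form from the original question) from an address outside the list and confirm the response body contains no server address, file system path or template name; then repeat from an allowed address and confirm the detail appears only there. The `HTMLEditFormat` calls matter even for trusted viewers, because `error.diagnostics` can echo request data back into the page.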
