Well. Like this other security consultant, yours is an amateur.

You cannot make statements that ColdFusion (or any application for that
server) is insecure without proper justification. 

Only worked on 4.5? Erm, it's 2005! 4.5 is more than 6 or 7 years old - glad
to see this consultant is up to date on all this technology, maybe he still
does network security audits for Windows 3.1.


-----Original Message-----
From: Jennifer Larkin <[EMAIL PROTECTED]>
To: CF-Server <[email protected]>
Sent: Fri Oct 07 21:28:35 2005
Subject: Re: ColdFusion Security Holes - Best Practices

I've actually had to have a little chat with a security consultant
recently about ColdFusion as well. He really knows what he's doing in
a lot of areas, and he does occasionally do CF security, but he's
never worked on a version higher than 4.5. When I told the guy that CF
is now a J2EE app he was shocked and suddenly had to re-evaluate his
blanket statement that CF is in itself a security risk. Anything that
you have installed on a server is technically a security risk but you
have to take that risk if you want the server to actually do
something.

That said, this guy's example of why cf is a security risk is really
dumb. Under typical circumstances the IP address is already available.
If your app is really high security and uses a load balancer, then
this could be a problem. Maybe. Knowledge of the IP address is only a
serious security risk if there is a security hole that can only be
reached by IP address. An IP address alone is not a problem.

On 10/7/05, David Livingston <[EMAIL PROTECTED]> wrote:
> One of the first tactics a "hacker" typically uses is to gather as
> much information about the system they are going to attack as
> possible. If the server is running CF, causing an error can reveal
> all sorts of juicy details that aren't directly dangerous. Put
> together with a few bits of other information though, they could
> reveal a possible attack. One strategy that most security firms/books
> employ is to limit your information exposure as much as possible. The
> less someone knows about your systems the better.  That is probably
> what the consultant was getting at, is that it gave away too much
> info too easily. This is easily fixed by adding a sitewide error
> handler in the CF administrator and just putting up html instead of
> all of the debug info. What I do is set the error page to only show
> debug info if it comes from the office IP address. Not a perfect
> solution but certainly better than just showing everything.
>
> If you are interested in past CF security issues you can do a search
> for coldfusion at securityfocus.com.
>
> http://securityfocus.com/swsearch?sbm=%
> 2F&metaname=alldoc&query=coldfusion&x=0&y=0
>
> My opinion (for what it's worth) is that Macromedia, and Allaire
> before that, have done a good job of writing a secure web scripting
> product and addressing issues when they are presented. Php seems to
> do a good job as well. As for others I can't speak to because I have
> limited experience with them. I have been burned by Microsoft too
> many times to trust them so I typically shy away from ASP or .Net. I
> would like to take this opportunity to thank Macromedia for adding
> linux to their supported OS's. :)
>
> For anyone looking for more info on security I would recommend
> Ultimate Hacking and Ultimate Web Hacking by foundstone.
>
> http://foundstone.com/
>
> Dave
>
>
> On Oct 7, 2005, at 7:50 AM, [EMAIL PROTECTED] wrote:
>
> > I heard a challenge from a security consultant that "if you are
> > using ColdFusion you do not have a secure server."  He maintains
> > that CF is full of things a hacker can access.  For example he gave
> > the following example.   If you attempt to open a CF website with
> > the following command it will generate an error message that gives
> > you the IP address of the CF server:
> >
> > sitename.org/*.cfm
> >
> > I tried this on a wide variety of sites and found that most CF
> > sites return the error with the IP address.  Some, however appear
> > to trap this error somehow.
> >
> > What should be done on a CF server to prevent that type of error
> > exposing the IP address of a CF server?
> >
> > This error is occurring prior to the execution of an application.cfm
> > file in the host root directory so you cannot programmatically trap it.
> >
> >
>
> 

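The site-wide error handler that David describes in the quoted thread, written out as an added example (it is not code from anyone on the list). It assumes the template is registered as the Site-wide Error Handler in the ColdFusion Administrator, that the standard cferror variables (error.message, error.diagnostics, error.template) are available to it, and that the two addresses in the allow list are constructed placeholders for the office address. The point is the one the thread makes: the visitor gets a generic page, the details go to the server log, and the diagnostics are shown only to a known address.

```cfml
<!--- Added example, not from the thread: a site-wide error handler template,
      registered in the CF Administrator. Anonymous visitors get generic HTML
      instead of the default error page (which is what leaks server details,
      including the server's IP address); full detail is written to the server
      log and shown in the browser only to allow-listed addresses.
      The addresses below are constructed placeholders for the office IP. --->
<cfset debugAllowList = "203.0.113.10,203.0.113.11">

<!--- CGI.REMOTE_ADDR is the TCP peer address. Behind a load balancer that is
      the balancer, not the client, so the allow list must be adjusted for that
      deployment. Do not substitute a client-supplied X-Forwarded-For header for
      this check: any visitor can set it, which would reopen the leak. --->
<cfset showDebug = ListFind(debugAllowList, CGI.REMOTE_ADDR) GT 0>

<!--- Standard cferror variables; the cfparams keep the template working
      if ColdFusion does not populate one of them for a given error. --->
<cfparam name="error.message" default="">
<cfparam name="error.diagnostics" default="">
<cfparam name="error.template" default="">

<!--- Keep the full detail in the server log, where operators can read it. --->
<cflog file="sitewide_errors" type="error"
       text="#error.template# | #CGI.REMOTE_ADDR# | #error.message#">

<!--- A real 500 status, so monitoring still sees the failure. --->
<cfheader statuscode="500" statustext="Internal Server Error">
<html>
<body>
<h1>Something went wrong</h1>
<p>The request could not be completed. The problem has been logged.</p>
<cfif showDebug>
  <!--- Diagnostics only for the allow-listed addresses; HTML-escaped so the
        error text itself cannot inject markup into the page. --->
  <cfoutput>
    <pre>#HTMLEditFormat(error.message)#</pre>
    <pre>#HTMLEditFormat(error.diagnostics)#</pre>
  </cfoutput>
</cfif>
</body>
</html>
```

Because the handler is configured in the Administrator rather than in Application.cfm, it also covers the request-parsing errors the original poster describes, which fail before any application code runs.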