On 10/7/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I heard a challenge from a security consultant that "if you are using
> ColdFusion you do not have a secure server." He maintains that CF is full of
> things a hacker can access. For example he gave the following example. If
> you attempt to open a CF website with the following command it will generate
> an error message that gives you the IP address of the CF server:
>
> sitename.org/*.cfm
>
> I tried this on a wide variety of sites and found that most CF sites return
> the error with the IP address. Some, however, appear to trap this error
> somehow.

On Apache 2 (Win or *nix) with MX7 it does not return an IP. On IIS4
(WinNT4.5) with CF4.5 it does not return an IP. I'm guessing you're looking
at sites that either
a) have debugging turned on
b) don't have (site-wide/missing template) error handlers
c) both of the above

> What should be done on a CF server to prevent that type of error exposing the
> IP address of a CF server?

Umm, you and your "security consultant" both realize that if it's a publicly
accessible ColdFusion server (e.g. a box running a web server and CF that
allows HTTP traffic to it) its IP address is *always* exposed. You know,
through DNS -- the thing that makes the Internet work.

> This error is occurring prior to the execution of an application.cfm file in
> the host root directory so you cannot programmatically trap it.

Sure you can. You've got a whole layer of application you can work with --
the web server. Especially on Apache (which I know far better) you can
control the behavior of error pages with fine-grained control to look like
whatever you want. You can filter using mod_rewrite or equiv. You can use one
of the security adaptors for Apache. There are tons of possibilities. Plus on
CFMX you have the capability of using servlet filters to preprocess (or
postprocess) requests to filter/change/modify anything you want.

Good security consultants do not make absolute claims like the one your
"security consultant" did. ColdFusion can be hacked like any other
application -- but outside of things like cross-site scripting and SQL
injection, you're not likely to have your *server* compromised by CF problems
(now your *application* can be hacked, but that's different). Web server
cracks let folks take over your server -- and then launch further attacks on
the rest of your network. There are some scenarios that let CFMX cause real
problems (eg arbitrary file upload) but those are security vulnerabilities
from programming errors and are possible in most languages, not just CF.
You may wish to take a look at http://www.owasp.org, the Open Web Application
Security Project, which has a lot of resources for securing your web
applications.

--
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]
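As an added illustration of the web-server-layer approach the reply describes (this is not configuration from the thread or from any of its posters), here is an Apache 2 fragment that stops a request like /*.cfm, or one for a template that does not exist, from ever reaching ColdFusion, so CF's own verbose error page is never produced. It assumes the usual CFMX/Apache connector layout where the .cfm templates live under DocumentRoot, that mod_rewrite is loaded, and that the /errors/*.html paths are static pages of your own (placeholders).

```apache
# Answer bad requests in Apache before the connector hands them to CF, so
# the ColdFusion error page (the one carrying the server IP) is never sent.
# Put this inside the site's <VirtualHost>.

# Static, back-end-neutral responses for errors Apache itself raises,
# including the ones produced by the rewrite rules below.
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

RewriteEngine On

# 1. A real template name never contains a wildcard, angle bracket or pipe;
#    a path such as /*.cfm is refused with 403 before ColdFusion sees it.
RewriteCond %{REQUEST_URI} [*<>|]
RewriteRule .* - [F,L]

# 2. Only forward .cfm requests for templates that actually exist on disk.
#    A missing template gets Apache's generic 404 page rather than CF's
#    "file not found" page. (Drop this rule if the site maps virtual URLs
#    onto a single template via a front controller.)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule \.cfm$ - [R=404,L]
```

A non-redirect status on the R flag needs Apache 2.2 or later; on 2.0 use the G flag (410 Gone) in the last rule instead. Complement this with the site-wide error handler in the CF Administrator and debugging output turned off, which the reply names as the settings that make the difference on the sites that do leak.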

