cfcache security issue?
Hi cfers, We are considering implementing cfcache on our busy site (CF8), but as I understand it, CFMX creates a page on disk for every unique set of URL variables. So what stops a malicious attacker performing an attack where they just flood a cached page with unique URLs? mycached.cfm?id=1 mycached.cfm?id=2 ... mycached.cfm?id= ... ? As I understand it, the machine would cache templates to disk indefinitely. If the cached page is anything significant, it could quickly fill up the disk, crashing the server, causing memory problems as disk space decreases, and causing other significant disruptions. Or, the directory fills up with tens of thousands of files, causing all sorts of other performance issues. Is there any protection against this scenario? Any best practices with cfcache to prevent it? Is there an easy way to bound/limit the resources cfcache can use? Thanks ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335408 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfcache security issue?
Sorry, I should have been clearer -- we need to cache page contents to disk. If cfcache is fundamentally limited and open to such attacks, can anyone suggest an efficient and robust page-caching tag that we can use with CF8? Thanks From: Brian Kotek brian...@gmail.com To: cf-talk cf-talk@houseoffusion.com Sent: Fri, July 16, 2010 9:34:28 AM Subject: Re: cfcache security issue? Use action=clientcache? On Fri, Jul 16, 2010 at 12:11 PM, Spencer K spencer.4...@yahoo.com wrote: Hi cfers, We are considering implementing cfcache on our busy site (CF8), but as I understand it, CFMX creates a page on disk for every unique set of URL variables. So what stops a malicious attacker performing an attack where they just flood a cached page with unique URLs? mycached.cfm?id=1 mycached.cfm?id=2 ... mycached.cfm?id= ... ? As I understand it, the machine would cache templates to disk indefinitely. If the cached page is anything significant, it could quickly fill up the disk, crashing the server, causing memory problems as disk space decreases, and causing other significant disruptions. Or, the directory fills up with tens of thousands of files, causing all sorts of other performance issues. Is there any protection against this scenario? Any best practices with cfcache to prevent it? Is there an easy way to bound/limit the resources cfcache can use? Thanks ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335410 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
ScriptProtect error replacing insecure tag in scope CGI ??
Hi cftalk: We are running CF8. I am seeing a strange application error ScriptProtect error replacing insecure tag in scope CGI. The error occurred on line -1.. Strangely, there are very few google references to this error, and absolutely no explanations / solutions that I can find. We use ScriptProtect = ALL, and most of the time URL/FORM substitution works fine. It converts script to INVALIDTAG as expected, etc. However, we get this ScriptProtect error if we pass in the URL: http://www.SERVER.com/search.cfm?querystring=javascript:alert%28412898284482%29 Clearly this has nothing to do with the CGI scope, so I'm a little confused at why an error is being thrown. Our neo-security.xml file contains this bit, which deals with javascript: var name=javascript: stringjava-script:/string /var Thanks for any help! ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334810 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CF8: Script Protect just doesn't work
Hi, I am running CF8 and can't get script protect to work at all. In CFIDE I have Enable Global Script Protection checked. I also have the following at the top of my Application.cfc: cfset THIS.scriptprotect= ALL / Reboot. That should be enough to protect my app, right? However, it just doesn't work. I can pass in script tags and applet tags and they come through in forms and URLs untouched. Can anyone suggest what might be going on here to prevent my script protect from working? Thank you ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334475 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF8: Script Protect just doesn't work
Well I have narrowed the problem down significantly. It works just fine if I comment out the following lines in my Application.cfc : OnRequestStart: cfset setEncoding(form,ISO8859-1) cfset setEncoding(url,ISO8859-1) cfcontent type = text/html; charset ISO-8859-1 Does anyone have a clue how these are interfering with script protect working? Thanks Hi, I am running CF8 and can't get script protect to work at all. In CFIDE I have Enable Global Script Protection checked. I also have the following at the top of my Application.cfc: cfset THIS.scriptprotect= ALL / Reboot. That should be enough to protect my app, right? However, it just doesn't work. I can pass in script tags and applet tags and they come through in forms and URLs untouched. Can anyone suggest what might be going on here to prevent my script protect from working? Thank you ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334476 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
htaccess is denying CFINCLUDEs??
I have a bit of a puzzle here... I have a set of .cfm includes in /proj_includes To stop people accessing those includes directly, I have an .htaccess file that denies all. The main templates are in the root directory, and they include these templates like this: cfinclude template=/proj_includes/x.cfm What I'm seeing in my apache error log is an error message every time anyone loads that root template. It's saying client denied by server configuration: /proj_includes/x.cfm. That doesn't make sense to me though. CFINCLUDE is something that CF does internally by the file system, isn't it? How on earth is apache getting involved? How does it even KNOW that /proj_includes/x.cfm is being touched? Very confused any thoughts? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334495 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
