10 Ideas to Improve Security in ColdFusion 10
June 18, 2010
I do a lot of work related to security in ColdFusion, and I've been keeping a list of ideas and features that could make a future version of ColdFusion more secure. Here are 10 ideas, in no particular order:
1. Add an allowedextensions attribute to cffile for action=upload and deprecate the accept attribute - The accept attribute is useless as far as security goes, since the MIME type comes from the client and can easily be spoofed (example). The new attribute would simply be a list of file extensions that you allow to be uploaded, e.g. "jpg,png,gif,jpeg".
2. Ask for a Windows username to run the ColdFusion services as during installation - The ColdFusion installer already does this on a Unix install, but not on Windows. This should also set up permissions on the ColdFusion installation directory.
3. Update the documentation and verbiage related to ScriptProtect so people don't think it completely protects them from XSS - It is a very weak protection, yet a lot of people think it fully protects them. I think this is due to how it is worded in the CF Administrator and in the documentation.
4. Add Application.cfc variables and CF Administrator settings to specify httpOnly, secure and domain for the session cookies (CFID, CFTOKEN, jsessionid).
5. Allow administrators to change the root ColdFusion Administrator username to something other than admin - admin is always the default super user for the ColdFusion Administrator; it would be nice if you could specify an arbitrary username instead.
6. Create an audit log for ColdFusion Administrator changes.
7. Improve ScriptProtect - I know this feature will always be insufficient, but a lot of people use it. It could be improved quite a bit; it should at least block iframe tags!
8. Remove the possibility of CRLF injection - Any tag that outputs headers (for example cfheader, cfcontent, cfmail (the subject attribute, or cfmailparam)) should strip CR and LF characters, so you can't inject new headers. Please vote for bug 83739.
9. Make addtoken=false the default for cflocation - Whenever you do a cflocation it puts the session ids in the URL query string. Users don't know that if they copy and paste the link somewhere, it allows whoever visits the link to be logged in as them.
10. Linux installation scripts should detect SELinux and be able to install on SELinux - You can still run ColdFusion on SELinux, but it takes some configuration. (I provided some instructions in the ColdFusion 9 Lockdown Guide that I wrote.)
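As an added example (not code from the original post, and not a real cffile attribute), here is how the allowedextensions idea above can be enforced today: upload to a temporary directory without relying on accept, check the extension of the file that actually landed on disk, and delete anything not on the list before moving it under the web root. The form field name photo, the /uploads/ directory and the "jpg,jpeg,png,gif" list are assumptions.

```cfml
<!--- Added example, not from the original post. Server-side extension
      allow-list for cffile action="upload". The accept attribute is left
      off on purpose: the MIME type it checks is supplied by the client. --->
<cfset allowedExtensions = "jpg,jpeg,png,gif">       <!--- assumption --->
<cfset finalDir = expandPath("/uploads/")>           <!--- assumption --->

<cfif structKeyExists(form, "photo")>
    <!--- Land the file outside the web root first, so a bad upload is
          never requestable, even for the instant before we delete it. --->
    <cffile action="upload"
            fileField="photo"
            destination="#getTempDirectory()#"
            nameConflict="makeUnique"
            result="upload">

    <!--- Check the extension of the file on disk (serverFileExt), not the
          client-supplied MIME type. A missing extension is rejected too. --->
    <cfif NOT len(upload.serverFileExt)
          OR NOT listFindNoCase(allowedExtensions, upload.serverFileExt)>
        <cffile action="delete"
                file="#upload.serverDirectory#/#upload.serverFile#">
        <cfthrow message="File type not allowed: .#upload.serverFileExt#">
    </cfif>

    <!--- Only a file that passed the allow-list is moved under the web root --->
    <cffile action="move"
            source="#upload.serverDirectory#/#upload.serverFile#"
            destination="#finalDir##upload.serverFile#">
</cfif>
```

Because serverFileExt is taken from the name of the file as written, a double extension such as shell.cfm.jpg still ends in jpg and is accepted; if the upload directory is served by a web server that executes on any extension in the name, keep uploads out of the web root entirely and serve them through cfcontent instead.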
If you like any of these ideas you can add them to this survey for ColdFusion 10, and feel free to post some more ideas in the comments!
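An added example, not from the original post, that combines three of the ideas above in one Application.cfc: re-issuing CFID and CFTOKEN through cfheader with HttpOnly and Secure (the workaround until there is a setting for it), stripping CR and LF from a user-supplied value before it reaches cfheader, and redirecting with addtoken="false". It assumes ColdFusion-native sessions rather than J2EE sessions (jsessionid is not covered), a site served only over HTTPS (otherwise drop Secure), a hypothetical url.download parameter, a session.user key set at login, and a /login.cfm page.

```cfml
<!--- Added example, not from the original post. Assumes CF-native sessions,
      an HTTPS-only site, and the hypothetical names noted below. --->
<cfcomponent output="false">
    <cfset this.name = "secureCookiesDemo">
    <cfset this.sessionManagement = true>
    <!--- Stop ColdFusion from writing CFID/CFTOKEN itself; we write them
          below with the flags CF's own cookies do not carry. --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- HttpOnly keeps the ids away from script (XSS); Secure keeps
              them off plain HTTP. Assumption: the site is HTTPS only. --->
        <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HttpOnly;Secure">
        <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HttpOnly;Secure">
    </cffunction>

    <cffunction name="safeHeaderValue" returntype="string" output="false"
                hint="Removes CR and LF so user input cannot start a new header line">
        <cfargument name="value" type="string" required="true">
        <cfreturn reReplace(arguments.value, "[\r\n]", "", "all")>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Hypothetical download handler: the filename comes straight from
              the URL, which is exactly where CRLF injection would come from.
              Quotes are removed as well so the value cannot break out of
              the quoted filename parameter. --->
        <cfif structKeyExists(url, "download")>
            <cfset fileName = replace(safeHeaderValue(url.download), '"', "", "all")>
            <cfheader name="Content-Disposition"
                      value="attachment; filename=""#fileName#""">
        </cfif>

        <!--- Redirect without appending CFID/CFTOKEN to the query string;
              the cookies set above carry the session instead.
              session.user and /login.cfm are assumptions. --->
        <cfif NOT structKeyExists(session, "user")
              AND right(arguments.targetPage, 10) NEQ "/login.cfm">
            <cflocation url="/login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Without the safeHeaderValue call, a request such as ?download=report.pdf%0d%0aSet-Cookie:%20CFID=1 would let the caller append its own header to the response; with it, the two control characters are dropped and the rest of the value is treated as part of the filename.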
Comments
On 06/19/2010 at 2:15:48 AM EDT Hemant wrote:
1
I think #5 is already available in CF. Check http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WSc3ff6d0ea77859461172e0811cbf364104-7ff4.html#WSc3ff6d0ea77859461172e0811cbf3638e6-7fc6
On 06/19/2010 at 11:11:29 PM EDT Mike Sewell wrote:
2
I have run into at LEAST 7/10 of these issues in the last 4 months. The biggest being the illusion of security from using scriptprotect.
On 06/28/2010 at 8:01:51 PM EDT Dominic O'Connor wrote:
3
RE:#7 I agree that iframe should be blocked out of the box, but it's worth mentioning that scriptProtect can be extended in the cfusion/lib/neo-security.xml file. Jason Dean has a comprehensive blog post about it here http://www.12robots.com/index.cfm/2008/9/9/Enhancing-ColdFusion-Script-Protection--Security-Series-10.
Amen on #9. Probably unlikely, though. The CF team takes backwards compatibility pretty seriously, and changing that would break any sites that rely on URL tokens.
On 07/13/2010 at 2:55:12 PM EDT Sami Hoda wrote:
4
CF 9.0.1 (released today) has a minor security enhancement. Read more @ http://www.bytestopshere.com/post.cfm/security-enhancement-in-cf-9-0-1.
On 07/15/2010 at 9:32:31 PM EDT Brandon Moser wrote:
5
@Dominic, if the CF team doesn't want to break backwards compatibility, couldn't a simple checkbox option suffice for the default? I haven't used "addtokens='true'" on any cflocation in the 10 years of CF development. No cookies, no continue.
On 10/08/2010 at 11:11:54 AM EDT Dallas wrote:
6
YES!!! number 9
On 12/17/2010 at 2:25:50 PM EST Jim wrote:
7
With #1, I think the allowedextensions should be in addition to the accept attribute. Having both is better than having one.