May 31, 2013
Firefox Aurora now Supports Content Security Policy 1.0
Today with the release of Mozilla Firefox Aurora 23, support for Content Security Policy or CSP using the unprefixed, W3C standard header Content-Security-Policy has landed. Firefox has had experimental support for CSP since FireFox 4, using the header X-Content-Security-Policy.
May 16, 2013
Writing Secure CFML cfObjective 2013 Slides
Here are the slides to my cf.Objective() 2013 presentation Writing Secure CFML, thanks to those who attended. Please stop by the Foundeo Inc. booth and say hi, if you are at the conference.I will be speaking on Locking Down ColdFusion tomorrow (Friday) at 10:10
April 05, 2013
J2EE Sessions in CF10 Uses Secure Cookies
This week I helped out a client resolve an issue due to a change in behavior from CF9 to CF10. CF10 automatically adds the secure flag to cookies when the request is over a secure HTTPS channel.
March 06, 2013
Learn about ColdFusion Security at cfObjective 2013
For the past two-three months ColdFusion has been increasingly targeted by attackers, as many have found out the hard way. Because my company Foundeo Inc.
March 01, 2013
Session Loss and Session Fixation in ColdFusion
I often find myself explaining how the session fixation security hotfix (APSB11-04) might cause session loss under certain circumstances, so I figured it was time for a blog entry explaining it.
August 01, 2012
Understanding HashDos and postParameterLimit
I received a question today about the postParameterLimit that was added to ColdFusion 8,9 by security hotfix APSB12-06 and exists in ColdFusion 10 by default (it is also configurable in the CF10 administrator).
June 07, 2012
ColdFusion 10 Security Enhancements Presentation
I've given a couple presentations now on the security enhancements in ColdFusion 10. The most recent was today at the Adobe ColdFusion Developer 2012, but I've also given it two other times for a Carahsoft webinar, and for the Carahsoft ColdFusion 10 Preview event in Washington DC.
March 16, 2012
Setup ColdFusion 9.0.1 Fully Patched
Adobe this week released a security hotfix for the HashDos vulnerability for ColdFusion versions 8.0 through 9.0.1. Today I was setting up a new secure ColdFusion instance for a client, and I though I'd document the steps needed to go from ColdFusion 9.0 to ColdFusion 9.0.
December 31, 2011
HashDOS and ColdFusion
Earlier this week at the 28C3 security conference in Berlin researchers presented on a denial of service (DOS) technique that several web application platforms (PHP, ASP.NET, Node.js, Tomcat, Java's HashMap/Hashtable etc) are vulnerable to, known as hashdos.
December 15, 2011
HackMyCF Updated for APSB11-29 Security Hotfix
Adobe released a security hotfix APSB11-29 for ColdFusion 8 and 9 on Tuesday, which fixes two XSS (Cross Site Scripting) vulnerabilities (CVE-2011-2463 and CVE-2011-4368). One vulnerability exists in cfform and the other in RDS.
October 26, 2011
Adobe eSeminar on FuseGuard
Adobe has asked me to do an online e-seminar: Protecting ColdFusion Applications with FuseGuard thursday November 3rd at 10am PT / 1pm ET.If you're curious about FuseGuard and how it works please head over to Adobe.com and register now!
September 20, 2011
Determining Which Cumulative Hotfixes are Installed on ColdFusion
It's not always obvious which Cumulative hotfixes are installed on a ColdFusion server. I'm pleased to announce that the paid subscriptions for HackMyCF now let you know which cumulative (non security) hotfixes you have installed, and which ones you don't.
September 19, 2011
Adding Two Factor Authentication to ColdFusion Administrator
A few months back I was researching two/multi factor authentication solutions to employ to meet PCI compliance, I came across a somewhat new company called DuoSecurity.
September 02, 2011
Bug Loading Scripts for CFFileUpload and CFMediaPlayer
It has recently come to my attention that there are some hard coded references to /CFIDE/scripts/ in some of the JS files that are used by the new (in CF9) tags CFFileUpload and CFMediaPlayer.
July 14, 2011
Client Variable Cookie CFGLOBALS Includes Session Ids
I was recently conducting a CFML security review for a client and realized that when you have client variables set to use Cookies, the session ID's (eg CFIDE and CFTOKEN) are included in the CFGLOBALS cookie.
May 17, 2011
Maximum Security CFML - cfObjective Slides
What a great conference cf.Objective() was this year! The quality of presentations was really good and I think that is due both to the speakers and the content advisory board led by Bob Silverberg and including Barney Boisvert, Dan Wilson, Emily Christiansen, Jason Dean, Kurt Wiersma, Marc Esher.
April 21, 2011
ColdFusion Lockdown Series - Multiple Partitions
One of the most frequent questions I get about the Adobe ColdFusion 9 Lockdown Whitepaper is:Why do you suggest using 3 partitions when installing ColdFusion?
March 17, 2011
ColdFusion's Builtin Enterprise Security API
One of the nice side effects to installing the latest ColdFusion security hotfix is that ColdFusion 8 and ColdFusion 9 now both include the jar files for the OWASP ESAPI or Enterprise Security API.
March 08, 2011
Recent ColdFusion Security Hotfix Updated Today
Adobe has updated the security hotfix that was released last month (February 2011) APSB11-04. The technote states that all users should re-apply the hotfix:Adobe has received a few issues with the Security Hot fix released on February 8, 2011.
February 16, 2011
Java 1.6.0_24 Released Patches DOS Vulnerability
As mentioned last week, a pretty serious Denial Of Service vulnerability in the Java Virtual Machine was disclosed. It is important that you look into resolving this issue if you run any java based server side applications (including ColdFusion).Yesterday Oracle released Java 1.6.
February 09, 2011
Important Java Security Patch Released
Oracle has just released a patch for a critical denial of service vulnerability (CVE-2010-4476) in the Java Runtime.I have confirmed that this is easily exploited on a ColdFusion server running an unpatched JVM. It's very very probable that you have code that could be exploited.
February 01, 2011
HackMyCF Scanner Updated
Yesterday I added some additional functionality to the HackMyCF ColdFusion Server Security Scanner:Now Checks for an exposed WEB-INF directory - The content in the WEB-INF folder should not be served up to the public. If it is under the web root, it must be blocked by the web server.
January 10, 2011
Changing the ColdFusion CFIDE Scripts Location
One of the things that the HackMyCF ColdFusion server security scanner looks for, is if the /CFIDE/scripts/ folder is in it's default location. There have been security vulnerabilities located in this folder in the past, most notably was the FCKEditor Vulnerability in ColdFusion 8.
January 04, 2011
Announcing HackMyCF Paid Subscriptions
Hopefully you are now aware of the service I created in October 2009 called HackMyCF, it's been used to help secure over 3000 ColdFusion servers! If you're not familiar, it is a scanner that looks for security vulnerabilities on your server.
September 17, 2010
HTTP Strict Transport Security
An emerging standard called Strict Transport Security is starting to gain some traction among web browsers. Google Chrome supports it and Firefox is working on it (currently supported in the noscript FF extension).
September 13, 2010
Setting up HTTPOnly Session Cookies for ColdFusion
Internet Explorer pioneered a great security feature for cookies called HTTPOnly, when this flag is set the browser does not allow JavaScript to access the cookie. Now that all modern browsers support this flag it can reduce the risk of session hijacking due to cross site scripting.
August 12, 2010
Path Traversal Vulnerability Security Hotfix for ColdFusion Released
Adobe released a security hotfix for a path traversal vulnerability in ColdFusion administrator (CVE-2010-2861, APSB10-18). On the Adobe security bulletin page it lists affected software versions: ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX.
August 05, 2010
Using AntiSamy with ColdFusion
How do you protect your code from Cross Site Scripting (XSS) when your business requirements state that the user must be able to input HTML? This can be a difficult problem to solve and XSS is very difficult to filter against because there are hundreds of attack vectors.
August 05, 2010
Writing Secure CFML Slides from CFUnited 2010
As promised I just published the slides for my Writing Secure CFML presentation at CFUnited 2010.You can even watch a recording of the presentation brought to you by Tim Cunningham of CFMumboJumbo.com:
August 04, 2010
Locking Down ColdFusion Presentation Slides
The slides for my 2010 CFUnited presentation Locking Down ColdFusion are now available. The presentation is based on the ColDFusion 9 Lockdown Guide whitepaper that I wrote for Adobe. It covers various techniques to make your ColdFusion installation more secure.
July 21, 2010
Cross Domain Data Theft using CSS
FireFox (3.6.7) released today fixed an interesting security vulnerability called Cross Domain Data Theft using CSS discovered by Google security researcher Chris Evans.
June 18, 2010
10 Ideas to Improve Security in ColdFusion 10
I do a lot of work related to security in ColdFusion and I've been keeping a list of ideas and features that could make a future version of ColdFusion more secure.
June 14, 2010
CFMeetup Thursday: Intro to FuseGuard and Web Application Firewalls
I will be presenting at the ColdFusion Meetup online user group this Thursday (June 17th) at Noon Eastern Time. The topic: Introduction to FuseGuard and Web Application Firewalls.
May 13, 2010
How to Disable Robust Exception Information on Railo
As you know one of the first things you should do on a production ColdFusion server is disable robust exception information (this includes things like source code, and file path disclosures in error messages), in the ColdFusion Administrator.
April 28, 2010
Is your ColdFusion Administrator Actually Public?
Every so often I get an email back from someone who ran HackMyCF.com saying something like this:Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true.
April 27, 2010
HackMyCF.com Now Detects BlazeDS Vulnerability
I've just finished updating the HackMyCF.com ColdFusion security scanner to detect the BlaseDS Vulnerability APSB10-05 announced in February 2010. As you hopefully know, this vulnerability also effects ColdFusion 7-9, because it has BlaseDS installed by default.
April 27, 2010
How to tell if a site takes security seriously
Here are some easy ways you can tell if a particular site is serious about security:
March 23, 2010
Last Day to win Free ColdFusion Security Training
As you may have heard, Jason Dean and I are teaching a cf.Objective() pre-conference one-day hands on ColdFusion security training class. We are giving away a seat to the class, and today March 23rd is the last day to enter (you must enter by 5pm Eastern Time), you can enter once per day.
February 16, 2010
Request Filtering in IIS 7 Howto
I've been doing some security work in Windows 2008 recently for a client, one feature I've really come to like in IIS 7 is Request Filtering.You can configure Request Filtering at the server wide level, and then override or enhance the filtering at a site / application level.
February 04, 2010
Hands on ColdFusion Security Training
One of the best ways to really learn about something, is to roll up your sleeves, get your hands dirty. This is especially true for learning about security, it can be difficult to fully understand how attacks work by just reading about it.
January 29, 2010
ColdFusion 9 Solr Vulnerability - Are you at Risk?
Adobe just released a security bulletin APSB10-04 for ColdFusion 9. If you have the Solr Search Service running on a ColdFusion 9 server it binds the Solr Web Service to port 8983 on all IP addresses. Adobe has also released a Technote describing how to fix the issue.
December 10, 2009
CFLogin Security Considerations
If you use the cflogin tag to manage authentication you should consider setting loginstorage="session" in your Application.cfc or Application.cfm file for better security.
November 18, 2009
How to Get a Green SSL Certificate
Just as SSL Certificates were starting to become really inexpensive, they figured out a way to start charging more money again.
November 17, 2009
Slides for NYCFUG Security Presentation
Here are the slides for my Writing Secure CFML presentation given to the New York City ColdFusion Users Group November 10th, 2009. Enjoy.
November 12, 2009
FuseGuard Released - Protects your ColdFusion Apps
I am happy to announce today the release of FuseGuard Web Application Firewall for ColdFusion!FuseGuard 2.
November 10, 2009
Speaking at NYCFUG Tonight - Writing Secure CFML
I will be speaking at the New York City ColdFusion Users Group meeting tonight at 6:30pm on Writing Secure CFML.We will discuss several web application vulnerabilities that ColdFusion developers need to be aware of, and how to prevent them from being exploited in your Web Applications.
October 23, 2009
Howto Require SSL for ColdFusion Administrator
A good security practice is to require SSL for ColdFusion administrator access (an even better practice is to limit access to localhost). This should only take less than five minutes on either Apache or IIS.
October 22, 2009
You May Need to Reapply CF Security Hotfix CVE-2009-1877
Back in August Adobe released a series of ColdFusion security Hotfixes in security bulletin APSB09-12. One of the vulnerabilities that was supposed to be fixed was a Cross Site Scripting vulnerability that I found and reported to Adobe, known as CVE-2009-1877.
October 21, 2009
ColdFusion Server Security Scanner
My company Foundeo Inc. released a new free web service today called HackMyCF that allows you to scan your ColdFusion server to detect the absence of recent ColdFusion security hotfixes as well as other security problems.
October 20, 2009
Prefix Serialized JSON in ColdFusion
When ColdFusion 8 added the ability to return data from remote functions formatted with JSON they also added some settings that allow you to put a prefix on the JSON string.
October 15, 2009
FCKeditor Access Denied
I have a client using the standalone FCKEditor on his server (not the one in /CFIDE/ it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's builtin FCKeditor, the file manager for uploading and inserting images stopped working.
October 08, 2009
IIS: Disabling Weak SSL Protocols and Ciphers
It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards.Requirement 4.
September 30, 2009
Using Railo, Secure The railo-context
If you are using Railo you will want to make sure you have locked down the uri /railo-context/ - this is Railo's equivilent to ColdFusion's /CFIDE/ directory. It contains the Railo Administrator, as well as some other supporting files and mappings.Note: This is one issue that HackMyCF.
August 20, 2009
ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only
There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12.Whether or not this hotfix is required on IIS has been a question posed by many.
August 18, 2009
ColdFusion Security Hotfixes Released
Adobe posted several critical hotfixes for ColdFusion and JRun yesterday in Security Bulletin APSB09-12.I discovered one of the XSS vulnerabilities, and I will post details about it soon. In the mean time, please patch your servers.
August 06, 2009
Security Tradeoffs
I've said it before, tradeoff's pop up in programming all the time. They are often difficult decisions, with no easy answer, and we often make the wrong decision.
July 08, 2009
Hotfix for CF8 FCKeditor Vulnerability Released
Adobe has just released a security hotfix for the FCKeditor vulnerability in Coldfusion 8.Also of Note, Adobe's Terry Ryan posted a blog entry today detailing How to report a ColdFusion Security Issue to Adobe.
July 06, 2009
Hardening ColdFusion - cfObjective 2009 Presentation Slides
I've been meaning to post the slides the presentation I gave at cf.
July 06, 2009
Risks of FCKeditor Vulnerability in CF8
I've had a chance to look at the FCKeditor code a little bit in order to determine what the risks actually are of this vulnerability.
July 03, 2009
ColdFusion 8 FCKeditor Vulnerability
There have been a few stories about a vulnerability in FCKeditor that is bundled with ColdFusion 8, first on SANS and now on The Register.The FCKeditor ColdFusion connector isn't enabled on all CF installations, I think if you installed a fresh 8.0.
June 30, 2009
Firefox 3.5 Introduces Origin Header, Security Features
FireFox 3.5 was just released about a half hour ago. You can checkout all the new features for web developers here.For me, as someone that does a lot of security research one of the most interesting new features is the Origin http header that FireFox 3.5 now sends.
June 24, 2009
Tips for Secure File Uploads with ColdFusion
Allowing someone to upload a file on to your web server is a common requirement, but also a very risky operation. So here are some tips to help make this process more secure.Don't rely on cffile accept attribute
The accept attribute gives a terrible false sense of security.
April 09, 2009
Devnet Article on Securing CF From SQL Injection
I was just reading through this article on Adobe Devnet titled Secure your ColdFusion application against SQL injection attacks, and I have a few issues with the article.
March 26, 2009
Web Application Firewall for ColdFusion Launched
I'm excited to announce today the launch of Foundeo's latest product: the Foundeo Web Application Firewall for ColdFusion. The product can block or log malicious requests to your ColdFusion applications.
July 24, 2008
Mastering CFQUERYPARAM
If you haven't been using the cfqueryparam tag, chances are you had a baptism by fire this week. As you may have heard, lots of ColdFusion powered sites were targeted by hackers using SQL Injection this week.
November 16, 2007
Hash those Passwords
Spry recently had an embarrassing security breach, in which several email addresses and passwords were stolen.To start with it appears that the breach was made through some malware/spyware installed on an employee's office computer.
July 31, 2007
ColdFusion 8 Security Whitepaper
Adobe has published a whitepaper called: ColdFusion 8 Product Security Briefing, which outlines the results of an independent security audit from Information Risk Management Plc.
July 19, 2007
Firefox Now Supports HttpOnly Cookies
You may be surprised to learn that Microsoft Internet Explorer has supported a a security feature called HttpOnly cookies since IE 6 SP1.Firefox 2.0.0.5, which was released just the other day, now supports it.
July 09, 2007
ColdFusion Security Presentation Slides
I want to thank everyone who attended my sessions at CFUnited this year. I was particularly amazed by the turnout for Building Secure CFML Applications. Here are the slides for the presentation.
July 09, 2007
Announcing Web Application Firewall for ColdFusion
I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc) and then logs, filters, or blocks the request.
July 09, 2007
Web Application Security Blog Aggregator
Christian Matthies has recently setup an aggregator for web application security related blogs called Planet Web Security. Highly recommended for staying on top of the latest web application security threats and exploits.
May 29, 2007
CFPARAM for Simple String Validation
With the addition of a dozen new type values for the cfparam tag in ColdFusion 7, it has become a handy tool for validation.I have a little trick for those of you who are using earlier versions of ColdFusion that don't support the new types for validation.
November 02, 2006
The Dangers of Flash's crossdomain.xml
PHP security guru Chris Shiflett has a great post about the dangers of Cross Domain Flash. If you have implemented a crossdomain.xml file you will want to read his post.If you have a crossdomain.
November 02, 2006
Web Application Vulnerabilities trump Buffer Overflows
This should be an eye opener to many. In September Mitre reported that web application vulnerabilities are claiming the top three spots on their CVE request list, beating out Buffer Overflows.Cross Site Scripting (21.5%)SQL Injection (14%)PHP includes (9.5%)Buffer overflows (7.
June 30, 2006
Web Application Security Cheat Sheet
SecGuru has posted a cheat sheet for Web Application Security. There is also an earlier version of the cheat sheet as well.This is a handy reference, but it is good to keep in mind that no book, or article about security is ever exaustive or conclusive.
June 28, 2006
Secure Browsing Mode
Ivan Ristic has posted a proposal on his blog called: Secure Browsing Mode [PDF].In the document Ivan lists some of the possible effects of his proposal:
Eliminate Cross-Site Request Forgery.
Eliminate off-domain information leakage.
June 11, 2006
Amazon CTO on Security
Credit card information should be kept in a physical secure location separate from your other servers with armed guards in front of it (I am not kidding)...
May 17, 2006
Web Form Security and the Middle Man
A friend of mine, Matt Finn, was telling me about a security issue he realized recently.
May 02, 2006
How To Scream Unsecured
I was considering purchasing something from a foreign site today (I'm not going to name names), but then I noticed this link on the order form page:I'm speechless!
April 21, 2006
How to Break Web Software
There is a good presentation on Google Video called How To Break Web Software - A look at security vulnerabilities in web software given by Mike Andrews to Google staff. Mike's book also happens to be called How to break web software.
January 27, 2006
Secure Forms
Chris Shiflett, the author of Essential PHP Security posted a cool idea on his blog about secure forms. His idea was to have browsers show visually that a form action is secure (going to a HTTPS page). A good idea, I hope to see that implemented.
December 06, 2005
Howto Disable the Server Header in IIS
Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article.
December 06, 2005
20 ways to Secure your Apache Configuration
Here are 20 things you can do to make your apache configuration more secure.Disclaimer: The thing about security is that there are no guarantees or absolutes.
November 23, 2005
Top 20 Internet Security Vulnerabilities of 2005
SANS has published a list of the top 20 internet security vulnerabilities of 2005. The list is not however cumulative, it features security vulnerabilities that have been the most prevalent within the past year and a half.
October 13, 2005
MySpace Hacked with CSRF and XSS
It seams that someone recently hacked myspace.com, the ColdFusion powered community site with millions of users.
October 07, 2005
Turn off autocomplete for credit card input
Memo to web developers building sites that accept credit card numbers:Always, always set autocomplete="off" in the input tag.
September 09, 2005
RDS Security Problems?
Erki Esken posted a comment on Ben Forta's blog asking if the source to the RDS plugin for Eclipse would be released. Forta's response was:"But, my gut feel is that it would not be a good idea to fully expose the source for RDS as that may create potential security problems.
August 29, 2005
Portable Web Application Firewall Rule Format
Ivan Ristic, the author of Apache Security, and the mod_security Apache module, and Java Filter, is trying to create a spec called the Portable Web Application Firewall Rule Format.
July 25, 2005
ServerTokens Prod, ServerSignature Off
I tend to forget the syntax every time, but one of the first things I do when I setup an Apache web server is add/edit these two directive in my httpd.
July 19, 2005
Oracle Critical Updates
Oracle has released a critical patch update for several of its products, (database server, enterprise manager, application server, e-business suite, workflow, forms, reports, JInitiator, developer suite, and express server).
June 13, 2005
Free Chapters in Apache Security
Ivan has made two chapters from his book Apache Security available for download. He just released the chapter on secure php configuration, and the chapter on installation and configuration was previously made available.
June 10, 2005
HTTP Request Smuggling (HRS)
WatchFire has released a white paper on HTTP Request Smuggling - a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls).What is HTTP Request Smuggling?
HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices.
May 18, 2005
Detecting SQL Injection with ScriptProtect
It occurred to me this morning that ScriptProtect can be a handy feature for globally catching a few forms of SQL Injection AttacksWARNING - just like its inability to protect against all forms of XSS attacks this solution DOES NOT protect you from all SQL Injection attacks.
May 17, 2005
ScriptProtect in ColdFusion MX 7 not a catch all
ColdFusion MX 7 has a new feature that lets you "lets you protect one or more variable scopes from cross site scripting (XSS) attacks". It can be turned on in the cfapplication tag using the scriptProtect attribute, or in the ColdFusion Administrator as a global setting.
May 11, 2005
Cross Site Request Forgery (CSRF) Attacks
I found a site that has some good security tips for web developers. It mentions one type of attack that doesn't get much attention - called Cross Site Request Forgery (CSRF).
April 27, 2005
Please do not go to this website!
Via Loose Wire - Someone has registered the domain googkle.com, the site attempts to install spyware, viruses, etc.
February 17, 2005
Apache mod_rewrite URLs Also Provide Validation
I Realized something when using Apache mod_rewrite for search engine safe url's, they also provide input type validation. I can use mod_rewrite to ensure that only integers are passed in my url in the id.For example, on my site macread I use url's like: http://macread.
August 19, 2003
Real World Linux Security
I read part of Real World Linux Security this weekend. It's a very detailed book that covers a wide range of security topics, from an author with lots of security experience.
