10 Ideas to Improve Security in ColdFusion 10
By Pete Freitag
I do a lot of work related to security in ColdFusion and I've been keeping a list of ideas and features that could make a future version of ColdFusion more secure. Here's 10 ideas in no particular order:
- Add an allowedextensions attribute to cffile for action=upload and deprecate the accept attribute - The accept attribute is useless as far as security goes, since the MIME types come from the client and can easily be spoofed (example). This new attribute would simply be a list of file extensions that you allow to be uploaded, e.g. "jpg,png,gif,jpeg".
- Ask for a Windows username to run the ColdFusion services as during installation - The ColdFusion installer already does this on a Unix install, but not on Windows. This should also set up the permissions on the ColdFusion installation directory.
- Update the documentation and verbiage related to ScriptProtect so people don't think it completely protects them from XSS - It's a very weak protection, yet a lot of people think it fully protects them. I think this is due to how it is worded in the CF Administrator and in the documentation.
- Application.cfc variables and CF Administrator settings to specify the domain for session cookies (CFID, CFTOKEN, jsessionid)
- Allow administrators to change the root ColdFusion Administrator username to something other than admin - admin is always the default super user for the ColdFusion Administrator; it would be nice if you could specify an arbitrary username instead.
- Create an audit log for ColdFusion administrator changes.
- Improve ScriptProtect - I know this feature will always be insufficient, but a lot of people use it. It could be improved quite a bit; it should at least block iframe tags!
- Remove the possibility of CRLF injection - Any tag that outputs headers (for example cfmail's subject attribute, or cfmailparam) should strip the CRLF characters so you can't inject new headers. Please vote for bug 83739.
- Make addtoken=false the default for cflocation - Whenever you do a cflocation it puts the session IDs in the URL query string. Users don't know that if they copy and paste the link somewhere, it allows whoever visits the link to be logged in as them.
- Linux installation scripts should detect SELinux and be able to install on SELinux - You can still run ColdFusion on SELinux, but it takes some configuration. (I provided some instructions in the ColdFusion 9 Lockdown Guide that I wrote.)
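Going back to the first idea, here is the server-side allowlist check that an allowedextensions attribute would automate, written by hand with the existing cffile tag. This is an added example and not code from the original post; the form field name "photo" and the upload directory "/var/cf_uploads/" (outside the web root) are assumptions.

```cfml
<!--- Added example, not from the original post: the server-side check an
      allowedextensions attribute would automate, done by hand with the
      existing cffile tag. Assumptions: a form field named "photo" and an
      upload directory "/var/cf_uploads/" that lies outside the web root. --->
<cfset allowedExtensions = "jpg,jpeg,png,gif">
<cfset uploadDir = "/var/cf_uploads/">

<cfif structKeyExists(form, "photo")>
    <!--- No accept attribute: the MIME type it checks is sent by the client
          and can be spoofed, so it adds nothing here. --->
    <cffile action="upload"
            fileField="photo"
            destination="#uploadDir#"
            nameConflict="makeunique"
            result="upload">

    <!--- cffile writes the file to disk before we can inspect it, which is
          why the destination must be outside the web root. serverFileExt is
          the extension of the file as saved on the server, without the dot;
          a file with no extension yields "" and is rejected as well. --->
    <cfif NOT listFindNoCase(allowedExtensions, upload.serverFileExt)>
        <cffile action="delete"
                file="#upload.serverDirectory#/#upload.serverFile#">
        <cfthrow type="UploadRejected"
                 message="Upload rejected: '.#upload.serverFileExt#' is not in the allowed list (#allowedExtensions#).">
    </cfif>

    <cfoutput><p>Stored #upload.serverFile# (#upload.fileSize# bytes).</p></cfoutput>
</cfif>
```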
If you like any of these ideas you can add them to this survey for ColdFusion 10, and feel free to post some more ideas in the comments!
10 Ideas to Improve Security in ColdFusion 10 was first published on June 18, 2010.