10 Ideas to Improve Security in ColdFusion 10
I do a lot of work related to security in ColdFusion and I've been keeping a list of ideas and features that could make a future version of ColdFusion more secure. Here are 10 ideas in no particular order:
- Add an allowedextensions attribute to cffile for action=upload and deprecate the accept attribute - The accept attribute is useless as far as security goes since the mime types come from the client; you can easily spoof this (example). This new attribute would simply be a list of file extensions that you allow to be uploaded, e.g. "jpg,png,gif,jpeg".
- Ask for a Windows username to run ColdFusion services as during installation - The ColdFusion installer already does this on a Unix install, but not on Windows. This should set up permissions on the ColdFusion installation directory.
- Update documentation and verbiage related to ScriptProtect so people don't think it completely protects you from XSS - It's a very weak protection, yet a lot of people think it fully protects them. I think this is due to how it is worded in the CF Administrator and documentation.
- Application.cfc variables and CF Administrator settings to specify the domain for session cookies (CFID, CFTOKEN, jsessionid)
- Allow administrators to change the root ColdFusion Administrator username to something other than admin - Admin is always the default super user for the ColdFusion Administrator; it would be nice if you could specify an arbitrary username instead.
- Create an audit log for ColdFusion administrator changes.
- Improve ScriptProtect - I know this feature will always be insufficient, but a lot of people use it. It could be improved quite a bit; it should at least block iframe tags!
- Remove the possibility of CRLF injection - Any tag that outputs headers (for example cfmail (the subject attribute, or cfmailparam)) should strip the CRLF characters, so you can't inject new headers. Please vote for bug 83739.
- Make addtoken=false the default for cflocation - Whenever you do a cflocation it puts the session ids in the URL query string. Users don't know that if they copy and paste the link somewhere, it allows whoever visits the link to be logged in as them.
- Linux installation scripts should detect SELinux and be able to install on SELinux - You can still run ColdFusion on SELinux but it takes some configuration. (I provided some instructions in the ColdFusion 9 Lockdown Guide that I wrote.)
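As an added example (not code from the original post), here is the check that the allowedextensions idea in item 1 describes, done by hand in CFML: the upload lands in a directory outside the web root, and the decision is made on the extension of the stored file name rather than the client-supplied MIME type that accept relies on. The form field name and the use of the temp directory are assumptions.

```cfml
<cfscript>
// Added example, not from the original post. Does what an allowedextensions
// attribute would do: allow-list the stored file's extension and ignore the
// client-supplied MIME type (result.contentType), which is what accept checks.
// The form field name and upload directory are assumptions.
function uploadWithAllowList(required string fileField, required string allowedExtensions) {
    // Land the file outside the web root so it cannot be requested before it is checked.
    var uploadDir = getTempDirectory();
    var result = fileUpload(uploadDir, fileField, "", "makeUnique");
    var storedPath = result.serverDirectory & "/" & result.serverFile;

    // serverFileExt is the extension of the name the file was stored under;
    // a missing extension is rejected along with anything not on the list.
    if (!len(result.serverFileExt) || !listFindNoCase(allowedExtensions, result.serverFileExt)) {
        fileDelete(storedPath);
        throw(type="UploadRejected",
              message="File type not allowed",
              detail="Rejected extension: " & result.serverFileExt);
    }
    return storedPath;
}

// Usage with the same allow-list the post gives as its example value.
try {
    savedFile = uploadWithAllowList("photo", "jpg,png,gif,jpeg");
    writeOutput("Stored: " & htmlEditFormat(savedFile));
} catch (UploadRejected e) {
    writeOutput(htmlEditFormat(e.message));
}
</cfscript>
```

The file stays in the temp directory until the check passes; moving it to its final location only after validation keeps a rejected upload from ever being reachable by URL.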
If you like any of these ideas you can add them to this survey for ColdFusion 10, and feel free to post some more ideas in the comments!
Jason Dean has a comprehensive blog post about it here http://www.12robots.com/index.cfm/2008/9/9/Enhancing-ColdFusion-Script-Protection--Security-Series-10.
Amen on #9. Probably unlikely, though. The CF team takes backwards compatibility pretty seriously, and changing that would break any sites that rely on URL tokens.