Entries Tagged as “ Security”

Updates for ColdFusion 11, ColdFusion 10 and ColdFusion 9 released

October 14, 2014 / Krishna Reddy

  Security | Adobe ColdFusion | Adobe ColdFusion 10 | Adobe ColdFusion 11 | ColdFusion | ColdFusion 11

The following ColdFusion updates are now available for download:

ColdFusion 11 Update 2

This update contains fixes for vulnerabilites mentioned in the security bulletin APSB14-23.

For the details refer this technote.

ColdFusion 10 Update 14

This update includes Tomcat upgrade to 7.0.54, Tomcat connector upgrade to 1.2.40, support for JDK 8 and Apache 2.4.x, fixes for vulnerabilites mentioned in the security bulletin APSB14-23 and fixes for 63 other bugs.

For the details refer this technote.

ColdFusion 9.0.2, ColdFusion 9.0.1 and ColdFusion 9.0 security update

This update contains fixes for vulnerabilities mentioned in the security bulletin APSB14-23.

For the details refer this technote.

 


Security Enhancements in ColdFusion Splendor - PBKDF2 and AntiSamy

April 07, 2014 / Pavankumar

  Security | ColdFusion 11 | Splendor | web application security

ColdFusion 11 added few more security functions to the rich set of coldfusion security functions. Some of them includes protection against XSS using AntiSamy framework, PBKDF2 key derivation etc. In this blog post we will introduce you to the Antisamy and PBKDF2 key derivation functions added in coldfusion Splendor.

AntiSamy Support:

If there is a need to accept HTML/CSS input from the user then there is high possibility that the input containing XSS. In this case We can not use encoding functions as the HTML/CSS as the input need to be rendered by the browser. AntiSamy API provides an input validation technique which helps programmer to verify user-driven HTML/CSS input markup using a whitelist policy to ensure the input does not contain XSS. Antisamy validates using a policy file in which we can specify which HTML tags, attributes, css properties are allowed in the given input. The policy gives us more control on input validation/sanitization by providing directives,  regular expressions, rules for htmt tags and css properties . AntiSamy provides some example policy files which can be downloaded from here. They can be modified to suit your own project requirements. Check AntiSamy developer guide to know more about policy files.

Two new functions isSafeHTML and getSafeHTML were added which validates and cleans the given unsafe html as per the given policy.

isSafeHTML can be used to know whether the given input markup is in accordance with the rules specified in the antisamy policy. Returns true if valid else false if any violations are found.

getSafeHTML sanitizes the given input based on the the rules specified in an antisamy policy file. Returns cleanHTML string by cleaning the input against the defined policy.

The function syntax as below:

getSafeHTML(input [, PolicyFile ], throwOnError])
isSafeHTML(input [, PolicyFile ])
where

input      The HTML input markup text to sanitize/validate.

PolicyFile (Optional)      Specify the path to the AntiSamy policy file. Given path can be an absolute path or a relative to the Application.cfc/cfc.Given path can be an absolute path or a relative to the Application.cfc/cfc.In case if not specified, there is a provision to set this at application level. Else the default policy file shipped with ColdFusion will be used. Default policy antisamybasic.xml can be found in the lib directory.

throwOnError (Optional)       If set to true and given input violates the allowed HTML rules specified in the policy file an exception will be thrown. The exception message contains the list of violations raised because of the input. If set to false ignores the exception returns the HTML content filtered, cleaned according to the policy rules. Defaults to false.

Policy file can be set at application level using the key this.security.antisamypolicy in Application.cfc. The value must be an absolute path to the policy file or relative to the Application.cfc/cfm.

<cfcomponent>
<cfset this.security.antisamypolicy = "antisamy.xml">
</cfcomponent>

Here is a simple example which uses antisamy-tinymce.xml policy which allows many text formatting tags ,simple css properties and disallows javascript.

<!--- I am just using static input in this example when using this replace it with the relevant form parameter --->
<cfset unsafeHTML = "<script>alert('lorem ipsum lorem ipsum');</script><b>lorem ipsum lorem ipsum</b>">
<cfset isSafe = isSafeHTML(unsafeHTML)>
<cfset SafeHTML = getSafeHTML(unsafeHTML , "", false)>
 
<!--- returns No and provides the clean html as <b>lorem ipsum lorem ipsum</b> removes script from input  --->
<cfoutput> is Safe : #isSafe# Safe HTML : #SafeHTML# </cfoutput>
<cftry>
    <cfset SafeHTML = getSafeHTML(unsafeHTML , "", true)>
<cfcatch type="Application">
<!--- if throwOnError is true get the erros as specified below --->
<cfoutput>
    Errors in the input: <br/> #cfcatch.detail#
</cfoutput>
</cfcatch>
</cftry>

More detailed information and examples on antisamy can be found from here.

PBKDF2 Key Derivation:

PBKDF2 (Password based key derivation function) is a key derivation function which can be used to derive a cryptographic random key of desired key size from the humany-manageable passwords. PBKDF2 is widely used for generating random cryptography keys which can be used as key to encryption and HMAC algorithms. The function syntax as below

GeneratePBKDFKey(algorithm, inputString, salt, iterations, keysize)

algorithm
The encryption algorithm used to generate the encryption key. Supported algorithms are PBKDF2WithHmacSHA1, PBKDF2WithSHA1, PBKDF2WithSHA224,  PBKDF2WithSHA256,PBKDF2WithSHA384, PBKDF2WithSHA512.

inputString
Specify the input string (password/pass-phrase) which will be used for deriving the encryption key.

salt
Random cryptographic salt. Recommended length is 64 bits (8 characters) and must be randomly generated using a pseudo random number generator.

iterations
Desired Number of Iterations to perform the cryptographic operation. The minimum recommended number of iterations is 1000.

keySize
Desired arbitrary key length size in bits.

Below example shows how to derive a 192 bit encryption key from the given password. Then we are using key to encrypt and decrypt the data using AES algorithm. No need to store the encryption key as it will be derived from the password.

salt="A41n9t0Q";
        <!--- hard coding the password but in real password should be from some form parameter ---> 
	password = "Password@123";
	PBKDFalgorithm = "PBKDF2WithSHA224";
	dataToEncrypt= "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua";
	encryptionAlgorithm = "AES";
	derivedKey = GeneratePBKDFKey(PBKDFalgorithm ,password ,salt,4096,192);
	writeOutput("Generated PBKDFKey (Base 64) : " & derivedKey);
	encryptedData = encrypt(dataToEncrypt, derivedKey, encryptionAlgorithm, "BASE64");
	writeoutput("Data After Encryption: " & encryptedData);

        
	salt="A41n9t0Q";
	password = "Password@123";
	PBEalgorithm = "PBKDF2WithSHA224";
	derivedKey = GeneratePBKDFKey(PBKDFalgorithm ,password ,salt,4096,192);
	decryptedData = decrypt(encryptedData, derivedKey, encryptionAlgorithm, "BASE64");
	writeoutput("Data After Decryption: " & decryptedData);


More information and examples on PBKDF2 can be found from here.


Unsafe random bit generation algorithms

December 18, 2013 / Pavankumar

  Security | Adobe ColdFusion 10

ColdFusion Enterprise installation includes FIPS compliant RSA BSAFE JCE Crypto Provider. Default algorithm used by this library for random number generation is ECDRBG (A variant of Dual Elliptic Curve).  RSA has released an advisory regarding same (ESA-2013-068) listing unsafe random bit generation algorithms. 

ColdFusion sets the default random number generator algorithm to FIPS186Random (JVM argument -Dcoldfusion.jsafe.defaultalgo=<algorithm>) which is completely safe to use.  So good news is by default your ColdFusion 10 installation is secure. Note that CrypotJ libraries are not available in Standard installation of ColdFusion. 

ColdFusion 9 family uses BSafe library 3.6 which doesn’t make use of ECDRBG based algorithms. It uses SHA1PRNG as default random number generation algorithm. There is no impact on coldfusion 9. JVM argument -Dcoldfusion.jsafe.defaultalgo is not available in ColdFusion 9 family.

Following table lists unsafe random bit generation algorithms.

Algorithm Identifier Algorithm
ECDRBG Dual EC DRBG (128 Bit)
ECDRBG128 Dual EC DRBG (128 Bit Default)
ECDRBG192 Dual EC DRBG (192 bit)
ECDRBG256 Dual EC DRBG (256 bit)

Pete from CF community has also blogged about the same here

Other Links:

http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-A%20Rev%201%20B%20and%20C

http://en.wikipedia.org/wiki/Dual_EC_DRBG


New Security Update Available for ColdFusion 9.0, 9.0.1, 9.0.2 and 10

November 12, 2013 / Pavankumar

  Security | Adobe ColdFusion | Adobe ColdFusion 10 | Announcements | Hotfix | Updates | web application security

New security update is available for coldfusion versions 9.0, 9.0.1, 9.0.2 and 10.0. This hotfix addresses the security issues specified in the technote here. Here is the link to the security bulletin for this hotfix. It also includes few important bug fixes for coldfusion 10 as specified here.

We recommend locking down your server by following the lock down guide and disable unused features in the production environments. 


E-seminar on Security Best Practices for ColdFusion

July 24, 2013 / Shilpi Khariwal

  Security | Adobe ColdFusion | e-seminar | web application security

Recording for e-seminar with Title: Security Best Practices for ColdFusion is available now. See the complete session here.

 

You can also get the slides here.


Blue Mango Theme Design By Mark Aplet

Super Powered by Mango Blog