Entries Tagged as “Security”
Protecting web applications from CSRF attacks with ColdFusion 10
"Adobe ColdFusion 10" · "productivity" · "Rapid Application Development" · "web application security" · "web programming"
What is CSRF?
Cross-site request forgery (CSRF), also known as a one-click attack or session riding, is an attack that forces an end user to execute unwanted actions on a web application in which he or she is currently authenticated. (More info on the OWASP site.)
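The ColdFusion 10 defence against this is a per-session synchronizer token: csrfGenerateToken() stores a random token in the user's session and csrfVerifyToken() checks that the value posted back matches it. The following is an added example and not the blog's own code; the page names (transfer-form.cfm, transfer.cfm), the form fields, the key "transferForm" and the extra request-method check are assumptions. It requires session management to be enabled in Application.cfc, because the tokens live in the session scope.

```cfml
<!--- transfer-form.cfm (example): embed a per-session anti-CSRF token in the form --->
<!--- Assumes this.sessionManagement = true in Application.cfc; csrfGenerateToken stores the token in the session --->
<cfset token = csrfGenerateToken("transferForm")>
<cfoutput>
<form method="post" action="transfer.cfm">
  <!--- encodeForHTMLAttribute (new in CF10) keeps the token from breaking out of the attribute --->
  <input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute(token)#">
  <label>Amount <input type="text" name="amount"></label>
  <label>To account <input type="text" name="toAccount"></label>
  <button type="submit">Transfer</button>
</form>
</cfoutput>

<!--- transfer.cfm (example): reject any request whose token does not match the session's token --->
<!--- cfparam ensures a missing field is treated as an empty (invalid) token instead of throwing --->
<cfparam name="form.csrfToken" default="">
<cfif cgi.request_method NEQ "POST" OR NOT csrfVerifyToken(form.csrfToken, "transferForm")>
  <!--- A forged cross-site request cannot read the victim's token, so it fails here --->
  <cfheader statuscode="403" statustext="Forbidden">
  <cfabort>
</cfif>
<!--- Token verified: perform the state-changing action (the transfer) here --->
```

The token is tied to the session and to the key, so the same key returns the same token for the rest of the session; passing forceNew=true to csrfGenerateToken() gives a fresh token on every render, which is stricter but breaks a user who has the form open in two tabs. The request-method check is not part of the token mechanism; it simply stops a state-changing action from being reachable through a GET link at all.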
Security Hot-Fix for ColdFusion - March 2012
Today a priority 2 update was released, addressing an important vulnerability in ColdFusion 9.0.1 and earlier. Adobe recommends updating ColdFusion servers. Here is the link to the security bulletin.
This hot-fix addresses the hashDoS issue (denial of service using hash collisions), CVE-2012-0770.
I wanted to cover HashDoS in detail, so I have added a separate entry for it. HashDoS: DoS using Hash Collisions
New way to add Sandbox permissions for Users with RDS access
Adding users for Administrator and RDS access was a very nice enhancement in ColdFusion 8. With it, the root Administrator can create multiple users with different roles.
The need for multiple users is self-explanatory. A user can be added to the Administrator and given access based on role. Remote Development Services (RDS) access should be granted if a user needs to connect from ColdFusion Builder, Dreamweaver, etc.
Up to ColdFusion 9.0.1 it was possible to grant these users access to certain Sandboxes.
This has changed in ColdFusion 10. There is no longer a need to grant access to Sandboxes. Instead, when RDS access is enabled for a user, access to data sources and to files/directories must be granted explicitly; otherwise the user will be able to access the full drive through RDS. Because these settings exist for RDS, they cannot be added, modified or deleted while RDS access is disabled for the user.
Follow my blog here to see what's changed.
New & Improved CFLogin
With ColdFusion 10 cflogin is improved and more secure. The authorization cookie used by cflogin with loginstorage="cookie" is much more secure. The authorization cookie:
· Is set to have a short time to live.
· Now expires by default on browser close; this can be configured using the cookie settings discussed before.
· Is HttpOnly by default for the CF Administrator console. For other applications, there is provision to configure it.
There are however some behavioral changes. Read here for further information.
How to Secure ColdFusion Session Cookies with Adobe ColdFusion 10
With ColdFusion 10, developers can have a much stronger relationship with security. There are many features in ColdFusion 10 that help developers and administrators create secure applications, and they are very simple APIs and configurations to use. I will start this series today to discuss them from my perspective.
The first and most basic in this series is Handling Sessions Securely.
For ColdFusion sessions there are two tokens, CFID and CFTOKEN. CFTOKEN is randomized in ColdFusion 10 by default. Remember the option "Use UUID for cftoken" in CF Administrator -> Settings; it is now checked by default.
Cookies are by default not very secure. They are vulnerable for various reasons: cookies are stored in plain text, they can be modified by the user, they can sit on the client for a long time, they can be accessed by JavaScript, etc. So if cookies are insecure, what should we do? Fortunately there are configurations that can make cookies more secure. To see how to enable and set them in ColdFusion 10, read further here.
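The session-cookie settings described here and the cflogin authorization-cookie settings from the "New & Improved CFLogin" entry above are both set per application in Application.cfc. The following Application.cfc is an added example and not the blog's or Adobe's code: the setting names (this.sessioncookie.httponly, .secure, .disableupdate and this.authcookie.disableupdate) are ColdFusion 10's documented application settings; the application name and session timeout are assumptions.

```cfml
// Application.cfc (example): ColdFusion 10 cookie hardening for CFID/CFTOKEN and the cflogin cookie
component {
    this.name = "secureCookieDemo";                 // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0); // assumed: 30-minute server-side session
    this.loginStorage = "cookie";                   // cflogin keeps its authorization in a cookie

    // Session cookie (CFID/CFTOKEN) settings, new in ColdFusion 10
    this.sessioncookie = {
        httpOnly = true,       // cookie is not readable from JavaScript (document.cookie)
        secure = true,         // cookie is only sent over HTTPS; assumes the site is served over TLS
        disableUpdate = true   // cfcookie/cfheader in application code cannot overwrite CFID/CFTOKEN
        // timeout is left at its default, so the cookie is a browser-session cookie
    };

    // cflogin authorization cookie settings, new in ColdFusion 10
    this.authcookie = {
        disableUpdate = true   // the authorization cookie cannot be overwritten via cfcookie/cfheader
        // timeout is left at its default, so it expires when the browser is closed
    };
}
```

With secure = true the browser never sends CFID/CFTOKEN over plain HTTP, so a site that still serves some pages without TLS will appear to lose its session on those pages; switch the whole application to HTTPS before enabling it. The same options exist server-wide in the ColdFusion Administrator under Server Settings > Memory Variables, where they apply to every application on the server.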