
Security

  • How can I encrypt my ColdFusion templates so other people can't view the source code?
  • How can I make passwords for user logins?
  • How can I password-protect parts of a website using ColdFusion?
  • How secure is encrypting ColdFusion templates?
  • I've forgotten the ColdFusion Administrator password. What can I do?
  • Are there any companies that run security checks on servers?
  • How can I check for the existence of files on a server that could be used maliciously by a hacker?
  • How does the ColdFusion service interact with IIS in terms of security?
  • What basic security steps should I take to make sure a ColdFusion server is secure?
  • Where can I find out how to improve the security of my IIS installation?
    Beginner

    How can I encrypt my ColdFusion templates so other people can't view the source code?

    In your CFInstallFolder\Bin\ directory there is a program called cfencode.exe. Run it from a command prompt and it prints instructions on how to use it; it will encode your template so that the source is no longer readable as plain text. Be aware that this is an encoding rather than real encryption, and it can be reversed: see "How secure is encrypting ColdFusion templates?" below before you rely on it to hide anything sensitive such as database passwords.

    There is a tutorial at
    http://cfhub.com/tutorials/cfencode/


    How can I make passwords for user logins?

    Use CF_RandomPassword. It's a custom tag that generates a new password every time it's run, and you can alter the formatting of the password it produces.

    Alternatively, obtain CF_EzPassword. It does not require a database or client/session management, so you can set it up quickly and run it on any server running ColdFusion 4 or higher without any additional installation. CF_EzPassword works by storing an encrypted string in the user's browser as a cookie, and it lets you specify the key used for the encryption. Bear in mind that the protection is only as strong as that key and as ColdFusion's Encrypt() function, so keep the key out of any template or include a visitor could retrieve, and change it if you suspect it has leaked.
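    The point a generator tag like CF_RandomPassword has to get right is the source of randomness: a general-purpose random() seeded from the clock produces passwords an attacker can reproduce. The following is an added example, written in Python rather than CFML and not the code of either tag; its pattern letters (a, A, 9, #, x) are this example's own convention, standing in for the formatting options such a tag offers.

```python
"""Generate login passwords from a format pattern with the OS CSPRNG.

Added example; not the CF_RandomPassword or CF_EzPassword tag. The pattern
letters below are this example's own convention (an assumption), standing in
for the formatting options a generator tag offers.
"""
import math
import secrets
import string

# Pattern character -> set of characters allowed at that position.
CLASSES = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "9": string.digits,
    "#": "!@$%^&*-_=+",                       # symbols that survive URL/form posting
    "x": string.ascii_letters + string.digits,
}


def generate_password(pattern: str = "Aaaaa9999#xx") -> str:
    """Return a password whose n-th character is drawn from CLASSES[pattern[n]].

    Characters not in CLASSES (e.g. "-") are copied literally as separators.
    secrets.choice reads os.urandom; random.choice is seeded predictably and
    must never be used to mint credentials.
    """
    return "".join(secrets.choice(CLASSES[p]) if p in CLASSES else p
                   for p in pattern)


def matches_pattern(password: str, pattern: str) -> bool:
    """True if every character of `password` is allowed at its position."""
    if len(password) != len(pattern):
        return False
    return all((c in CLASSES[p]) if p in CLASSES else (c == p)
               for c, p in zip(password, pattern))


def entropy_bits(pattern: str) -> float:
    """Bits of entropy the pattern yields: log2 of the product of class sizes.

    Literal separators add nothing; an attacker who knows the format simply
    skips them, so judge a format by this number rather than by its length.
    """
    return sum(math.log2(len(CLASSES[p])) for p in pattern if p in CLASSES)


if __name__ == "__main__":
    fmt = "Aaaaa-9999#xx"
    print(generate_password(fmt), f"({entropy_bits(fmt):.1f} bits)")
```

    Whatever generates the password, the format is public knowledge once a few accounts exist, so the entropy figure, not the visible length, is what an attacker has to beat; the default pattern above yields a little over 52 bits.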


    How can I password-protect parts of a website using ColdFusion?

    You can use a custom tag called CF_Login. You need to set up a DSN with a UserID/Password table if you haven't done so already.

    http://www.cftutorials.org/ Tutorial on login systems
    http://www.cfnews.net/ Guide to login with CF

    Here's a simple security template design I created for ACFUG. You are welcome to take a look at it if you want. The simple Access DB needs to be created as a datasource called "SampleDB". It uses session variables and requires CF4. It's not a solution for all apps, but it gives an idea of a general security structure. All the login sequence info is stored in the _Login.cfm file, which is simply included in the application.cfm file. There are a few other goodies that will make your life easier in the application.cfm file as well. Basically, it verifies your login against a database UN+PW entry, and then stores that user's vitals in a single session variable as a structure (query).
    http://www.berryalumni.com/cf/security.zip

    Tutorials/example apps
    http://www.acfug.org/downloads/acfug062399.zip
    http://www.sccfug.org/p/documents/SecurityApplicationShell.zip


    How secure is encrypting ColdFusion templates?

    Not at all. cfencode only obfuscates the template, and since the advent of the decrypt utility any encoded template can be turned back into plain source. Treat it as a deterrent to casual browsing, not as protection for anything secret (database passwords, keys, business logic). See why at Shrewm.


    I've forgotten the ColdFusion Administrator password. What can I do?

    In ColdFusion MX, open the file C:\Program Files\ColdFusionMX\lib\neo-security.xml. Alter

    <var name="admin.security.enabled">
       <boolean value="true" />
    </var>

    to read

    <var name="admin.security.enabled">
       <boolean value="false" />
    </var>

    Restart the ColdFusion MX Application Server service. You can then open the ColdFusion Administrator without being prompted for a password. While the flag is false, anyone who can reach the Administrator URL has the same access, so do this with the server off the network or with access to the Administrator restricted, and finish the procedure promptly. Enter the new password twice, but don't check the Use a ColdFusion Password box. Click the Submit button and close the browser window. Edit the admin.security.enabled node in neo-security.xml back to true and restart the ColdFusion MX Application Server service again. You will then be able to access the ColdFusion Administrator by supplying the new password.

    As a side note, I found that just ticking the Use a ColdFusion Password box in the Administrator just displayed a message saying "Unable to change password" and bombed me out. The procedure above seems to work fine, though.

    In ColdFusion 5 Server and earlier, run regedit and go to

    HKLM\Software\Allaire\ColdFusion\CurrentVersion\Server

    Change UseAdminPassword from 1 to 0. This will allow you to get into your ColdFusion Administrator without being asked for a password.

    Remember to turn on password protection from the Administrator once you get in and change the password.


    Advanced

    Are there any companies that run security checks on servers?

    http://www.iss.net/ ISS
    http://www.l0pht.com/ L0pht Heavy Industries
    http://www.trustedsystems.com/ Trusted Systems
    http://www.netcraft.com/security/
    http://www.nmrc.org/
    http://www.pharlap.com/
    http://www.eeye.com/


    How can I check for the existence of files on a server that could be used maliciously by a hacker?

    When you install ColdFusion Server, you are given the option of installing the online documentation and sample applications. If you choose to install them, they are placed in the CFDOCS directory just below the web root, which means anyone who can reach the site can request them.

    Installing the sample applications on a live server is never a good idea, as they could be exploited maliciously. If they are already there, remove the CFDOCS directory or at least put IIS/NT access control in front of it.

    MunchkinLAN is a ColdFusion-based security viewer from http://www.houseoffusion.com/. It allows you to enter a domain name and test whether certain vulnerable files exist on that domain.


    How does the ColdFusion service interact with IIS in terms of security?

    CF runs as a separate service, but it also integrates with IIS using an ISAPI extension. The ISAPI extension runs in-process with IIS, just like the ASP engine, and when a request is received that is mapped to the file extension associated with the ISAPI extension (typically .cfm and .dbm, although those can be changed in the IIS management console), the request is forwarded to the CF service for processing.

    IIS and NT security are used to determine whether the user can request the file in the first place. This happens before the request is forwarded to the CF service. So, you'll generally follow the same procedure for securing CF applications with ACLs that you would with an ASP application.

    CF, by default, runs as a service under the LocalSystem account, so a compromised template inherits full control of the machine. You can change this to a dedicated low-privilege account, and should consider doing so; instructions are available at
    http://www.defusion.com/articles/index.cfm?ArticleID=89


    What basic security steps should I take to make sure a ColdFusion server is secure?

    The only way to prevent being hacked is to secure your site. There are a few rules here:

    • Remove all example applications from live machines.
    • Review all security docs from Phrack, L0pht, HoF and Allaire (the last two assuming you're using CF).
    • Use a hacking script to see if there are any obvious holes.
    • If you're really worried, have a security expert come in to review your setup.

    As long as you have removed all of the CFDOCS (or password-protected them), checked your DB permissions (the DSN not connecting as sa), upgraded to MDAC 2.1 (if using Access), and have not left any of your own templates open to misuse (file uploaders and the like), then CF is rather secure. The only times people have walked into a server through CF have been when one of these holes was present.
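    The "hacking script" step above, and the earlier question about checking for files that could be used maliciously, both come down to probing the site for the CFDOCS tree. The following is an added example in Python, not MunchkinLAN or any other tool named on this page. The path list is an assumption built from the CFDOCS layout described above (extend it with whatever your own installer dropped under the web root), and the fetcher is injectable so the scan runs offline here against a constructed fake server. It also handles the case that trips up naive probes: a server with a "friendly" catch-all error page answers 200 for everything, so a random name that cannot exist is requested first and the results are flagged unreliable if it comes back found.

```python
"""Probe a web server for ColdFusion documentation and sample files.

Added example, not MunchkinLAN or any other tool named on the page.
The fetcher is injected so the scan can run offline against a constructed
fake server; pass http_status to probe a real host you are allowed to test.
"""
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# Paths to probe, relative to the site root. Assumption: the CFDOCS tree
# sits directly under the web root, as the answer above describes; add
# whatever else your installer dropped there.
DEFAULT_PATHS: Tuple[str, ...] = (
    "/CFDOCS/",
    "/CFDOCS/index.htm",
    "/CFDOCS/exampleapp/",
    "/CFDOCS/snippets/",
)

Fetcher = Callable[[str], int]  # url -> HTTP status code, 0 if unreachable


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher: send a HEAD request and return the status code."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:      # 4xx/5xx still carry a code
        return err.code
    except (urllib.error.URLError, OSError):
        return 0


def fake_server(responses: Dict[str, int], default: int = 404) -> Fetcher:
    """Offline fetcher built from a constructed path -> status map."""
    def fetch(url: str) -> int:
        return responses.get(urllib.parse.urlsplit(url).path, default)
    return fetch


def scan(base: str, fetch: Fetcher,
         paths: Iterable[str] = DEFAULT_PATHS) -> Dict[str, object]:
    """Report which paths exist on `base`.

    found      2xx/3xx: the file or directory is served to anyone.
    protected  401/403: present, but IIS/NT security is in front of it
               (the "or password-protected them" case in the answer above).
    reliable   False if a random, certainly-absent name also came back
               2xx/3xx: a catch-all error page makes every probe look like
               a hit, so the found list cannot be trusted.
    """
    base = base.rstrip("/")
    canary = "/" + secrets.token_hex(8) + ".cfm"    # cannot exist by chance
    canary_status = fetch(base + canary)
    reliable = not 200 <= canary_status < 400

    found: List[Tuple[str, int]] = []
    protected: List[Tuple[str, int]] = []
    for path in paths:
        status = fetch(base + path)
        if 200 <= status < 400:
            found.append((path, status))
        elif status in (401, 403):
            protected.append((path, status))
    return {"reliable": reliable, "found": found, "protected": protected}


if __name__ == "__main__":
    # Constructed demo: a server that still has CFDOCS, with snippets locked down.
    demo = fake_server({"/CFDOCS/": 200, "/CFDOCS/snippets/": 403})
    print(scan("http://example.test", demo))
```

    Anything in the found list should be deleted from the live server; anything in the protected list is present and relies entirely on the IIS/NT ACL staying in place. Only run this against hosts you administer or have permission to test.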


    Where can I find out how to improve the security of my IIS installation?

    Read the IIS installation checklists on the Microsoft security site
    http://www.microsoft.com/security/
    including the IIS 5 security checklist
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp
    and the material on securityfocus.com
    http://www.securityfocus.com/

    Read about how to use ACLs
    http://www.trustedsystems.com/

    Finally, there's a very good O'Reilly book on securing NT/2K servers called "Securing Windows NT/2000 Servers for the Internet".
