[Looking for Charlie's main web site?]

Serious security threat for ColdFusion servers [now covered by a hotfix]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Hey folks, there's a fairly serious security threat out in the wild, and you may want to check if your server's been hit. (It may be old news to some, but for now it's hitting people in the past week or so.) It's been confirmed to have hit at least CF9 (9.01 and 9.0.2) servers, but it seems it would apply to as well to CF10 or down to CF 7, as it leverages the Admin API.

And note that it's NOT one that you're protected against by having applied CF security hotfixes. (Updated Jan 15 2013, as Adobe now has a hotfix for this. More below.)

There's quite a bit for you to consider regarding this recent threat, as I discuss here.

[....Continue Reading....]

Have you noticed the ColdFusion 10 admin allows only one login at a time? It's by design

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Someone raised a question on one of the Adobe forums saying that they kept getting kicked out of (logged off) the CF Admin in CF10.

Ultimately, he realized it was that when one of his colleagues logged into CF 10 Admin, he got logged out, and vice-versa. Certainly frustrating.

And yes, it's by design in CF10, as part of various security enhancements. The issue is that only one person can be logged in to a given account name in the CF Admin (by default, it's "admin"). There is a solution: create new logins for each person needing to access the Admin. I discuss this and much more below.

Update 1: Since I wrote this entry back in June '12, I did a video for Adobe about a year later where I walk through this in several minutes. You may want to check that out.

Update 2: Great news for those using CF11: CF11 addresses this problem with a new feature in the CF Admin. You may want to read ahead to understand the problem to appreciate the point of this solution. Anyway, see the Security > Administrator page and its option, "Allow Concurrent Login Sessions for Administrator Console". The docs say that it will be disabled by default, allowing multipel logings, unless you choose the "securee profile" option during installation or via the admin (the ability to change that in the Admin is another new feature of CF11), in which case concurrent access by a given account it will be disabled.

Where's is this change in CF10 documented?

[....Continue Reading....]

CF911: Have you updated your ColdFusion JVM to _24 yet? Important security fix for CF 8/9

Note: This blog post is from 2011. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This isn't new info, but you may have missed it. If you're running CF 8 or 9, did you know you can and should update the JVM that came with it? And that you have Adobe's blessing to do this update? This is because of a serious bug in the JVM that is not fixed until 1.6.0_24.

Both CF 9.0 and 9.01 run on older JVMs (and therefore need this update). And are you on CF8? You're not left out: Adobe even has confirmed this update can be applied to CF 8 and 8.01, too!

Note: if you are finding this blog post because you're searching the web for help on updating the JVM that underlies ColdFusion, note that this is a very old post (2011) about one specific JVM version. Instead, for a more general discussion of updating the JVM, and especially about solving and preventing common problems when doing that, see my more "recent" (2014) and more elaborated post: CF911: 'Help! I've updated the JVM which ColdFusion uses, and now it won't start!'.

Still more updates since this originally was posted:

Update 1: Since I wrote this blog entry in Oct 2011, Adobe has since come out with a new technote in Oct 2012 saying that you are now permitted to update to any version of Java 1.6 (for CF 8/9/10).
Update 2: Since posting this note, I've realized I should document an important fact to be aware of if you DO update the JVM: after doing so, it may seem that changes you made to allow CFHTTP calls to SSL pages (or other tags in CFML that talk via SSL or TLS) may "seem to have been lost". The issue is likely that you had modified your current CF setup to import specific certificates for such sites, but those changes are "lost" when you change the JVM that CF is now using (which has its own keystore). But these cert changes can be recovered. For more on that, see the next to last section below.
Update 3: In Feb 2013, Adobe did come out with an update that authorizes moving to Java 1.7 in either 9 or 10. You must apply the update first, though. More in this Adobe blog entry.

Old news, but not everyone knows

[....Continue Reading....]

New "ColdFusion 8 developer security guidelines" at Adobe DevCenter

Note: This blog post is from 2007. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
I haven't seen much mention of this elsewhere, but I happened upon a new 47-page whitepaper called "ColdFusion 8 developer security guidelines", by Erick Lee, Ian Melven, and Sarge Sargent. It's listed in the Adobe Security DevCenter, which shows it having been posted as of today.

Like other whitepapers that have been put together by Adobe, Macromedia, Allaire, and others, this one offers overviews of key concerns along with proposed best practices.

Is it complete? Does it really need to be?

As with any such document, there will be debate among some readers about whether the practices are always really the "best". It's inevitable. But let's give credit that the authors do try to give a rather brief round up of the features, their options, and the impact of choices.

Just as Ben's famous CF "Certification Study Guide" is a quick summary of key things in CFML (and no substitute for the complete ColdFusion documentation or the WACK books), so too would I argue that this guide is a quick summary of important points to consider. Readers would do well to understand the issues completely, both in terms of the generic concerns they raise and the specifics of CFML features and options. For that, the docs and other books would be great resources.

Still, many readers won't have time for that, so despite the fact that some may pick it apart, it will serve a large percent of the community who might otherwise have no knowledge of the concerns and configuration features. For that, we should thank the authors.

Its sections

The document is divided into the following sections: Authentication, Authorization, CFCs, Session Management, Data validation and interpreter injection, Ajax, PDF integration, .NET integration, HTTP, FTP, Error handling and logging, File System, Cryptography, Configuration, Maintance and References.

Earlier editions, and what's updated in the CF8 guide?

While the guide does focus on CF8, there is another version of the document for those running CF7, the "ColdFusion 7 developer security guidelines". It, too, is by 2 of the 3 authors of the other whitepaper, Erick Lee and Sarge Sargent. It's only 33 pages, and it too is listed at the Adobe DevNet Security Developer Center, where it show it having been updated as of Oct 2007.

You might think that the CF8 guide is updated only to refer to things new in CF8, but in fact I find some things in the CF8 guide that are not in the CF7 guide, but are not new for CF7. Perhaps they decided to expand the CF8 guide in ways that they didn't push back down into the CF7 guide (understandable if time was limited). That means that CF7 developers may want to read the later guide, though they'd have to ignore features that are indeed new to CF8.

For instance, I found a discussion of the trusted cache feature only in the CF8 guide (more on that below). I didn't do a careful comparison of what's different.

BTW, I'll add that I found references in searches both on the Adobe site and Google to a version of the security guidelines at a URL that no longer works. Since I couldn't access it, I was unable to determine how this CF7 version was updated (or if it was simply renamed, to distinguish it from the new CF8 version. Perhaps the authors can comment here if they read this entry.)

Where to offer feedback?

That last comment brings up a concern I have with the whitepapers offered on the Adobe site (and the articles offered on the Developer Center, as well, of which I've been an author recently.) There's no place for folks to leave feedback. It would be nice for there to be a place to have discussions about the things written in such whitepapers or articles. (The Devnet articles do offer a feedback link, but it's one way, not an open discussion.)

I'm sure some will want to comment on or trade best practices regarding the topics in this paper. Also, I'd like to share at least one error I found: in the discussion of the trusted cache feature, it's described as, "Enable Trusted cache in production environments. When enabled, ColdFusion will only server requested templates held in its memory cache. This provides performance gains but also prevents ColdFusion from running hacked or invalid templates."

Yikes. I wonder who wrote that (and who missed it during any review).That's not the purpose of trusted cache at all. It's about whether the server should look to disk to see if a template, once compiled and loaded into memory, has changed on disk. The server always only serves (not the typo, too, "will only server") pages held in its memory cache. Using trusted cache is certainly a performance gain, but I really have no idea what the reference is to "hacked or invalid templates". That makes me think the person writing this has a very wrong idea about the feature. But I'm not meaning to rip the guidelines. As I said earlier, I'm sure that many will find them very useful, and since folks rarely read the docs, it's a nice way to condense into 40+ pages some key points. I'll let others comment here about any other concerns they have. At least it will serve as one place to have such discussion. If there's a better place, I'll welcome people pointing to that.

Copyright ©2019 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting