
Properly (and Improperly) Using These Tags

• All of the tags mentioned in this chapter have legitimate uses; many of them are extremely powerful. It is this power that can make the tag dangerous.

• You can protect yourself from these tags to an extent by ensuring that ColdFusion runs as a specific user account (not LocalSystem on Windows), and then setting proper permissions on your file system and Registry.

• Most of these tags are only dangerous when a hacker can specify the tag’s attributes, or when a hacker can upload arbitrary code. When these tags are enabled, you should always control how data is passed into these tags. Don’t allow an end user to pass data directly into these tags.

• Certain tags, such as <CFFILE> and <CFFTP>, are “gateway” tags. When used improperly, each of these tags allows a malicious user to place arbitrary code on your server. This arbitrary code could then perform any number of dangerous actions.

• Certain tags, such as <CFREGISTRY> and <CFADMINSECURITY>, have the capability to change the security settings you have set up on your server. These also act as “gateway” tags because they could allow a hacker to enable functionality that you had previously disabled.

• Certain tags, such as <CFEXECUTE> and <CFOBJECT>, extend ColdFusion through other programming environments such as Java, COM, CORBA, and shell executables. The range of functionality offered in these other environments is so broad that the security holes created by these tags are also extremely broad.

Knowing When and Why You Should Turn Off These Tags

• As a basic security measure, you should disable every available tag in the ColdFusion Administrator, unless you explicitly need that tag enabled. These tags are too much of a security risk to leave enabled without justification.

• Disabling these tags should be a standard part of your ColdFusion Application Server installation process. It is much easier to start your application development in this clean state than to have to figure out which tags are in use after the fact.

Controlling Threading within Dangerous Tags

• Many of the security risks raised in this chapter are risks because they connect ColdFusion to outside resources, such as the file system, the Registry, or COM or Java objects.

• Because access to resources outside of ColdFusion is not necessarily threadsafe, you should explicitly control threading using <CFLOCK> when accessing these resources within your code. Failure to do so could lead to system instability or data corruption.
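The two points above (never passing end-user data straight into a dangerous tag, and serializing access to outside resources with <CFLOCK>) can be combined in a single hardened <CFFILE> write. The following is an added example, not code from the book; the directory C:\cfusion\data\notes\ and the form fields form.filename and form.note are constructed assumptions.

```cfml
<!--- Added example (not from the book): hardened CFFILE write.
      Assumes the directory C:\cfusion\data\notes\ exists and is writable
      by the account the ColdFusion service runs under; form.filename and
      form.note are constructed sample inputs. --->
<cfparam name="form.filename" type="string">
<cfparam name="form.note" type="string" default="">

<!--- 1. Never let the end user choose the path. Accept only a plain base
      name (letters, digits, underscore, hyphen) ending in .txt, so that
      "..\", drive letters and UNC prefixes are rejected before they ever
      reach the FILE attribute of CFFILE. --->
<cfif NOT REFind("^[A-Za-z0-9_-]{1,40}\.txt$", form.filename)>
    <cfthrow type="Application" message="Invalid file name">
</cfif>

<!--- 2. Build the destination from a fixed directory that the code owns;
      the only user-influenced component is the validated base name. --->
<cfset noteDir = "C:\cfusion\data\notes\">
<cfset target = noteDir & form.filename>

<!--- 3. Two requests writing the same file at once can corrupt it, so
      serialize the write with a named exclusive lock keyed on the file
      name. A timeout with THROWONTIMEOUT turns a stuck lock into an
      error instead of a silently lost write. --->
<cflock name="note-#form.filename#" type="EXCLUSIVE" timeout="10" throwontimeout="yes">
    <cffile action="WRITE" file="#target#" output="#form.note#" addnewline="yes">
</cflock>
```

Because ColdFusion executes every tag as its service account, this write still succeeds only where that account has file-system permission, which is the second layer the chapter recommends.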

Working with Other Dangerous and Undocumented Tags

• In addition to the tags identified within the ColdFusion Administrator, there are a handful of documented tags and functions that pose security risks.

• There are also some undocumented tags and functions, most of which were written specifically for use within the ColdFusion Administrator. These tags and functions also pose a security risk.

• The only way to disable the use of these tags and functions is to create an Advanced Security sandbox, and run your application within that sandbox. The sandbox can be configured to disallow any tag or function.

Q: How can I restrict the use of any tag, not just those listed in the Tag Restrictions area?

A: You can create an Advanced Security sandbox. The sandbox allows you to restrict access on a directory-by-directory basis to any ColdFusion tag, including those not listed in the ColdFusion Administrator. For more on Advanced Security and sandboxes, see Chapter 6.

Q: How can I restrict the use of ColdFusion functions?

A: This can also be accomplished by using an Advanced Security sandbox. Within the sandbox, you can restrict access to ColdFusion functions.

Q: I’m worried about <CFFILE> and <CFDIRECTORY>. I need to have these tags enabled to allow access to the local file system on the ColdFusion server, which is part of a larger network. Does this mean that these tags also have access to the file systems on the rest of the network?

A: All ColdFusion tags execute with the same permissions as the user account under which the ColdFusion process runs. On a default Windows installation, ColdFusion executes as “LocalSystem,” which is a special account with extensive permissions on the local machine, but very few network permissions. The LocalSystem account does not have the capability to access network file systems, and thus <CFFILE> and <CFDIRECTORY> also do not have that capability. If the user account for the ColdFusion Application Server has been changed, and the user account has network privileges, then <CFFILE> and <CFDIRECTORY> have the same privileges. On UNIX, the default user account is “nobody,” which also has few network privileges.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to

Q: I’ve disabled all the tags in the ColdFusion Administrator. I have my ColdFusion server behind a firewall. Am I safe?

A: There is no such thing as truly safe. The only way to be completely, absolutely safe is to unplug your ColdFusion server from the network, and then turn it off. However, to reach a comfortable level of security, you must do more than simply disable certain tags and network ports. You must control how your application works within the code. This means you must understand how the dangerous parts of ColdFusion work, and write your application with these dangers in mind.
