The <CFREGISTRY> tag is extremely powerful, and quite likely most developers have never used it. Its purpose is to read, write, create, and delete keys within the system Registry. On Windows, this is the Windows Registry, which is used extensively by many applications, including Windows itself. On UNIX, this is the virtual Registry created by ColdFusion in the file “cf.registry.”
This tag certainly has its uses. You can use it to list all of the Verity collections on the server; you could use it to see if a particular ColdFusion Extension (CFX) tag is installed; or you could use it to get the list of IP addresses for which debugging is enabled. Of course, the uses of this tag are not limited to ColdFusion-specific Registry information. You can use this tag to look up Windows’ base Program Files directory, or find information about currently configured printers.
These conveniences can be outweighed by the huge potential for danger from the <CFREGISTRY> tag. Using this tag, all other tags that have been marked as disabled can be reenabled, because this information is stored in the Registry. Many other administrative settings can be changed or read through the Registry, such as application and session variable timeouts, DSN information—even the server’s serial number. Take a look at the HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion branch, especially the Server key (as seen in Figure 3.10), for all of the possible configuration options available through the Registry.
Reading or changing these values could lead to other security holes.
However, of course, there is always the delete action of <CFREGISTRY>. Using this action, a hacker could wipe out entire branches of the Registry, quite possibly leaving the server in an unusable, or unbootable, state. Imagine how well your server would work if the HKEY_LOCAL_MACHINE\Software\Microsoft branch suddenly disappeared!
Figure 3.10 Basic Security Settings Stored in the Registry
<CFREGISTRY> Hole
Need another reason to add extra layers of security—beyond the built-in password—to the ColdFusion Administrator? If your Administrator is publicly accessible, and a hacker can gain control over the <CFREGISTRY> tag, you’re in trouble. The ColdFusion Administrator password, as well as the RDS password and the Advanced Security admin password and shared secret, are stored in the Registry. These values are encrypted using the undocumented CFUSION_ENCRYPT function, and can thus be decrypted to plaintext using the CFUSION_DECRYPT function, as long as the encryption key is known. In addition, using <CFREGISTRY>, a hacker can simply blank out the Administrator password so it won’t be required.
On Windows, <CFREGISTRY> is probably the most destructive tag in ColdFusion’s arsenal, followed closely by <CFFILE> and <CFDIRECTORY>. While <CFFILE> and <CFDIRECTORY> allow for mass deletion of files, <CFREGISTRY> allows for mass deletion of important system configuration. Many system administrators are savvy enough to place access control lists (ACLs) on the file system, but many overlook ACLs on the Registry, thus giving <CFREGISTRY> attacks a greater chance of succeeding.
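The Registry ACL review that this paragraph calls for, as an added example that is not from the book: a PowerShell audit of which principals hold write rights on the ColdFusion configuration branch named earlier in this section. The list of trusted principals is an assumption to be adjusted to your own baseline.

```powershell
# Added example, not from the book: list every principal that can modify the
# ColdFusion configuration branch that <CFREGISTRY> reads and writes.
# Run in an elevated PowerShell session on the ColdFusion server.
$keyPath = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion'

# Assumed baseline of principals expected to hold write access; adjust to your server.
# The account the ColdFusion service runs as will normally show up in the findings:
# that is exactly the access <CFREGISTRY> inherits, so review it rather than trusting it here.
$trustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Any one of these rights is enough to alter or remove configuration under the key.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-UntrustedRegistryWriters {
    param(
        [string]$Path,
        [string[]]$Trusted,
        [System.Security.AccessControl.RegistryRights]$Rights
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Deny entries never grant access, so only Allow entries matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Skip entries that carry none of the write-class rights.
        if (($ace.RegistryRights -band $Rights) -eq 0) { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited   # inherited ACEs come from HKLM\SOFTWARE, not this key
        }
    }
}

$findings = @(Get-UntrustedRegistryWriters -Path $keyPath -Trusted $trustedWriters -Rights $writeRights)
if ($findings.Count -gt 0) {
    Write-Warning "Principals outside the trusted set can modify $keyPath"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "Only trusted principals can modify $keyPath"
}
```

Entries reported with Inherited set to True are fixed on a parent key, so tightening them means changing the parent ACL or breaking inheritance on the ColdFusion key itself.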
Using the <CFADMINSECURITY> Tag
The <CFADMINSECURITY> tag is used to manipulate the Advanced Security policy store. The Advanced Security components of ColdFusion store information about policies, rules, user directories, and other resources within this policy store, which can be either an ODBC database or a Lightweight Directory Access Protocol (LDAP) directory. Typically, this data is not manipulated directly. To make changes to the security policy, simply click through the appropriate pages of the ColdFusion Administrator. Behind the scenes, the ColdFusion Administrator uses the <CFADMINSECURITY> tag (actually, it uses the <CFNEWINTERNALADMINSECURITY> tag, which wraps and is synonymous with <CFADMINSECURITY>).
This is an undocumented, unadvertised tag, meant to be used only within the ColdFusion Administrator. However, nothing will stop you—or a hacker—from using this tag elsewhere within your applications.
This tag has a large arsenal of actions. Table 3.2 lists all of the actions and their associated attributes.
Table 3.2 Actions and Attributes of <CFADMINSECURITY>

Action                            Attributes
ADDHOST                           IP, NAME, SECRET
ADDPOLICY                         DIRECTORY, NAME
ADDRULE                           DIRECTORY, NAME, RESOURCE, TYPE
ADDRULETOPOLICY                   DIRECTORY, NAME, POLICY
ADDSECURITYCONTEXT                NAME
ADDSECURITYREALM                  DIRECTORY, NAME, SERVER
ADDUSERDIRECTORY                  NAME, SERVER
ADDUSERDIRECTORYTOCONTEXT         DIRECTORY, NAME
ADDUSERTOPOLICY                   DIRECTORY, NAME, POLICY, USER
CREATEODBCQUERYSCHEME             DESCRIPTION, NAME, SQLAUTHUSER, SQLENUM,
                                  SQLGETGROUPPROP, SQLGETGROUPPROPS, SQLGETGROUPS,
                                  SQLGETOBJINFO, SQLGETUSERPROP, SQLGETUSERPROPS,
                                  SQLINITUSER, SQLISGROUPMEMBER, SQLLOOKUP,
                                  SQLLOOKUPGROUP, SQLLOOKUPUSER, SQLSETGROUPPROP,
                                  SQLSETUSERPROP
DELETEHOST                        NAME
DELETEODBCQUERYSCHEME             NAME
DELETEPOLICY                      DIRECTORY, NAME
DELETERULE                        DIRECTORY, NAME, TYPE
DELETESECURITYCONTEXT             NAME
DELETESECURITYREALM               DIRECTORY, NAME
DELETEUSERDIRECTORY               NAME
FLUSHCACHE                        CACHETYPE
GENERATERULE                      NAME, OUTPUT, RESOURCE, RESOURCEACTION, TYPE
GETHOST                           QUERY
GETODBCQUERYSCHEME                NAME, QUERY
GETPOLICY                         DIRECTORY, QUERY
GETRESOURCEINFO                   NAME, OUTPUT, TYPE
GETRULE                           DIRECTORY, QUERY
GETRULEFORPOLICY                  DIRECTORY, NAME, QUERY
GETSECURITYCONTEXT                QUERY
GETSECURITYREALM                  DIRECTORY, QUERY
GETUSERDIRECTORY                  QUERY
GETUSERDIRECTORYFORCONTEXT        NAME, QUERY
GETUSERFORPOLICY                  DIRECTORY, NAME, QUERY, USER
GETUSERSFORUSERDIRECTORY          NAME, QUERY
REMOVERULEFROMPOLICY              DIRECTORY, NAME, POLICY, TYPE
REMOVEUSERDIRECTORYFROMCONTEXT    DIRECTORY, NAME
REMOVEUSERFROMPOLICY              DIRECTORY, NAME, POLICY, USER
A very useful application of this tag is to programmatically flush the security cache. Advanced Security caches login credentials according to the cache settings within the ColdFusion Administrator. For a production site, it is best to enable the cache, which speeds up security lookups and lightens the load on the policy store. However, enabling the security cache opens a security hole. If a username/password pair is changed or deleted, the old credentials remain in the cache until the cache refreshes (the cache refresh time is configurable in the ColdFusion Administrator). Thus, if a user changes her password, for a period of time she can log in with both her old and her new password. If an administrator deletes a username, that user can still log in for a period of time. You can manually trigger a cache flush using the <CFADMINSECURITY> tag, with the FLUSHCACHE action; this clears any cached credentials. It is up to you, the application developer, to weigh the seriousness of this security hole versus the performance hit of frequently forcing the cache to refresh.
The opportunities for hacking this tag should be obvious. If your application relies on Advanced Security for access control, and a hacker can manipulate your policy store, then that hacker can likely break into your application, or delete or alter your policy store such that no one can log in.
The majority of ColdFusion applications do not use Advanced Security, and even fewer use this undocumented tag. If you are using this tag, you should be aware of the security holes it opens; otherwise, it is best to disable this tag.