Why should you be worried about security?

The Web is changing many of the assumptions that people have historically made about computer security and publishing. As the Internet makes it possible for web servers to publish information to millions of users, it also makes it possible for computer hackers, crackers, criminals, vandals, and other “bad guys” to break into the very computers on which the web servers are running. Once subverted, web servers can be used by attackers as a launching point for conducting further attacks against users and organisations.

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time.

This blog post started on the premise of protecting your website from a SQL Injection Attack. However, it is also appropriate to discuss, at a relatively high level, how to secure your server architecture and applications.

Server-Level Security

• Separate web- and database-servers on to different physical machines.
• Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
• Keep servers up-to-date with the latest patches and software releases.
• Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
• Secure information in transit between servers. This may mean physically securing the network to prevent evesdropping via encryption or obfuscating the data amongst innocuous ‘noise’.
• Secure the database server behind a firewall.

Application-Level Security

• Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
• Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
• Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
• General settings in the ColdFusion Administrator:
  • Check the Disable access to internal ColdFusion Java components option.
  • Check the Enable Global Script Protection option.
  • Add a Missing Template Handler.
  • Add a Site-wide Error Handler.
  • Reduce the Maximum size of post data from 100MB.
  • Enable Timeout Requests, and set to 60 seconds or less.
  • Disable Robust Exception Handling on production servers.

Code-Level Security

• Application.cfc – Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
• CFQueryParam – This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times.

  <cfquery name="qry" datasource="#APPLICATION.dsn#">
  SELECT column1, column2, column3
  FROM tableName
  WHERE column4 = <cfqueryparam value="#variable1#" cfsqltype="cf_sql_bit" />
  AND column5 LIKE <cfqueryparam value="%#variable2#%" cfsqltype="cf_sql_varchar" maxlength="200" />
  AND column6 IN (<cfqueryparam value="#variable3#" cfsqltype="cf_sql_integer" list="true" />)
  </cfquery>

  There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.

• Functions – As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
• Stored Procedures – I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.

Additional Resources

• Web Security, Privacy and Commerce
• O’Reilly’s The Web Application Hacker’s Handbook
• Adobe’s whitepaper – ColdFusion 8 Developer Security Guidlines (PDF, 281k)
• Adobe’s whitepaper – ColdFusion 7 Developer Security Guidlines (PDF, 217k)
• Adobe DevNet – Learning Stored Procedure Basics in ColdFusion 8
• 0×000000 # The Hacker Webzine’s article on Attacking ColdFusion
• Three part series from Mark Kruger (ColdFusion Muse) – Part 1, Part 2, Part 3
• Brad Wood’s article on CFQueryParam is not just for security.

Which ever method is used to inject SQL and ultimately dangerous scripts into the database, we need to know how to deal with the problem and ‘roll it back’ to a safe state.

If you have an up-to-date backup of the database prior to the attack, then restoring the database is the best course of action. If this is not the case, apart from giving yourself a kick for not implementing a backup policy, it is possible to programatically remove the injected string or code using a set of relatively-simple SQL queries.

Programatically Replace Injected Code

Fortunately, by the very nature of an XSS attack, code is appended to the data already in the database — rather than replacing it — which means we simply need to remove the appended content.

Taking a real-world example, below is string that was injected into the database:

"></title><script src="http://1.verynx.cn/w.js"></script><!--

When rendered by a standard HTML page, the string is either displayed to the user agent, or the JavaScript file is called by the page, causing a security threat.

With the example above, we can use the following script to recurse through and create update scripts for every ‘infected’ table and column (of the type char, nchar, varchar and nvarchar), in the database.

SELECT 'UPDATE [' + table_name + ']
SET ' + column_name + ' = REPLACE(CAST(' + column_name + ' as varchar(8000)), ''"></title><script src="http://1.verynx.cn/w.js"></script><!--'', '''')
WHERE ' + column_name + ' LIKE ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--%'''
FROM information_schema.columns
WHERE (character_maximum_length is not NULL)
AND ([table_name] not like 'dt%')
AND ([table_name] not like 'sys%')

The resultset then produces update statements that look like the following (I have masked the actual table and column names):

UPDATE [tableName]
SET columnName = REPLACE(CAST(columnName AS VARCHAR(8000)), '"></title><script src="http://1.verynx.cn/w.js"></script><!--', '')
WHERE columnName LIKE '%"></title><script src="http://1.verynx.cn/w.js"></script><!--%'

These update statements can be copied into and run in a program such as Query Analyser for Microsoft SQL Server 2000, or SQL Server Management Studio for Microsoft SQL 2005.

If the actual code that was injected is different, simply change the above code to suit your needs.

You can download the SQL rollback script for your own needs.

Prevent a Successful Attack

As the popular idiom goes prevention is better than a cure, I will discuss in my next post how to mitigate against SQL Injection attacks — on ColdFusion-based websites — before they become a problem.

Now it is the turn of ColdFusion 8. ColdFusion 8 as we well know is the latest and greatest incarnation of the ColdFusion platform from Adobe. It has a lot of great new features such as cfimage, cfzip, cfexchange, some contentious features such as cfthread and cfinterface, and some not-so-necessarily-cool new “Web 2.0″ features such as cffeed and cfajax. But since this article isn’t about any of these, I better stick to the topic.

Like my article on installing Apache, installing ColdFusion on Vista is again not a trivial matter and involves only what can colloquially described as a “shed load of steps”. I’m probably being a little harsh towards ColdFusion as many of the problems I encountered were more closely related to Apache than ColdFusion.

NB: This article will assume that you have pre-installed Apache (although you could use IIS if so compelled), turned off Vista’s User Account Control (UAC), disabled any firewalls you have installed and finally, but most importantly, you have downloaded ColdFusion from the Adobe website.

Let us begin.

1. Find where you downloaded your copy of the ColdFusion Installer. Right-click on the executable file and specify to “Run as Administrator”. The installer should start and you should see the screenshot below. Select “English”, or which ever your language preference is, and Click “OK”.

   

2. The ColdFusion Installation progress screen may or may not be briefly displayed.

   

3. The Introduction screen will be displayed. Click “Next”.

   

4. The License Agreement screen will then be displayed. Agree to the “I accept the terms of the License Agreement” and Click “Next”.

   

5. The Install Type screen is then displayed. You don’t need to enter a serial number unless you are installing this into a production environment. Check “Developer Edition” and Click “Next”.

   

6. The Installer Configuration screen should be displayed. Since we already have Apache 2.x installed as our web server (if you want to use IIS, you will need to skip steps 11.1 and 11.2), check “Server configuration” and Click “Next”.

   

7. The Sub-component Installation screen should be displayed. This is one of the noticeable changes from version 7 to version 8 of ColdFusion. Hovering your mouse over each sub-component will describe in more detail what each sub-component does. If you plan to integrate .NET (especially with WebServices) or carry out Flex development then make sure that the “.NET Integration Services” and “LiveCycle Data Services” items are checked. For simplicities sake, check everything and Click “Next”.

   

8. The Select Installation Directory screen should be displayed. The default directory for a Serverconfiguration will be “C:\ColdFusion8″ on a Windows machine. Click “Next” to continue.

   

9. As you have chosen to install LiveCycle Data Services, you will need to agree to a further Licence Agreement screen. Click “Next”.

   

10. The Adobe Livecycle Data Services ES Installation screen is displayed. You will need to enter a serial number into this screen for production environments. Since I am going to assume a development environment, simply click “Next”.

    

11. The Configure Web Servers / Websites screen should be displayed. This is the point where we want to connect ColdFusion with Apache. By default “Configure web server connector for ColdFusion” is checked. We need to add Apache so Click “Add”.

    

    1. The Add Web Server Configuration screen is displayed, choose Apache from the drop-down.
    2. Add the relevant Apache directory paths, e.g.:

       

       1. The Configuration Directory C:\Program Files\Apache Software Foundation\Apache2.2\conf
       2. The Server Binary Directory C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
12. The Review Configured Web Server screen is then displayed. If all the settings are correct, click “Next”.

    

13. The Choose Adobe ColdFusion 8 Administrator Location screen should be displayed. Since we are using Apache for our web server then the default Directory should be pointing to C:\Program Files\Apache Software Foundation\Apache2.2\htdocs. You can alternatively point this to C:\WebRoot or wherever you have set up your web project files. Select “Next”.

    

14. The Adminstrator Password screen is then displayed, prompting for a password. Enter one, remember it (!!) and click “Next”.

    

15. The Enable RDS & Password screen is then displayed. If you want to use this, check the box and provide an additional password. Don’t use RDS in a production environment. Click “Next”.

    

16. The Pre-Installation Summary screen is then displayed, detailing your configuration. This is your last chance to go back and make changes. If everything is OK, click “Install”.

    

17. The Installing Adobe ColdFusion 8 screen is then displayed, showing a host of marketing messages.

    

18. The Please Wait screen is displayed, and be prepared to wait!

    

19. The Installation Complete screen is finally displayed and indeed the installation is complete. Now for the configuration! Click “Done”.

    

20. Configuration and Settings Migration Wizard. Open up a browser and enter the url http://localhost/CFIDE/administrator/index.cfm to begin the ColdFusion 8 Configuration and Settings Migration Wizard. Enter your password and Click “Login”.

    

21. ColdFusion will now begin Configuring Server, which could take any number of minutes to complete.

    

22. Once the Configuration Complete is displayed, you can login to the ColdFusion Administrator and start working, or playing, with the new interface, settings and Server Monitor.

    

So, that only 22 steps! That may be the longest installation process you may go through, but the power now at your finger tips to produce hugely interactive websites is a compelling reason why to choose this version of ColdFusion, or indeed ColdFusion over other products.