Why should you be worried about security?

The Web is changing many of the assumptions that people have historically made about computer security and publishing. As the Internet makes it possible for web servers to publish information to millions of users, it also makes it possible for computer hackers, crackers, criminals, vandals, and other “bad guys” to break into the very computers on which the web servers are running. Once subverted, web servers can be used by attackers as a launching point for conducting further attacks against users and organisations.

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time.

This blog post started on the premise of protecting your website from a SQL Injection Attack. However, it is also appropriate to discuss, at a relatively high level, how to secure your server architecture and applications.

Server-Level Security

• Separate web- and database-servers on to different physical machines.
• Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
• Keep servers up-to-date with the latest patches and software releases.
• Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
• Secure information in transit between servers. This may mean physically securing the network to prevent evesdropping via encryption or obfuscating the data amongst innocuous ‘noise’.
• Secure the database server behind a firewall.

Application-Level Security

• Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
• Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
• Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
• General settings in the ColdFusion Administrator:
  • Check the Disable access to internal ColdFusion Java components option.
  • Check the Enable Global Script Protection option.
  • Add a Missing Template Handler.
  • Add a Site-wide Error Handler.
  • Reduce the Maximum size of post data from 100MB.
  • Enable Timeout Requests, and set to 60 seconds or less.
  • Disable Robust Exception Handling on production servers.

Code-Level Security

• Application.cfc – Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
• CFQueryParam – This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times.

  <cfquery name="qry" datasource="#APPLICATION.dsn#">
  SELECT column1, column2, column3
  FROM tableName
  WHERE column4 = <cfqueryparam value="#variable1#" cfsqltype="cf_sql_bit" />
  AND column5 LIKE <cfqueryparam value="%#variable2#%" cfsqltype="cf_sql_varchar" maxlength="200" />
  AND column6 IN (<cfqueryparam value="#variable3#" cfsqltype="cf_sql_integer" list="true" />)
  </cfquery>

  There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.

• Functions – As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
• Stored Procedures – I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.

Additional Resources

• Web Security, Privacy and Commerce
• O’Reilly’s The Web Application Hacker’s Handbook
• Adobe’s whitepaper – ColdFusion 8 Developer Security Guidlines (PDF, 281k)
• Adobe’s whitepaper – ColdFusion 7 Developer Security Guidlines (PDF, 217k)
• Adobe DevNet – Learning Stored Procedure Basics in ColdFusion 8
• 0×000000 # The Hacker Webzine’s article on Attacking ColdFusion
• Three part series from Mark Kruger (ColdFusion Muse) – Part 1, Part 2, Part 3
• Brad Wood’s article on CFQueryParam is not just for security.

An assignment operator assigns a value to its left operand based on the value of its right operand.

The basic assignment operator is equal (=), which assigns the value of its right operand to its left operand. That is, x = y assigns the value of y to x. The other assignment operators are usually shorthand for standard operations, as shown in the following table.

In unusual situations, the assignment operator is not identical to the Meaning expression in the above table. When the left operand of an assignment operator itself contains an assignment operator, the left operand is evaluated only once. For example:

<cfscript>
a[i++] += 5 //i is evaluated only once
a[i++] = a[i++] + 5 //i is evaluated twice
</cfscript>

In the following series of posts, I will introduce the changes and show some simple examples. The first in the series is Arithmetic Operators.

Arithmetic operators take numerical values (either literals or variables) as their operands and return a single numerical value. The standard arithmetic operators are addition (+), subtraction (-), multiplication (*), and division (/). These haven’t changed from ColdFusion version 7 to 8.

A key change comes with the use of Unary Operators. The unary operators require only one operand; they perform various operations such as incrementing/decrementing a value by one, negating an expression, or inverting the value of a boolean.

These operators work as they do in most other programming languages.

% (Modulus)

The modulus operator is used as follows:

var1 % var2

The modulus operator returns the first operand modulo the second operand, that is, var1 modulo var2, in the preceding statement, where var1 and var2 are variables. The modulo function is the integer remainder of dividing var1 by var2. For example, 12 % 5 returns 2.

In ColdFusion this is written:

<cfif myQuery.currentRow % 2></cfif>

A good use of the modulus operator would be to alternate row colours in tabular data. The above code could be wrapped around a CSS class, dynamically changing the name of the class on each row iteration.

++ (Increment)

The increment operator is used as follows:

var++ or ++var

This operator increments (adds one to) its operand and returns a value. If used postfix, with operator after operand (for example, x++), then it returns the value before incrementing. If used prefix with operator before operand (for example, ++x), then it returns the value after incrementing.

For example, if x is 10, then the statement y = x++ sets y to 10 and increments x to 11. If x is 10, then the statement y = ++x increments x to 11 and sets y to 11.

In ColdFusion, a simple example:

<cfset x = 10 />
<cfset y = x++ />
 
<cfdump var="#variables#" label="Increment Operator Test 1" />

The above code returns:

Switching the order of the operator to be before the variable:

<cfset x = 10 />
<cfset y = ++x />
 
<cfdump var="#variables#" label="Increment Operator Test 2" />

The above code returns; note that both variables return 11:

-- (Decrement)

The decrement operator is used as follows:

var-- or --var

This operator decrements (subtracts one from) its operand and returns a value. If used postfix (for example, x–), then it returns the value before decrementing. If used prefix (for example, –x), then it returns the value after decrementing.

For example, if x is three, then the statement y = x– sets y to 3 and decrements x to 2. If x is 3, then the statement y = –x decrements x to 2 and sets y to 2.

In ColdFusion, a slightly more complex example:

<cfscript>
//decrement the variable y
for(y=5; y > 0; y--)
{
	writeOutput(y);
}
//returns 54321
</cfscript>

The above code loops from 5 to 1, decrementing the value of y by 1 on each iteration. The returned output is therefore 54321.

We could now combine the increment and decrement operators to do even more complex operations. E.g.:

<cfscript>
//create a new array
arrTemp = arrayNew(1);
//create a new variable for the array counter
x = 1;
//loop y, decrement the variable y
for(y=5; y > 0; y--)
{
	arrTemp[x++] = y;
}
</cfscript>
 
<cfdump var="#arrTemp#" label="Combined Increment Decrement Operator Test" />

The above code loops from 5 to 1, decrementing the value of y by 1 on each iteration. At the same time, the value of x increments by 1 on each iteration and is used to define the array index, i.e. arrTemp[1].

The returned output can be displayed as follows:

Such code serves to demonstrate how you can set up complex operations without the need to use the following, antiquated operations:

<cfset x = incrementValue(x) />
<cfset y = y+1 />
<cfset a = decrementValue(a) />
<cfset b = b-1 />

- (Unary Negation)

The unary negation operator precedes its operand and negates it. For example, y = -x negates the value of x and assigns that to y; that is, if x were 3, y would get the value -3 and x would retain the value 3. This is not new to ColdFusion 8, but it is worth a mention.

In ColdFusion, this can be shown by the following:

<cfset x = 3 />
<cfset y = -x />
 
<cfdump var="#variables#" label="Unary Operator Test" />

The above code returns: