Every seasoned developer will know that protecting your website from a hacker is a top priority, whether for your own reputation or for maintaining your company’s reputation and log-term revenue prospects.

Why should you be worried about security?

The Web is changing many of the assumptions that people have historically made about computer security and publishing. As the Internet makes it possible for web servers to publish information to millions of users, it also makes it possible for computer hackers, crackers, criminals, vandals, and other “bad guys” to break into the very computers on which the web servers are running. Once subverted, web servers can be used by attackers as a launching point for conducting further attacks against users and organisations.

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time.

This blog post started on the premise of protecting your website from a SQL Injection Attack. However, it is also appropriate to discuss, at a relatively high level, how to secure your server architecture and applications.

Server-Level Security

• Separate web- and database-servers on to different physical machines.
• Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
• Keep servers up-to-date with the latest patches and software releases.
• Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
• Secure information in transit between servers. This may mean physically securing the network to prevent evesdropping via encryption or obfuscating the data amongst innocuous ‘noise’.
• Secure the database server behind a firewall.

Application-Level Security

• Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
• Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
• Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
• General settings in the ColdFusion Administrator:
  • Check the Disable access to internal ColdFusion Java components option.
  • Check the Enable Global Script Protection option.
  • Add a Missing Template Handler.
  • Add a Site-wide Error Handler.
  • Reduce the Maximum size of post data from 100MB.
  • Enable Timeout Requests, and set to 60 seconds or less.
  • Disable Robust Exception Handling on production servers.

Code-Level Security

• Application.cfc - Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
• CFQueryParam - This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times.

  <cfquery name="qry" datasource="#APPLICATION.dsn#">
  SELECT column1, column2, column3
  FROM tableName
  WHERE column4 = <cfqueryparam value="#variable1#" cfsqltype="cf_sql_bit" />
  AND column5 LIKE <cfqueryparam value="%#variable2#%" cfsqltype="cf_sql_varchar" maxlength="200" />
  AND column6 IN (<cfqueryparam value="#variable3#" cfsqltype="cf_sql_integer" list="true" />)
  </cfquery>

  There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.

• Functions - As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
• Stored Procedures - I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.

Additional Resources

• Web Security, Privacy and Commerce
• O’Reilly’s The Web Application Hacker’s Handbook
• Adobe’s whitepaper - ColdFusion 8 Developer Security Guidlines (PDF, 281k)
• Adobe’s whitepaper - ColdFusion 7 Developer Security Guidlines (PDF, 217k)
• Adobe DevNet - Learning Stored Procedure Basics in ColdFusion 8
• 0×000000 # The Hacker Webzine’s article on Attacking ColdFusion
• Three part series from Mark Kruger (ColdFusion Muse) - Part 1, Part 2, Part 3
• Brad Wood’s article on CFQueryParam is not just for security.

After installing ColdFusion 8 and Apache successfully you may still see an “HTTP 500 Internal Server Error” when navigating to a ColdFusion page. All is not lost, you simply need to configure, or check the configuration of Apache.

Apache requires very little post installation modification, but it is always good practice to check the httpd.conf file to ensure that the ColdFusion “install” scripts did what they were supposed to do.

If you haven’t confirmed that Apache is running, open your browser and point it to http://localhost/ (unless you specified a real URL during installation). You should see the Apache test page. If you see an error, review the Apache installation steps to make sure you followed all the steps correctly, and/or check your log files for more detailed errors.

Now we know Apache is running, but how about ColdFusion? Point your browser to the ColdFusion Administrator found commonly at http://localhost/CFIDE/administrator/index.cfm and see what happens. One of three possible failures could occur:

1. Your browser prompts you to save the .cfm file to your computer. There a couple of possible resolutions to this. Firstly restart the Apache service. If this does not resolve the issue you will need to check the httpd.conf file to ensure that the ColdFusion module is being loaded. The file can typically be found in the C:\Program Files\Apache Software Foundation\Apache2.2\conf\ directory.
   Make sure that the DirectoryIndex has a reference to the index.cfm file (i.e. the default file):Ensure that the LoadModule jrun_module "C:/ColdFusion8/runtime/lib/wsconfig/1/mod_jrun22.so" is also present:

   

   If you need to edit this file, restart the Apache service after you have saved the changes.

2. You get a message that the CFIDE folder cannot be found. This is more likely to be a problem with where you placed the ColdFusion application during install. The default location is in the Apache directory (C:\Program Files\Apache Software Foundation\Apache2.2\htdocs), so check in the http.conf file to ensure the DocumentRoot is pointing correctly. Alternatively, copy this folder to your localhost webroot (e.g. C:\WebRoot) ensuring that the DocumentRoot points to your webroot (see the yellow box in the second screen-shot).
3. You get another message which probably means that you need to reinstall ColdFusion, and/or Apache!

And that is it, you can start using ColdFusion and developing applications.