Hardening ColdFusion
Pete Freitag, Foundeo Inc.
foundeo
Who is Pete Freitag?
• Owner of Foundeo, Inc.
• Blog: petefreitag.com
• 10+ Years working with ColdFusion
Agenda
• Installation Tips
• ColdFusion Administrator Settings
• Sandbox Security
• Hiding Version Information
• Overview of Web App Firewalls
Out of Scope
• Network, Operating System, or Web Server Security
• Writing Secure CFML
However...
• Before Installing ColdFusion...
• Make sure your OS and Web Server have been patched and updated with the latest security fixes.
• Make sure your server is behind a network firewall.
Installation Tips
• Choose a non-default installation path.
• Create a dedicated user account for ColdFusion to use.
• Don’t Install Components You Aren’t Using
• Choose a Strong Administrator Password
Installation Tips
• Make sure ColdFusion Administrator is only accessible via a restricted IP, such as 127.0.0.1
• Require SSL to connect to Administrator.
• Add Web Server Password (useful for auditing who changed what)
ColdFusion Administrator Settings
Server Settings
Default: 60 seconds
Recommendation: 5-10 seconds
Why: DOS Mitigation
Server Settings
Default: Unchecked
Recommendation: Checked
Why: Session Hijacking, increases entropy of session id
Server Settings
Default: Unchecked
Recommendation: Checked
Why: Developers can monkey with the server. May be used by frameworks or APIs.
Server Settings
Default: Unchecked with “//”
Recommendation: Checked with “//”
Why: JSON Hijacking
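As an added example (not from the slides, and not ColdFusion's own code), here is how a browser-side consumer handles a response produced with the “//” prefix setting on, together with the checks a reviewer would want: the prefix must be stripped before `JSON.parse`, a body that was not stripped must fail loudly, and the prefix only neutralises the first line of the body. The response bodies are constructed samples.

```javascript
// Constructed sample of a ColdFusion JSON response with the "//" prefix
// setting enabled (the slide's recommended configuration).
const PREFIXED_BODY =
  '//[{"id":1,"email":"alice@example.com"},{"id":2,"email":"bob@example.com"}]';

const JSON_PREFIX = "//";

// Strips the configured prefix and parses the remainder with JSON.parse.
// JSON.parse never executes the payload, which is the point of the defense:
// a <script src=...> inclusion of this body sees nothing but a comment line.
function parsePrefixedJson(body, prefix = JSON_PREFIX) {
  if (typeof body !== "string" || !body.startsWith(prefix)) {
    throw new Error("response did not carry the expected JSON prefix");
  }
  return JSON.parse(body.slice(prefix.length));
}

// True if a client that forgot to strip the prefix gets a parse error
// rather than silently usable data (JSON.parse rejects comments).
function failsWithoutStripping(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// A "//" line comment ends at the first line terminator, so the prefix only
// covers a single-line body. Serialized JSON should contain no raw line
// breaks (they are escaped inside strings); this check flags bodies that do.
function prefixCoversWholeBody(body, prefix = JSON_PREFIX) {
  return body.startsWith(prefix) && !/[\r\n\u2028\u2029]/.test(body);
}

// Constructed example of a body the prefix would NOT fully protect.
const MULTILINE_BODY = "//[1,\n2]";

const records = parsePrefixedJson(PREFIXED_BODY);
console.log(records.length, failsWithoutStripping(PREFIXED_BODY),
  prefixCoversWholeBody(PREFIXED_BODY), prefixCoversWholeBody(MULTILINE_BODY));
// 2 true true false
```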
Server Settings
Default: Checked every 60 seconds
Recommendation: Unchecked
Why: If an attacker modifies the config, it won’t take effect until restart; otherwise you need to respond to attacks in less than 60 seconds.
Server Settings
Default: Unchecked
Recommendation: Understand it
Why: This feature has a VERY LIMITED ability to protect you from Cross Site Scripting. Don’t let this setting give you a false sense of security. See my blog for explanation.
Server Settings
Default: /CFIDE/scripts/
Recommendation: Something else
Why: Allows for CF Server Version Detection.
Server Settings
Default: Empty
Recommendation: Create custom handlers
Why: Information Disclosure. The default handlers disclose CF, and possibly other information. The missing template handler should match your web server’s 404 handler.
Request Size Limits
Default: 100mb
Recommendation: 1-10mb
Why: DOS Mitigation. Most applications only need to upload small files; 100mb is generally too big. This limit can and should be set up on your web server as well.
Request Size Limits
Default: 4mb
Recommendation: 1mb
Why: DOS Mitigation. For most applications a majority of requests will be under 1mb.
Request Size Limits
Default: 200mb
Recommendation: 1-50mb
Why: DOS Mitigation. Limits the total number of queued requests. 200mb of Heap is almost half the default max heap size.
Client Variables
Default: Registry
Recommended: None
Why: DOS Mitigation.
Memory Variables
Default: Unchecked
Recommended: Checked
Why: Session Hijacking. J2EE Sessions use a cookie that, by default, expires when the browser closes. The session id is also typically generated using a highly random algorithm.
Memory Variables
Default: 2 days
Recommended: As low as possible
Why: Session Hijacking. The lower the session timeout, the smaller the window of opportunity for session hijacking is.
Datasources
Default: SELECT, INSERT, UPDATE, DELETE, Create, DROP, ALTER, GRANT, REVOKE, Stored Procedures
Recommendation: SELECT, INSERT, UPDATE, DELETE, or less
Datasources
Default: 30 seconds
Recommendation: 5 seconds
Why: Ties up threads if database is down.
Datasources
• Each datasource should have its own username
• DB User should have limited permissions.
Datasources
• Remove Example Datasources
Web Services
If you are using Web Services you can hide the endpoint, username, and password from the code.
Flex Integration
Default: Checked
Recommendation: Unchecked if not needed
Why: Anything you can turn off that is not in use should be turned off.
Debug Output Settings
Default: Checked
Recommendation: Unchecked
Why: Information Disclosure. You should NOT disclose paths, SQL, source code, etc.
Debug Output Settings
Default: Unchecked
Recommendation: Unchecked
Why: Information Disclosure
Logging Settings
Default: {cfroot}/logs
Recommendation: Somewhere else
Why: Harder for an attacker to cover their tracks
Logging Settings
Default: 5000KB, 10
Recommendation: Higher Values
Why: Should be high enough to make sure an attacker can’t cover their tracks. PCI or other standards may require you to keep logs for at least a year.
Logging Settings
Default: Unchecked
Recommendation: Checked
Why: Lots of tools available to work with syslog
Security: Administrator
Default: Single Username & Password
Recommendation: Separate user name and password
Why: Principle of least privilege.
User Manager
• Restrict Access to Parts Of Administrator
• Restrict Access to Admin API
• Restrict Access to sandbox settings
• Unfortunately the super user always has the username “admin”; this can’t be changed.
Sandbox Security
• Restrict Access to:
• Tags
• Functions
• Datasources
• Network IP’s and Ports
• Filesystem Access
Sandbox Security
• Requested Template’s Security Policy Overrides any Included Templates
• Remove Execute Permission on directories that shouldn’t contain cfm’s (such as images, js, or css folders)
• /images/- (Recursive)
• /images/* (Folder Only)
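The two path forms on this slide differ only in whether subdirectories are covered. The following added example (not part of the deck, and not ColdFusion's own implementation) models that distinction as stated on the slide so a rule can be checked against the files it is meant to cover; the directory listing and rules are constructed.

```javascript
// Models the two sandbox path forms from the slide:
//   "/images/-"  every file under /images, recursively
//   "/images/*"  files directly in /images only (folder only)
// A pattern with neither suffix matches exactly one path. Paths are compared
// after normalising backslashes and collapsing duplicate slashes.
function normalizePath(p) {
  return p.replace(/\\/g, "/").replace(/\/{2,}/g, "/");
}

function sandboxPatternMatches(pattern, filePath) {
  const pat = normalizePath(pattern);
  const file = normalizePath(filePath);
  if (pat.endsWith("/-")) {
    const dir = pat.slice(0, -1);                 // "/images/"
    return file.startsWith(dir) && file.length > dir.length;
  }
  if (pat.endsWith("/*")) {
    const dir = pat.slice(0, -1);
    if (!file.startsWith(dir)) return false;
    const rest = file.slice(dir.length);          // "logo.png" or "sub/x.cfm"
    return rest.length > 0 && !rest.includes("/");
  }
  return pat === file;
}

// Splits a list of paths into those a rule covers and those it misses, so a
// folder-only rule that was meant to be recursive shows up as uncovered files.
function auditCoverage(pattern, candidatePaths) {
  const covered = [];
  const uncovered = [];
  for (const p of candidatePaths) {
    (sandboxPatternMatches(pattern, p) ? covered : uncovered).push(p);
  }
  return { covered, uncovered };
}

// Constructed web-root listing: static assets plus a .cfm in a subfolder,
// the kind of file the execute restriction is meant to keep from running.
const IMAGE_FILES = [
  "/images/logo.png",
  "/images/icons/ok.gif",
  "/images/uploads/unexpected.cfm",
];

const recursive = auditCoverage("/images/-", IMAGE_FILES);
const folderOnly = auditCoverage("/images/*", IMAGE_FILES);
console.log(recursive.uncovered.length, folderOnly.uncovered);
// 0 [ '/images/icons/ok.gif', '/images/uploads/unexpected.cfm' ]
```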
Sandbox Security
• May need to edit jvm.config on enterprise / multiserver to enable it.
• You can also setup a sandbox on Standard Edition, however you can only have one sandbox for the entire server.
Hiding ColdFusion
• Why Hide It?
• To mitigate effectiveness of attacks that might target ColdFusion, or a specific version of ColdFusion.
Hiding ColdFusion
• Disable “Server” HTTP Header
• Discloses Version Numbers
• A Web Server Setting
Content Generating Tags
• Content Generating Tags May Disclose the ColdFusion Version
• Examples: cfform, cfchart, ajax tags, etc.
Disable Direct CFC Access
• Can be 404’d with a URL rewriting filter on the web server such as mod_rewrite, or ISAPI Rewrite.
• Or by removing CFCServlet from web.xml
• Also disables SOAP Web Services
Hiding ColdFusion
• CFM File Extensions
• Choose a file extension other than .cfm (configured in web.xml)
• Use mod_rewrite (Apache), or ISAPI Rewrite (IIS).
CFIDE
• Make Sure /CFIDE/* does not resolve.
• /CFIDE/administrator/ better not resolve publicly.
Web Application Firewalls
• Application Layer Firewall for HTTP
• Log, block, filter malicious requests
• Software or Hardware Based
• PCI DSS 6.6
• Commonly called a “WAF”
Foundeo Web App Firewall for ColdFusion
• Commercial Product
• Software Based - written in CFML
• Works on most Shared Hosts
• Works on CF6+, Railo 3+, OpenBD 1+
• CFC API for custom filters and loggers
• http://foundeo.com/security/
Summary
• Eliminate Defaults
• Remove / Disable things that are not used.
• Use the minimum amount of privilege possible.
• Tradeoffs
• Security vs. Performance
• Security vs. Usability