Inspiring
May 3, 2011
Answered

Q: Unauthorised access to coldfusion source cfm

  • May 3, 2011
  • 5 replies
  • 3524 views

From the point of view of security, how easy is it for a visitor to a website to get access to the actual ColdFusion source code, residing in the .cfm pages, that make up a website?

Are there any good practices to follow to help safeguard things, perhaps using includes and placing sensitive source code in those, located outside the public folder on the webserver?

    Correct answer Owainnorth

    The main way people gain access to source code is by managing to upload a file they shouldn't have.

    We've had countless customers with file uploaders that don't check MIME types of files, for example; perhaps simply that the file has a .jpg extension. Hacker uploads an ASP toolkit through your site, figures out the URL it's been uploaded to and pow, they can now browse all your source code and normally the server too.

    With CF, it's FCKEditor that's the weak spot, as it's a flaky open-source piece of crap. There was a vuln found in it a couple of years ago which affected all CF servers if I remember correctly, and Adobe released a patch pretty sharpish.

    Be *very* careful when letting people upload files to your website. That's how they'll getcha.
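The upload weakness described in the accepted answer is that the handler trusts the browser-supplied MIME type or the file extension alone. The following is an added example of a hardened upload handler in CFML; it is not code from the original thread. The staging directory name, the form field name `photo`, and the set of accepted image types are assumptions for illustration. The file is written outside the web root, its first bytes are compared against the real signatures of the allowed image formats, the browser's Content-Type is ignored, and the stored name is generated by the server so an attacker never picks the path.

```cfml
<!--- upload.cfm : hardened upload handler (added example, not from the original post) --->

<!--- Staging directory OUTSIDE the web root. Assumed layout: web root is /site/wwwroot,
      uploads land in /site/private/uploads, which the web server cannot serve or execute. --->
<cfset stagingDir = expandPath("../private/uploads/")>

<!--- Extension allowlist, each with the hex signature(s) a genuine file of that type starts with --->
<cfset magic = {
    jpg  = ["FFD8FF"],
    jpeg = ["FFD8FF"],
    png  = ["89504E470D0A1A0A"],
    gif  = ["474946383761", "474946383961"]
}>

<!--- No "accept" attribute: cffile's contentType comes from the browser and is not trusted here --->
<cffile action="upload"
        fileField="photo"
        destination="#stagingDir#"
        nameConflict="makeunique"
        result="up">

<cfset stagedPath = up.serverDirectory & "/" & up.serverFile>
<cfset ext = lCase(up.serverFileExt)>
<cfset ok = false>

<cfif structKeyExists(magic, ext)>
    <!--- Read only the first 8 bytes of what was actually written to disk --->
    <cfset f = fileOpen(stagedPath, "readBinary")>
    <cfset head = fileRead(f, 8)>
    <cfset fileClose(f)>
    <cfset headHex = uCase(binaryEncode(head, "hex"))>
    <cfloop array="#magic[ext]#" index="sig">
        <cfif left(headHex, len(sig)) EQ sig>
            <cfset ok = true>
        </cfif>
    </cfloop>
</cfif>

<cfif NOT ok>
    <!--- Wrong extension, or extension does not match the bytes: delete and refuse --->
    <cffile action="delete" file="#stagedPath#">
    <cfthrow type="UploadRejected" message="File is not an allowed image type.">
</cfif>

<!--- Server-chosen name: the client-supplied filename never reaches the file system path --->
<cfset finalName = createUUID() & "." & ext>
<cffile action="rename" source="#stagedPath#" destination="#stagingDir & finalName#">
```

Two points worth checking against your own handler. First, a signature check on its own is not enough: a file can begin with valid JPEG bytes and still carry CFML or ASP further in, so the file must also live where nothing will execute it, and be delivered to browsers by a separate script that streams it with cfcontent and a Content-Type taken from the allowlist, never by a direct URL into the upload directory. Second, the extension is taken from the name the server actually wrote (`serverFileExt`), not from the form post, so "shell.cfm" and "shell.cfm.jpg" are judged on what ended up on disk.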

    5 replies

    Community Expert
    May 7, 2011

    In general, source code viewing vulnerabilities have nothing to do with CF, and everything to do with your web server. Currently, I don't think there are any known source code viewing vulnerabilities in IIS 7.x, IIS 6.x, or Apache 2.x. That doesn't mean there won't be any in the future.

    To limit source code vulnerabilities, you can store code outside of the reach of the web server for everything other than the specific scripts that you reference directly via URL. For example, if you're using CFCs that get invoked by CFM pages that are themselves invoked directly from the browser, the CFM files might be vulnerable to a new source code viewing exploit, but the CFCs won't be - and that's where most of your program logic would presumably live. This could also include Application.cfc, which can be stored in a parent directory of the web root that presumably is itself not accessible through the web browser.

    Alternatively - and this is a bit more complicated - you can separate the web server and the application server using either a reverse proxy (my preference) or distributed mode. This requires two physical machines, however.

    Other than that, there really isn't a lot you can do other than ensure your web server is up to date.

    Dave Watts, CTO, Fig Leaf Software

    http://www.figleaf.com/

    http://training.figleaf.com/

    Dave Watts, Eidolon LLC
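The layout described in the reply above, with only the entry-point .cfm inside the document root and the CFCs and Application.cfc in a parent directory, can be wired up with a per-application mapping. This is an added example, not code from the reply or from Fig Leaf; the directory names, the application name, the datasource name `mydsn` and the `User` component are assumptions for illustration. Three files are shown in one block, each preceded by a comment giving its path.

```cfml
<!--- Assumed layout (added example, not from the original reply):
        /site/Application.cfc         private: not reachable over HTTP
        /site/app/model/User.cfc      private: not reachable over HTTP
        /site/wwwroot/index.cfm       the only file under the web server's document root
      The web server's document root is /site/wwwroot. --->

<!--- /site/Application.cfc --->
<cfcomponent output="false">
    <cfset this.name = "sourceprotect">
    <!--- Map "/app" to the private directory beside this file. CFCs are then resolved
          through ColdFusion's own mapping, not through any URL-reachable path. --->
    <cfset this.mappings["/app"] = getDirectoryFromPath(getCurrentTemplatePath()) & "app">
</cfcomponent>

<!--- /site/app/model/User.cfc : the program logic lives here --->
<cfcomponent output="false">
    <cffunction name="init" access="public" returntype="any">
        <cfargument name="dsn" type="string" required="true">
        <cfset variables.dsn = arguments.dsn>
        <cfreturn this>
    </cffunction>

    <cffunction name="getByEmail" access="public" returntype="query">
        <cfargument name="email" type="string" required="true">
        <cfquery name="q" datasource="#variables.dsn#">
            SELECT id, email
            FROM   users
            WHERE  email = <cfqueryparam value="#arguments.email#" cfsqltype="cf_sql_varchar">
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>

<!--- /site/wwwroot/index.cfm : thin, URL-reachable entry point with no logic of its own --->
<cfset userSvc = createObject("component", "app.model.User").init("mydsn")>
<cfset u = userSvc.getByEmail("alice@example.com")>
<cfoutput>Found #u.recordCount# user(s).</cfoutput>
```

If a source-viewing bug ever lets a visitor read index.cfm, all they get is the three lines above; the query and the datasource name are in a file the web server has no path to. One check before relying on this: ColdFusion finds Application.cfc by walking up the directory tree from the requested template, and the Administrator setting that governs the Application.cfc/Application.cfm lookup order must not be set to stop the search at the web root, or the Application.cfc in /site will simply not be found and the mapping will not exist.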
    Legend
    May 3, 2011

    There are books and entire courses on this topic. For source code protection, using includes does very little to protect the code -- if a hacker were to gain unauthorized access to the public directory that contains the empty scripts with the various include tags, he/she can get to the code files being included. Now someone did mention putting xml files on a path under the public directory, this is common and it's done this way so anyone on the outside that has the filename can't simply type it in the browser address bar and download it. XML files don't get processed like cfm files so this is a must.

    I highly recommend www.owasp.org. They cover the various topics in this thread and much more. Hope this helps. Good luck.

    Inspiring
    May 3, 2011

    thank you, I'll check that link out

    Inspiring
    May 3, 2011

    thanks guys, great advice

    Inspiring
    May 3, 2011

    Not sure if it will work, but I once read a suggestion to set the permissions so that all .cfm files are executable only to everyone but you.

    Owainnorth
    Inspiring
    May 3, 2011

    Might work, but IIS or CF are normally in the Users group, which tends to have read permissions over everything.

    Removing these permissions from your websites directory is generally not a bad idea.

    Inspiring
    May 3, 2011

    Think about what you're asking.

    How would a visitor to the website get the CF source code?

    --

    Adam

    Inspiring
    May 3, 2011

    With the recent hacks to Sony's Playstation network, it just set me thinking as to HOW this type of info could be gleaned.

    Obviously in a browser HTTP request, the information is safeguarded, but I don't confess to being fully cognizant with all the different ways the information could be retrieved. Is there anything I should guard against?

    For example a SQL injection can reveal database information. Is there anything along similar lines that can reveal ColdFusion code?

    In addition, there's applications out there that can download websites and save them onto your hard drive - I take it that only works for .html code?
