I just came on board with an organization that maintains an app built on ColdFusion 8, Flex 3, and Universe 10.2
I'm also coming up to speed in CF/Flex development, transitioning from .NET/C#.
In .NET/C# there were a number of things you could do to prevent certain types of vulnerabilities in your code, one of them was guarding against SQL injection attacks. I know that UniVerse isn't a SQL native database, so it's not directly susceptible to SQL injection. What I'm trying to discover is if it's vulnerable to this style of attack and how to mitigate any possible vulnerability.
At the moment, the company isn't planning on upgrading, replacing, or migrating the code to other technologies so I'll be stuck with the CF8, flex 3, and Universe.
Thanks all,
Les
I'd say the absolute majority of attacks on ColdFusion websites are to do with people doing one of two things:
1 - Not using cfqueryparam to parameterise SQL queries. Never do this:
<cfquery>
SELECT * FROM table WHERE id = #form.id#
</cfquery>
Instead *always* do this:
<cfquery>
SELECT * FROM table WHERE id = <cfqueryparam cfsqltype="cf_sql_numeric" value="#form.id#" />
</cfquery>
2 - Not cleaning user input, or not using htmlEditFormat() when displaying code from user input. Unless you're positive someone hasn't put a <script> tag into their input, don't do this:
<cfoutput>#user.getForename()#</cfoutput>
Doing this will turn any < or > symbols into their &lt; or &gt; HTML equivalents:
<cfoutput>#htmlEditFormat(user.getForename())#</cfoutput>
I'd say implementing both of those will cover you for the vast majority of attacks, which tend to be rare on ColdFusion sites anyway. Also I personally avoid using any ColdFusion-specific poncy stuff like CFFORMs, instead opting for basic HTML elements where possible. There was a major vuln discovered a few years ago in the FCKEditor code which is bundled into ColdFusion. Don't use the tags, and it's not a problem.
I'm sure people will have other ideas, but parameterising your code is 99% of your work done unless you're letting people upload files to your site, in which case you have all the risks associated with that.
HTH.
O.
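As an added example (not code from this thread), here is how the two rules above look on one complete CF8 page: every form value is bound with cfqueryparam (a varchar with maxlength and a list bound into IN () as well as the numeric id), the shape of the input is checked with isValid() before the query runs, and every column is wrapped in htmlEditFormat() on output. The datasource name myDsn, the customers table and its column names are assumptions; it also assumes the database is reached through a ColdFusion datasource, since that is where cfqueryparam does its binding.

```cfml
<!--- Added example, not from the thread. Datasource "myDsn", table "customers"
      and its columns are assumed names. --->
<cfparam name="form.id" default="">
<cfparam name="form.surname" default="">
<cfparam name="form.statusList" default="active,pending">

<!--- Validate the shape of the input first; reject bad input instead of "cleaning" it --->
<cfif NOT isValid("integer", form.id)>
  <cfthrow type="InvalidInput" message="id must be an integer.">
</cfif>
<cfif NOT isValid("regex", form.statusList, "^[a-z]+(,[a-z]+)*$")>
  <cfthrow type="InvalidInput" message="statusList must be a comma-separated list of words.">
</cfif>

<!--- Every user-supplied value is bound as a parameter, never concatenated into the SQL text.
      maxlength caps the value length; list="true" binds one parameter per item for IN (). --->
<cfquery name="qCustomers" datasource="myDsn">
  SELECT id, forename, surname, status
  FROM customers
  WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#form.id#">
    AND surname LIKE <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.surname#%" maxlength="51">
    AND status IN (<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.statusList#" list="true">)
</cfquery>

<!--- On output, htmlEditFormat() turns <, >, & and " into entities, so a stored
      <script> tag is shown as text rather than run by the browser --->
<cfoutput query="qCustomers">
  <tr>
    <td>#id#</td>
    <td>#htmlEditFormat(forename)#</td>
    <td>#htmlEditFormat(surname)#</td>
    <td>#htmlEditFormat(status)#</td>
  </tr>
</cfoutput>
```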
The htmlEditFormat function has a major drawback. If users are entering data with a rich text textarea, which ColdFusion has, the htmlEditFormat function will transpose tags like <strong>, <p>, etc. when you display it. Probably not what you had in mind.
www.cfib.org is a source of free user defined functions for ColdFusion users. One function, safetext, alters nefarious tags such as script, frame, applet, etc., but preserves the benign ones such as paragraph, ordered list, etc.
Excellent! That's the kind of stuff I'm looking for.