One benefit of the ColdFusion is that it allows hosting providers to house several ColdFusion applications on the same server. This capability comes with a number of inherent risks that come to light when several users have access to the same server. ColdFusion has many powerful features that can be used to control and manage the server, file system, and other network resources such as databases, and these features can be used maliciously unless access to them is not appropriately restricted. CFML-Based Risks ColdFusion's language is filled with feature-rich functions and tags capable of accessing the system's hard drive, Registry, and network resources. Improper or malicious use of many of these tags and functions by unauthorized developers (or hackers) could compromise the server, thereby compromising the data of other sites hosted on the same box. To mitigate this risk, ColdFusion enables server administrators to restrict developer access to several tags and functions. Table 10.1 shows the ColdFusion MX 7 tags and some of the risks associated with them. Table 10.2 shows the associated risks of ColdFusion MX 7 functions. Table 10.1. ColdFusion Tags and Their Associated RisksTAG | POTENTIAL RISK |
---|
CFCOLLECTION | Can be used to modify or delete collections | CFCONTENT | Can be used to download files outside of Web root | CFCOOKIE | Can be used to write cookies to client browsers | CFDIRECTORY | Can be used to delete, move, and otherwise affect files and directories | CFDOCUMENT | Can be used to create FlashPaper and PDF objects | CFEXECUTE | Can be used to execute arbitrary programs from the command line | CFFILE | Can be used to upload, delete, rename, or overwrite files | CFFTP | Allows users to transfer files between one machine and a remote FTP site | CFGRIDUPDATE | Can be used to update ODBC data sources from within CFGRID | CFHTTP | Can be used to perform GET and POST operations against external serversincluding file uploads, and form, query, and cookies posts | CFHTTPPARAM | Specifies the parameters to use for CFHTTP operations | CFINDEX | Can be used to modify Verity indexes | CFINSERT | Can be used to insert data into data sources | CFINVOKE | Can be used to instantiate components and Web services and call their methods | CFLDAP | Can be used to access LDAP servers | CFLOG | Can be used to mask evidence of an attempted hack | CFMAIL | Can be used to email files on the system | CFOBJECT | Can be used to create and access COM, component, Java, CORBA, and Web service objects | CFOBJECTCACHE | Can be used to clear all cache queries on the server | CFQUERY | Can be used to execute malicious SQL against databases | CFREGISTRY | Can be used to read and set Registry keys | CFREPORT | Can be used to execute ColdFusion and Crystal Reports report documents | CFSCHEDULE | Can be used to manipulate the ColdFusion scheduling engine | CFSEARCH | Can be used to search collections | CFSTOREDPROC | Can be used to execute stored procedures on databases | CFTRANSACTION | Can be used to erroneously commit or rollback database transactions | CFUPDATE | Can be used to update data in a data source |
Table 10.2. ColdFusion Functions and Their Associated RisksFUNCTION | POTENTIAL RISK |
---|
CreateObject | Can be used to create and access COM, component, Java, CORBA, and Web services objects | DirectoryExists | Can be used to inspect the file system to discover whether directories exist | ExpandPath | Can be used to resolve real pathnames | FileExists | Can be used to inspect the file system to discover whether a file exists | GetBaseTemplatePath | Can be used to determine the absolute path of an application's base page | GetdirectoryFromPath | Can be used to determine an absolute path | GetFileFromPath | Can be used to extract a filename from an absolute path | GetGatewayHelper | Can be used to access Java GatewayHelper objects | GetProfileString | Can be used to extract information from an initialization file | GetTempDirectory | Can be used to find the system's temp directory | GetTempFile | Can be used to create temporary files on the system | GetTemplatePath | Deprecated function; same risk as GetBaseTemplatePath | SendGatewayMessage | Can be used to send data across gateways | SetProfileString | Can be used to modify initialization files | ColdFusion administrators can restrict access to all the tags and functions listed in Tables 10.1 and 10.2. Tag and function restrictions are part of sandbox security, discussed in Chapter 9, "Creating Server Sandboxes." RDS-Based Risks Another risk inherent to shared hosting environments is securing the file system. ColdFusion RDS (Remote Development Service) is a powerful feature that lets users read and write to the file system, as well as work with system data sources. However, in a shared environment, it's unwise to allow developers of one application to have access to the files or databases for another application. One solution is to disallow (or disable) RDS access to the server and allow developers to access the server over FTP. This will require that hosting providers set up an FTP account for each application and specify its root as the application's Web root. NOTE Disabling RDS is not a full solution to securing a hosting environment. This must be accompanied by restricting tag usage, such as the <cfregistry>, <cffile>, and <cfdirectory> tags, all of which can be used to gain unauthorized access to resources on the server. Again, tag restrictions are a part of the server sandbox configuration. |