ColdFusion and Security: Part 1 – Intro

This is the first in a series of articles I plan to write on the subject of ColdFusion and Security. The series will cover topics including server configuration, application security and encryption. Part 1, this article, will introduce the subject and reflect on why I’m interested in the topic, as well as why security in a ColdFusion-based environment is an important issue.

Having worked both as a developer and as an IT security advisor, I count application and server security among my pet subjects. Back in the day, most of the ColdFusion developers I knew had little or no idea about securing their applications, let alone the ColdFusion server software or web server software they were using. Most of the time, these developers were also responsible for securing the production servers their applications were deployed on, as the security folks they dealt with knew next to nothing about ColdFusion. Does this sound familiar?

Mapping CFIDE is a security risk

I’ve been playing a little with the <cfcalendar> tag in an app I’m working on. It seems that for the Flash control to be usable, you need a /CFIDE mapping on your web server, because its supporting scripts are served from under /CFIDE. Which is all well and good, except that on a production-level server you’re a certifiable nutjob if you have a live /CFIDE, as it exposes the CF Administrator (under /CFIDE/administrator) to anyone who can reach the web server. If you need access to the CF Administrator, and therefore to /CFIDE, it should be on a separate virtual server which:

  • responds on a different, preferably non-routable, IP address
  • listens on a non-standard TCP port
  • is turned off unless you are actually changing the CF server settings right now

Now, unless there’s a way to shut off CF Administrator access (short of deleting the administrator directory or IP-limiting it) that I don’t know about (and I’m happy to be proved wrong), having to map /CFIDE on your servers is a significant security risk. It’s certainly not one I’d be prepared to take.

This issue has been mentioned in a number of TechNotes (1, 2) and articles (1, 2 – the second is particularly good and very thorough) at Macromedia, but I’m not reassured that most people setting up ColdFusion servers will read these and take the right action. To my mind, it would be better to have another external directory containing all these assets (Flash tools, Java applets, etc.) which a developer might drop into their app. Keep that directory well away from the /CFIDE.
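To make the split concrete, here is an added example (not from the original post, and not Macromedia’s own guidance) of what the two approaches look like in Apache httpd: the weak setup, which maps /CFIDE into the public virtual host, next to the corrected one, which keeps a copy of only the script assets under a separate alias and moves /CFIDE to an admin-only virtual host on a non-routable address and non-standard port. The host names, paths, addresses and the /cfassets directory are all assumptions; the one ColdFusion-specific assumption is that the application has been pointed at the copied scripts (the cfform tag’s scriptsrc attribute is the usual way to do that) so that it no longer needs /CFIDE at all.

```apache
# --- WEAK: /CFIDE mapped in the public virtual host -------------------------
# http://www.example.com/CFIDE/administrator/ is now reachable from anywhere
# the public site is reachable. (Assumed host names and paths.)
<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/app
    Alias /CFIDE /opt/coldfusion/wwwroot/CFIDE
</VirtualHost>

# --- CORRECTED: public host serves only the copied assets -------------------
# /var/www/cfassets is an assumed directory holding a copy of CFIDE/scripts
# only; nothing from CFIDE/administrator is copied there.
<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/app
    Alias /cfassets /var/www/cfassets
    <Directory /var/www/cfassets>
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>

    # Belt and braces: refuse any request that still names /CFIDE, so a
    # leftover link or a probing scanner gets a 403 rather than the admin UI.
    <LocationMatch "^/CFIDE">
        Order deny,allow
        Deny from all
    </LocationMatch>
</VirtualHost>

# --- CORRECTED: admin-only host, non-routable address, non-standard port ----
# Bind only to the internal address (assumed 10.0.0.5) on an assumed port.
# Remove or comment out this whole block when no administration is in
# progress, as the post recommends.
Listen 10.0.0.5:8180
<VirtualHost 10.0.0.5:8180>
    ServerName   cfadmin.internal
    DocumentRoot /opt/coldfusion/wwwroot
    Alias /CFIDE /opt/coldfusion/wwwroot/CFIDE

    # IP-limit the administrator directory even on the internal host, so only
    # the admin workstation range (assumed 10.0.0.0/24) can reach it.
    <Location /CFIDE/administrator>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/24
    </Location>
</VirtualHost>
```

Two caveats worth checking on a real box. First, the access controls above live in the web server, so they only help if every request for /CFIDE actually passes through Apache: a standalone ColdFusion install also runs its own built-in web server (port 8500 by default), which serves /CFIDE/administrator regardless of what Apache does, so disable it or firewall the port. Second, after applying the change, request http://www.example.com/CFIDE/administrator/ from outside and confirm you get a 403, not a login page; the configuration is only as good as that test.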