Written for OWASP (www.owasp.org)
ColdFusion security tips
Taco Fleur, taco.fleur@clickfind.com.au
http://www.clickfind.com.au (sponsor of this article)
Wednesday, 23 January 2008

About the author

Taco Fleur is a ColdFusion programmer with approximately 10 years of ColdFusion experience, and a full supporter of the product. He currently works for www.clickfind.com.au, the Australian business directory/search engine.

Introduction

Over the years ColdFusion (http://www.adobe.com/products/coldfusion/) has sometimes received a bad name for its security. I truly believe this was due to ColdFusion being such an easy language to pick up and work with: web designers with no formal programming education could build applications easily and quickly, and the downside was that some of those applications were easy to break into, because the security knowledge that would have come with a programming education was missing. Following are some security tips which I hope will help novices make ColdFusion applications more secure. And don't stop with these tips; they are not meant to be the ultimate protection for your site.
I've taken every care to be accurate and to provide easy-to-follow examples. If you find any errors, spelling or grammar mistakes, it would be much appreciated if you could let me know at taco.fleur@clickfind.com.au. Please note: this document is currently a work in progress.

Index

SQL Injection
Database Logins
Logging
XSS (Cross Site Scripting)
Cookie Hijacking
Proper Error Handling
Input Validation
Securing Protected Areas
Forms being submitted outside of your domain
Automated data mining

SQL Injection

What is SQL injection? SQL injection is the injection of malicious SQL by an attacker into a statement that your application builds from user input. It turns your normally safe SQL statement into one that could read other users' data, delete records, drop tables, and much more, depending on the rights of the database login behind the data source. Let's go to a simple example:

SELECT myColumn FROM myTable WHERE myIdentity = #url.myIdentity#

The above query fetches a record based on the value of url.myIdentity. You might trust the input to always be an integer like 1, 2, 3, 101 and so on, but what if someone modified the URL value (which is not hard to do) to

1; DELETE+FROM+myTable

Your previously safe statement would then become:

SELECT myColumn FROM myTable WHERE myIdentity = 1; DELETE FROM myTable

When this reaches your database it first executes SELECT myColumn FROM myTable WHERE myIdentity = 1 and then executes DELETE FROM myTable, which deletes every record in your table. Whether stacked statements like this run depends on the database and driver, but the attacker does not need them: a value such as 1 OR 1=1 rewrites the WHERE clause and returns every row, and a UNION SELECT can pull data out of other tables. This is just the tip of the iceberg.

Solution

You should never trust input from a user, and always validate it; we'll talk more about that later. There are two solutions, and you should probably use both at the same time.
The first is to use cfqueryparam:

<cfquery name="rsGet" datasource="myDSN">
    SELECT myColumn
    FROM myTable
    WHERE myIdentity = <cfqueryparam value="#url.myIdentity#" cfsqltype="cf_sql_integer">
</cfquery>

The cfqueryparam tag checks that the value of #url.myIdentity# is actually an integer, as expected, and if not, it throws an error. The value is handed to the database as a bind parameter instead of being pasted into the SQL text, so attacker-controlled SQL never reaches the database. This is the fix that actually removes the vulnerability; use it on every value, not only integers (cf_sql_varchar, cf_sql_date and so on).

The second step is to convert the numeric characters at the beginning of the string to a number with the ColdFusion function val():

url.myIdentity = val( url.myIdentity );

This turns the URL value 1;DELETE+FROM+myTable into 1, removing the malicious code, and the query doesn't throw an error. Be aware of what val() does with anything that is not numeric: "abc" or an empty string silently becomes 0, so it is a convenience for numeric IDs, not a general sanitiser, and it does nothing for string parameters. You could and probably should use regular expressions to validate input, but I'm trying to keep this document simple.

Database Logins

It is highly recommended to always grant the minimum rights to a database login. After you have created your database you should create separate logins for the different areas and functions of the application. The available privileges depend on your database platform, but let's look at the obvious ones. If part of your application only SELECTs records from the database, then the login it uses should have SELECT rights and nothing else: no DELETE, no DROP, nor anything else that part does not need.

Take www.clickfind.com.au for example: the search functionality only needs SELECT, so we could create a login called user_frontend and grant it SELECT only. That login would never be able to execute DROP, INSERT, GRANT or any other statement, which limits what an injection flaw in the search pages could do. Grant the rights in your database's admin interface; the ColdFusion Administrator adds a second layer under Data Sources > select the data source > Show Advanced Settings, where you tick the SQL operations this data source is allowed to issue. The Administrator setting is a filter inside ColdFusion and not a substitute for the database-level permissions; set both, and always keep them to the bare minimum.
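The SQL Injection section above parameterises one integer. The cases that trip people up in practice are strings, lists of ids, and ORDER BY, which cfqueryparam cannot bind at all. The following is an added example, not code from the original article; the table tbl_classified, its columns, the datasource name myDSN and the URL parameter names are assumed for illustration.

```cfml
<!--- Added example (not from the original article): parameterising the cases the
      SQL Injection section does not show. Table tbl_classified, its columns and
      datasource "myDSN" are assumed for illustration. --->

<!--- cfqueryparam cannot bind an identifier, so ORDER BY must come from a whitelist.
      The raw url.sort value is never placed in the SQL; the whitelisted copy is. --->
<cfset variables.sortable = "title,dateAdded,price">
<cfparam name="url.sort" default="dateAdded">
<cfset variables.pos = listFindNoCase( variables.sortable, url.sort )>
<cfif variables.pos>
    <cfset url.sort = listGetAt( variables.sortable, variables.pos )>
<cfelse>
    <cfset url.sort = "dateAdded">
</cfif>

<!--- A comma-separated list of ids from the URL, e.g. "3,17,42", and a search keyword --->
<cfparam name="url.ids" default="">
<cfparam name="url.keyword" default="">

<cfquery name="rsClassifieds" datasource="myDSN">
    SELECT classifiedIdentity, title, dateAdded, price
    FROM tbl_classified
    WHERE 1 = 1
    <cfif len( trim( url.keyword ) )>
        <!--- String parameter: bound, not concatenated. maxlength rejects oversized input.
              The % wildcards are part of the bound value, never part of the SQL text. --->
        AND title LIKE <cfqueryparam value="%#trim( url.keyword )#%"
                                     cfsqltype="cf_sql_varchar" maxlength="102">
    </cfif>
    <cfif len( url.ids )>
        <!--- list="true" expands to one bind parameter per element; every element
              must pass the cf_sql_integer check or the query throws before it runs. --->
        AND classifiedIdentity IN (
            <cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">
        )
    </cfif>
    <!--- safe only because url.sort was replaced with a whitelisted value above --->
    ORDER BY #url.sort#
</cfquery>
```

A request such as classified.cfm?ids=1,2,3%20OR%201=1&sort=title;DROP%20TABLE%20tbl_classified ends in a cfqueryparam error for the list and a fall-back to dateAdded for the sort; in neither case does any attacker text reach the SQL parser.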
Logging

Logging is mostly overlooked as playing an important part in securing an application; in reality it plays a very important part. Without proper logging you might never know that someone is running an automated password attack against your website, probing for administrator areas, or looking for other holes in your application.

To log 404 errors you should set up a custom error page in your web server. This varies from web server to web server; in IIS the steps are:

- Navigate to the website in question under IIS
- Right-click the website and select Properties
- Click the Home Directory tab
- Click Configuration
- Double-click the ColdFusion file extension .cfm
- Tick "Verify that file exists" (without this, IIS hands every request for a .cfm URL to ColdFusion even when no such file exists, and the web server never produces the 404)
- Do this for all ColdFusion file extensions
- Do the same under wildcard application maps
- Click OK when done
- Click the Custom Errors tab
- Scroll down to the 404 error and double-click it
- Change Message type to URL
- Enter /404.cfm
- Click OK to get out of all the screens

Now we need a ColdFusion page that logs all 404 errors to a database and emails them. You might think the emails will fill up your inbox, but realistically your application should not produce any 404 errors at all, so you would only be notified when someone is trying to do things they are not supposed to, or when someone followed an outdated link, in which case you want to get that link updated. The ColdFusion page would look something like the following:

<!--- 404.cfm: tell the client (and the search engines) that this really is a 404 --->
<cfheader statuscode="404" statustext="Not Found">

<!--- Email the details to the support address --->
<cfmail to="support@clickfind.com.au" from="support@clickfind.com.au"
        subject="404 Error on clickfind.com.au">
Script name: #cgi.script_name#
Query: #cgi.query_string#
Referer: #cgi.http_referer#
Date Time: #lsDateFormat( now() )# #lsTimeFormat( now() )#
Remote Address: #cgi.remote_addr#
Reverse DNS: #request.rDNS#
</cfmail>

<!--- Log the request; every value here is client-supplied, so bind it --->
<cfquery datasource="myDSN">
    INSERT INTO [error404] ( [url], [ipAddress], [reverseDNS], [userAgent], [cookie] )
    VALUES (
        <cfqueryparam value="#cgi.script_name#?#cgi.query_string#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#cgi.remote_addr#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#request.rDNS#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#cgi.http_user_agent#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#cgi.http_cookie#" cfsqltype="cf_sql_varchar">
    )
</cfquery>

<h1>404 Error</h1>
<p>Some text here explaining to the user that they followed an outdated link, and maybe some links to other actions they might want to perform.</p>
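The text that follows the 404 page suggests going one step further: keep the 404 hits in the application scope and treat more than 60 from one address in a minute as an automated scan. The following is an added example of that check, not code from the original article, intended to sit at the very top of the 404.cfm page above before the mail and insert run. The 60-per-minute figure is the article's; the application.hits404 structure and the other variable names are mine, and the 403 response is one possible way to deny further access.

```cfml
<!--- Added example (not from the original article): per-address 404 counter in the
      application scope, for the top of 404.cfm. Names (application.hits404,
      variables.*) are illustrative; the 60-per-minute threshold is the article's. --->
<cfset variables.windowSeconds = 60>
<cfset variables.maxHits = 60>
<cfset variables.ip = cgi.remote_addr>

<!--- The application scope is shared by every request, so reads and writes are locked --->
<cflock scope="application" type="exclusive" timeout="5">
    <cfif not structKeyExists( application, "hits404" )>
        <cfset application.hits404 = structNew()>
    </cfif>
    <cfif not structKeyExists( application.hits404, variables.ip )>
        <cfset application.hits404[ variables.ip ] = arrayNew( 1 )>
    </cfif>

    <!--- Keep only timestamps inside the window, then record this hit. Pruning on
          every request keeps the array bounded even for an address that scans for hours. --->
    <cfset variables.recent = arrayNew( 1 )>
    <cfloop from="1" to="#arrayLen( application.hits404[ variables.ip ] )#" index="variables.i">
        <cfset variables.ts = application.hits404[ variables.ip ][ variables.i ]>
        <cfif dateDiff( "s", variables.ts, now() ) lt variables.windowSeconds>
            <cfset arrayAppend( variables.recent, variables.ts )>
        </cfif>
    </cfloop>
    <cfset arrayAppend( variables.recent, now() )>
    <cfset application.hits404[ variables.ip ] = variables.recent>
    <cfset variables.hitCount = arrayLen( variables.recent )>
</cflock>

<cfif variables.hitCount gt variables.maxHits>
    <!--- More than one 404 per second from one address: answer cheaply and skip the
          mail and database insert below, which is what a scanner would otherwise flood. --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
```

The count is per cgi.remote_addr, so a corporate proxy or NAT gateway that fronts many users can trip it through no fault of theirs; that is why the example only refuses the 404 page itself rather than blocking the address site-wide, and why the window is short.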

We always want to adhere to the Internet rules and make sure search engines receive a real 404 status when they request an outdated link, which is why we return 404 in the header with the cfheader tag. Then we email the error to support @ your domain. Note that request.rDNS is not a native ColdFusion variable. Getting the reverse DNS gives you more information about who requested the missing page, and I believe it is an important piece of information to include, but it requires some custom written classes, which would be too detailed for this article. Please see http://www.google.com.au/search?hl=en&q=coldfusion+reverse+dns&meta= for resources on reverse DNS in ColdFusion. And finally, we log the 404 in the database. Remember that everything logged here (referer, query string, user agent, cookie) is attacker-supplied: bind it with cfqueryparam when you store it, and escape it when you later display the log in a browser, or the log viewer becomes the place where injected script runs.

If you want to go further and gain more protection, you could track the requests in the application scope and check whether more than 60 x 404 requests have been made from one address within one minute; that is one request per second, and you can be assured that is an automated attack. Based on this information you could deny further access to the site. Keep in mind that many users can share one address behind a corporate proxy or NAT, so any block should be short-lived and logged.

XSS (Cross Site Scripting)

Cookie Hijacking

I have to say that the jury is still out on the following functionality I came up with. I am pretty sure it protects, or at least makes a malicious user's life more miserable, but I can't say for sure whether it is foolproof. I've been told, and I know, that an IP address can be spoofed, but I do believe that no data can be received back by the user making the request with a hijacked cookie. If you have any other information or thoughts about this solution, please let me know at taco.fleur@clickfind.com.au

In your application file you would set a cookie. You would put this in onSessionStart, or alternatively in Application.cfm after first checking whether it already exists.
Upon each request you would verify the cookie against the value you set. This only works with browser-session cookies, i.e. the ones that are removed when the browser closes; with a persistent cookie it would not work. Once again, this is still experimental; come to think of it, I probably should not have included it here yet, but I might as well and get some feedback on it. Whatever you do with this idea, do the basics first: mark the session cookies HttpOnly so that script injected through an XSS flaw cannot read them, and mark them Secure on an SSL site so they are never sent in the clear. Tying a session to the client IP address also fails for legitimate users whose address changes during a session (mobile networks, some proxy farms), so expect false alarms.

Proper Error Handling

You might ask yourself "Why worry about error handling?", but have you had a proper look at the information that is displayed when a ColdFusion error is thrown? It can give malicious users information such as the configuration, the physical location of the application, the datasource name, database tables, and maybe even usernames and passwords, plus much more that is very valuable to someone trying to do harm. On a production machine you should prevent any debugging output from being displayed, and to save resources you should turn debugging completely off in the ColdFusion Administrator. Use an error handler in your application that catches all errors, notifies you of the error, logs it, and shows the user a friendly message instead of a white page full of things they cannot understand. Keep the message as simple as possible; on www.clickfind.com.au we try to make it a little fun, and the heading of our page is "Oops!":

<cfoutput>
<h1>Oops, there was a problem!</h1>

<p>The problem could be caused by a network, database, programming (we're only human) or connection problem; you could try again to see if the problem is solved.</p>

<p>The technical team (support@clickfind.com.au) has been notified of the problem and will work on fixing this issue as soon as possible.</p>

<p>A reference number for this problem is [reference number here]</p>

<h2>Additional information</h2>

<p>Following is some additional information that might be helpful.</p>

<!--- adjust this test to however your application stores the signed-in user --->
<cfif structKeyExists( session, "User" )>
    <p>You are signed in as #session.User.getScreenName()#</p>
<cfelse>
    <p>You are not signed in.</p>
</cfif>

<noscript><p>You do not have JavaScript enabled.</p></noscript>

<!--- the CFID cookie only comes back if the browser accepts cookies --->
<cfif structKeyExists( cookie, "CFID" )>
    <p>You accept cookies.</p>
<cfelse>
    <p>You do not accept cookies; you should know that this site requires cookies to be enabled.</p>
</cfif>

<p>Your IP address is #cgi.remote_addr#</p>

<p>Your reverse DNS is #request.reverseDNS()#</p>
</cfoutput>

The above information gives the user confidence that the error is being looked at, and the information displayed helps you debug the error if you are speaking to the client on the phone; it might be that they do not have cookies or JavaScript enabled, and the output above tells you that. Notice what the page does not show: no error message, no stack trace, no SQL, no file paths. Those go in the email and the log, never to the browser.

The following gives you some idea of how to set up error handlers in your application. If you are on ColdFusion MX 7 or higher you would use the onError event handler in Application.cfc:

<cffunction name="onError" returntype="void" output="true">
    <cfargument name="exception" required="true">
    <cfargument name="eventName" type="string" required="true">

    <!--- adhere to the Internet rules: this is a server error --->
    <cfheader statuscode="500" statustext="Internal Server Error">

    <!--- notify yourself with everything needed to debug it --->
    <cfmail to="support@clickfind.com.au" from="support@clickfind.com.au" type="html"
            subject="Error on #cgi.server_name#: #arguments.eventName#">
        <p>#cgi.script_name#?#cgi.query_string#</p>
        <cfdump var="#arguments.exception#">
    </cfmail>

    <!--- log it, then show the friendly page above (saved here as error.cfm) --->
    <cflog file="application" type="error" text="#arguments.eventName#: #arguments.exception.message#">
    <cfinclude template="/error.cfm">
</cffunction>

Note that output is set to true, because you will be displaying HTML to the user upon an error. Between the function tags you have a cfmail to notify you of the error and send you the information about the error itself, the HTML with the friendly message for the user, and, last but not least, a 500 status so that we adhere to the Internet rules. In ColdFusion MX 6 you would use the cferror tag to include an error template that performs the same actions:

<cferror type="exception" template="/error.cfm" mailto="support@clickfind.com.au">

Input Validation

You cannot rely on your users to always understand what they need to enter in your form fields; sometimes they make a mistake, don't understand, or are trying to break your system and enter characters you would not expect. For example, you are expecting a date like 05/11/72 but someone writes 5 Nov 1972, or a malicious user types HTML or script tags instead of a name into a first name field. Client-side validation with JavaScript should only be considered a nice feature to make life easier for your users; it should never be seen as the final solution for data validation, because JavaScript can be turned off in the browser and bypassed with ease. ColdFusion server-side validation is the only way to be sure you are validating the data. What can happen if you don't validate your data?
You can end up with a messy database full of information that is worth nothing, it can crash your application, or worse, a malicious user could insert nasty tags that grab people's cookies and hijack their sessions. ColdFusion now has some great tags that can handle the validation for you, but I've stuck with the old school and like to have full control with regular expressions. If you are expecting an integer you can use the ColdFusion function val(). When you expect alphanumeric characters and spaces only, you could use the following regular expression:

<cfset form.firstName = reReplace( form.firstName, "[^A-Za-z0-9 ]", "", "all" )>

The above basically means: remove everything BUT the characters A to Z, the digits 0 to 9 and a space. Stripping is forgiving, but it silently changes what the user typed (O'Brien becomes OBrien); where the value matters it is better to reject instead, for example if not reFind( "^[A-Za-z0-9 ]{1,50}$", form.firstName ) then send the form back with an error. You can get pretty fancy with regular expressions and start checking the format of a string, too. Whatever you keep, bind it with cfqueryparam when it goes to the database and pass it through HTMLEditFormat() when it goes back to the browser: validation shrinks the attack surface, but encoding on output is what stops the cookie-grabbing tags from running.

Securing Protected Areas

Securing a protected area might sound easy to do, but here are some things to consider:

- have your username and password posted to a page under SSL
- hash passwords in the database so that even if the database is compromised no passwords can be retrieved; this also protects the passwords against snooping employees
- destroy all session variables upon sign out
- use a session time-out
- log all sign-in events and deny access to someone who has many unsuccessful sign-in attempts

SSL

To make sure the page you post the username and password to is under SSL, you can put the following ColdFusion code on the page that serves the sign-in form as well as on the page that accepts the details:

<cfif cgi.https neq "on">
    <cflocation url="https://#cgi.server_name##cgi.script_name#" addtoken="no">
</cfif>

The above code redirects the user to the SSL version of the page. Put it on the form page, not only on the action page: if the form was served over plain HTTP and posts to a plain HTTP action page, the password has already crossed the network in the clear before the action page gets a chance to redirect, so the redirect protects nothing. The form's action must be an https:// URL, and the page that renders the form must have been fetched over https as well.

Hashed passwords

When you work with hashed passwords, you'll need to start by inserting a hashed version of the password chosen by the user.
When the user signs up and picks a password, you would use the following code to create a hash of the password and insert it into the database:

variables.hashedPassword = hash( form.password & application.seed );

where application.seed holds a string known only to your application (for example "stringonlyknownbyme"); keep it in one place, such as application.seed, so that sign-up and sign-in use exactly the same value. Someone who chose the password test with that literal ends up with the following hash in the database:

79D2F01DE1937C0D6D9608C7026DD8FA

After you have stored the hash you never have to deal with the real password again. To check whether the user entered the right password when signing in, you would use the following ColdFusion code:

<cfset variables.hashedPassword = hash( form.password & application.seed )>

<cfquery name="rsLoginCheck" datasource="myDSN">
    SELECT myIdentity, username, password
    FROM tbl_user
    WHERE ( username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50"> )
      AND ( password = <cfqueryparam value="#variables.hashedPassword#" cfsqltype="cf_sql_varchar" maxlength="32"> )
</cfquery>

<cfscript>
if ( rsLoginCheck.recordCount neq 0
     and rsLoginCheck.username is form.username
     and rsLoginCheck.password is variables.hashedPassword ) {
    // handle logic here to do whatever needs to be done for a successful sign in
} else {
    errorMessage = "Oops! Those aren't the right sign in details. Please try again";
}
</cfscript>

Two caveats on this scheme. hash() without an algorithm argument is MD5, which is very fast to compute, and a single application-wide secret means two users with the same password get the same hash, and the whole table can be attacked with one precomputed list if the secret ever leaks. Store a random per-user salt next to each hash and use a stronger algorithm (hash() accepts "SHA-256" and others from MX 7 onwards; a purpose-built password hash such as bcrypt or PBKDF2 is better still). Also show the same error for a wrong username and a wrong password, as the code above does, so an attacker cannot enumerate valid usernames.

Destroy session variables

To destroy all session variables set during the session you would use the following code:

<cfset structDelete( session, "user" )>

Replace user with the session variable you've set. Note that this only empties the session data; the CFID and CFTOKEN cookies still identify that session, so on sign out also expire them with cfcookie (expires="now").

Session time-out

Use a session time-out that is not too high; 20 or 30 minutes will usually do. Setting the time-out high not only consumes unnecessary resources on the server, it also gives a malicious user more time to try to gain access to a session that has not been destroyed.

Forms being submitted outside of your domain

It is very easy for a malicious user to write a script that submits form values to your website. They might do this to submit spam, create fake accounts or for plenty of other reasons.
You can prevent this from happening, or at least make it more difficult, by checking the referrer in the request headers. You do this as follows:

<cfif not reFindNoCase( "^https?://(www\.)?yourdomain\.com(/|$)", cgi.http_referer )>
    <cfabort showerror="Forms must be submitted from this site.">
</cfif>

We use a regular expression here because if you used contains, a malicious user might be smart enough to put your domain in the referrer through a query string. They could create a link on their site with the following string in the URL, ?somedomain=http://www.yourdomain.com, and when clicked it would activate the script. Obviously the referrer would contain your domain, but not at the start of the string, which is what the regular expression checks for. Anchor the end of the host as well, as above, or http://www.yourdomain.com.evil.example/ would pass. Bear in mind what this check can and cannot do: the Referer header is set by the client, so the scripted submissions this section opens with can send any referrer they like, and some legitimate users (privacy proxies, some firewalls) send none at all and would be rejected. It stops casual cross-site form posts; for real protection, put a random token in the session, echo it in a hidden form field, and accept the post only when the two match.

Automated data mining

Someone data mining your site could cost you bandwidth, crash your application, and possibly damage your reputation if they post the information elsewhere. One way to make life harder for someone trying to mine your site is to hash the identities of the records you are hosting. Let's say you have a website that displays classifieds, and you want to make sure no one can easily mine them. Say the URL to display a classified is

http://www.yourdomain.com.au/classified.cfm?classifiedIdentity=20

It would be easy to write a cfloop from 1 to 100000 with a cfhttp request inside, use cffile to write the content to disk, and work on the data later. An easy way to prevent this is to add a hash of the classifiedIdentity, turning your URL into

http://www.yourdomain.com.au/classified.cfm?classifiedIdentity=20&hash=2924E8B24402E85105533CF97CD24BF9

Every link you render must carry this hash, computed for example as hash( classifiedIdentity & application.seed ), and in your classified.cfm page you would implement the following code to check it:

<cfparam name="url.hash" default="">
<cfif hash( url.classifiedIdentity & application.seed ) neq url.hash>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

A wrong or missing hash gets the same response as a page that does not exist, so a loop over identities learns nothing. This only defeats guessing identities; a scraper that follows your own listing pages still receives valid links, and the scheme depends on the seed staying secret. There are obviously many more ways to prevent automated data mining; the above is just one example.
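The Hashed passwords section above uses one application-wide secret and the default MD5 hash. The following is an added example, not code from the original article, of the same sign-up and sign-in flow with a random per-user salt and SHA-256, and with the sign-in query looking the user up by name only so the comparison happens in ColdFusion. The table tbl_user with columns myIdentity, username, password and salt, the datasource myDSN and the variable names are assumed for illustration; sign-up and sign-in would normally live on separate pages and are shown together here only to keep the example in one place.

```cfml
<!--- Added example (not from the original article): per-user salted password hashing.
      Assumes tbl_user( myIdentity, username, password, salt ) and datasource "myDSN". --->

<!--- Sign-up: a fresh random salt for this user, stored alongside the hash --->
<cfset variables.salt = createUUID()>
<cfset variables.hashedPassword = hash( form.password & variables.salt, "SHA-256" )>

<cfquery datasource="myDSN">
    INSERT INTO tbl_user ( username, password, salt )
    VALUES (
        <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#variables.hashedPassword#" cfsqltype="cf_sql_varchar" maxlength="64">,
        <cfqueryparam value="#variables.salt#" cfsqltype="cf_sql_varchar" maxlength="35">
    )
</cfquery>

<!--- Sign-in: fetch by username only, then recompute the hash with that user's salt.
      The same query runs whether or not the name exists, and the error message below
      is identical for a wrong name and a wrong password, so nothing leaks about which. --->
<cfquery name="rsUser" datasource="myDSN">
    SELECT myIdentity, password, salt
    FROM tbl_user
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<cfset variables.signedIn = false>
<cfif rsUser.recordCount eq 1>
    <cfset variables.candidate = hash( form.password & rsUser.salt, "SHA-256" )>
    <!--- compare() is case-sensitive and returns 0 only on an exact match --->
    <cfif compare( variables.candidate, rsUser.password ) eq 0>
        <cfset variables.signedIn = true>
    </cfif>
</cfif>

<cfif variables.signedIn>
    <cfset session.userIdentity = rsUser.myIdentity>
    <!--- log the successful sign-in, then continue to the protected area --->
<cfelse>
    <cfset variables.errorMessage = "Oops! Those aren't the right sign in details. Please try again">
    <!--- log the failure against form.username and cgi.remote_addr so repeated
          failures can be counted and the account or address temporarily locked --->
</cfif>
```

Because each user has a different salt, two users who pick the same password store different hashes, and an attacker who steals the table has to attack every row separately. SHA-256 is still a fast hash, so if your ColdFusion version or a Java library on its classpath offers bcrypt or PBKDF2, prefer that for the hash() call.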
Author: Taco Fleur, 25/01/2008