Raymond Camden's Blog Rss

ColdFusion Security Reminder - Read me now

15

Posted in ColdFusion | Posted on 05-18-2007 | 4,459 views

I know I've blogged this before, and it's covered in my security checklist, but folks, stop what you are doing and make these changes right now on your production server:

  • In the ColdFusion Admin, Debug Settings, turn off Enable Robust Exception Info.
  • In the ColdFusion Admin, Settings, set a site-wide error handler. You only need to do this if you didn't bother to use onError or <cferror>. You don't need a pretty page. You can just say 'Error!' and be done. This is still 10x better than exposing an error page to your user.

The above changes will take you - approximately - 2 minutes. So please do this.... now.

Comments

[Add Comment] [Subscribe to Comments]

Chad G. said on 05-18-2007 at 9:51 AM #
Ray,

In the CF Admin it says:
Specify the relative path to a template to execute when ColdFusion encounters errors while processing a request.

Relative path to what?
Raymond Camden said on 05-18-2007 at 10:30 AM #
Web root.
Chad G. said on 05-18-2007 at 10:35 AM #
I should have been more specific.

Web root of the CFAdmin? Each web root in IIS?

Thanks Ray!
Bash said on 05-18-2007 at 11:06 AM #
It is relative to the default web site's root. If you have multiple web roots/sites and need a different page for each site you will have to create a default error page and use some redirection/includes to display the appropriate one. There are a couple examples out there I just can't remember where they are at the moment, but Gogle search will probably pull them up.

We have individual servers for our intranet and extranet (obviously for access reasons), but we have two sites on each box. We install CF to the default site and have the actual intranet/extranet as its own site. That way we can limit access to the CFIDE,admin, etc. and just copy over any script files we need for the actual site.

Anyway, because of this we have multiple web roots. What I did was create a mapping in the CF admin then I use that in my default error templates paths.

So, if you have multiple site roots just create a cf mapping to a folder that will hold your error page(s) and if necessary use some url path detection to pull in the desired page.

Hope all of that makes sense.
DK said on 05-18-2007 at 11:09 AM #
Another good one if you are using cf7 is to take the time to read charlie areharts article on sandbox security. At the very least disabling CFExecute and CFRegistry (if you are not making use of them), it takes about 30 seconds, and makes security auditors sleep better at night :)

p.s. earlier versions of CF(5 and older) disabled the administrator if you disabled CFRegistry.
Dan Sorensen said on 05-18-2007 at 11:21 AM #
I assume that it's ok to have my site wide error handler email me the necessary info (since that's done on the server side), while I just display a simple error to the end user.
Ryan said on 05-18-2007 at 12:05 PM #
What are your thoughts on emailing yourself a dump of the exception struct in email, which is unsecured, while showing the user a friendly message?
Raymond Camden said on 05-18-2007 at 1:29 PM #
I'd have no problem emailing the error. I wouldn't email credit card info. :)

Dan: Thats what I do. Well no, that isn't. I use cferror/onError. That to me is more specific to my application. I recommend the Site Wide Error thing as its better than nothing and covers your whole box.

Does that make sense?
Aaron Longnion said on 05-18-2007 at 1:43 PM #
thanks for the reminder, Ray.

here's my errorHandler.cfm, what do you think?
http://cfzen.instantspot.com/blog/index.cfm/2007/5...
Raymond Camden said on 05-18-2007 at 2:10 PM #
I just took a quick glance but seems ok to me. I need to standardize my own emails sometime. Perhaps in a cfe snippet.
david said on 05-20-2007 at 12:34 AM #
funny, right after i read this I tab over to cf-talk on houseoffusion.com and I got this error:

(image link)
http://kamaimedia.com/funnystuff/hof_error_screens...
Joshua Curtiss said on 05-22-2007 at 12:42 PM #
Ray, thanks for the reminder. I have FINALLY implemented a site-wide error handler for my intranet at work.

I encountered some <a href="http://blog.nazin.com/index.php/site-wide-error-ha... issues</a> with config file handling, due to the special behavior of site-wide error handlers. Got it taken care of though.
Michael Dinowitz said on 05-25-2007 at 1:58 AM #
An error in a sitewide error handler will cause the original error to show as if the sitewide error handler did not exist (as seen from the HoF example above)
Joshua Curtiss said on 05-25-2007 at 8:30 AM #
Yeah, that can be a handy way to "abort" your error handler under certain situations, like I described in my blog post, i.e. if it can detect that you are on a development box.

Just last night I got an email from my error handler for a page that used cfabort... I haven't looked into it yet but... will cfabort trigger the site-wide error handler???? If so, that is bad... I use cfabort from time to time, putting some logic at the top of a page and abort if certain conditions aren't met....
Raymond Camden said on 05-25-2007 at 10:07 PM #
Yep, I've seen that before. If you look at the exception type though, you will notice a specific string for cfabort. You can look for - and ignore - that error.

[Add Comment] [Subscribe to Comments]