Planet COSI

Pete Freitag: Writing Secure CFML cfObjective 2013 Slides

Thu, 16 May 2013 19:37:38 +0000

Here are the slides to my cf.Objective() 2013 presentation Writing Secure CFML, thanks to those who attended. Please stop by the Foundeo Inc. booth and say hi, if you are at the conference.

I will be speaking on Locking Down ColdFusion tomorrow (Friday) at 10:10

Pete Freitag: Upgrading to Java 7 on Linux

Wed, 10 Apr 2013 23:09:00 +0000

Today I upgraded Java from 1.6 to 1.7 on a CentOS (RHEL) 6 Linux server, and ran into a small issue. Typically when I install java on linux I use the RPM packages, this allows you to run multiple versions of Java incase you need to roll back to a prior version. They have always worked flawless for me, until today. I typically install the rpm like so:

rpm -ivh jdk-7u17-linux-x64.rpm

But doing that yielded an error:

file /etc/init.d/jexec from install of jdk-2000:1.7.0_17-fcs.x86_64 conflicts with file from package jdk-2000:1.6.0_37-fcs.x86_64

So you can't have both 1.6 and 1.7 installed at the same time using the java RPM installers.

The solution is to run the rpm command with the -U flag instead of the -i flag (to upgrade instead of install). Make sure you stop all processes using Java (eg ColdFusion, etc) first, then run:

rpm -Uvh jdk-7u17-linux-x64.rpm

Pete Freitag: J2EE Sessions in CF10 Uses Secure Cookies

Fri, 05 Apr 2013 20:20:00 +0000

This week I helped out a client resolve an issue due to a change in behavior from CF9 to CF10. CF10 automatically adds the secure flag to cookies when the request is over a secure HTTPS channel. CF9 and lower do not add the secure flag to your JSESSIONID cookies when the request is over HTTPS, you can set a flag to force it in all cases (by editing jrun-web.xml), but there is no way to do it conditionally.

It turns out this is a feature of Tomcat, not CF10

I did some digging in the Tomcat source code and found that this functionaility is hard coded into Tomcat, and there is no config to control it. If you are curious you can see the source code here: ApplicationSessionCookieConfig:141

// Always set secure if the request is secure
if (scc.isSecure() || secure) {
    cookie.setSecure(true);
}

This can lead to session loss, BUT it is also a good security feature

The secure flag on a cookie means that it will only send the cookie over a secure channel like HTTPS, so when a JSESSIONID cookie is set with a secure flag, it will not be sent on a HTTP request that is not HTTPS, so you have two sessions one for HTTPS and one for HTTP.

You can't securely share a session on both HTTP and HTTPS

While a lot of people want to share a session between http and https there is no way to do it in a secure way, once the JSESSIONID is sent over HTTP you have an opportunity for a man in the middle to snatch it.

A good way to solve this problem is to only use sessions on HTTPS, for any url that requires a session make sure it is over HTTPS. The best is to simply use HTTPS for everything.

For this particular customer it would take a major rewrite to accomodate all HTTPS or to switch away from J2EE sessions (note for CFID/CFTOKEN sessions you can controll the secure flag of the cookies in the Application.cfc using this.sessionconfig.secure=true/false). So they needed a workaround.

Here is a workaround (but know that it lessens the security of your sessions over https)

Keep in mind this workaround decreases security. So we need to remove the secure flag from the JSESSIONID cookie, and there is no easy way to do this in Tomcat or CFML that I'm aware of. So my solution was to rewrite the cookie in IIS using URL Rewrite, here's how you do this:

Install Microsoft URL Rewrite for IIS: http://www.iis.net/downloads/microsoft/url-rewrite
Close IIS, and open it again.
Click On the root server level node of IIS (so that this is applicable to all sites on your server),
Double Click on the URL Rewrite icon
Click on Add Rule(s)
Under Outbound Rules select Blank Rule
Give it an arbitrary name, eg RemoveSecureFlagOnJSESSIONID
Under Match, select Matching Scope: Server Variable
For Variable name use: RESPONSE_Set-Cookie
Variable Value: Matches Pattern
Using: Regular Expressions
Pattern: ^(.*JSESSIONID.*)Secure;(.*)$
Under Action, Action Type: Rewrite
Action Properties: Value: {R:1}{R:2}
Check replace existing server variable

Or here's how you can add it to a single site using web.config files:

<rewrite>
            <outboundRules>
                <rule name="RemoveSecureJessionID">
                    <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*JSESSIONID.*)Secure;(.*)$" />
                    <action type="Rewrite" value="{R:1}{R:2}" />
                </rule>
            </outboundRules>
</rewrite>

Note you can also use this technique to improve the security of JSESSIONID cookies on CF9 and lower by adding a HttpOnly flag or a secure flag to the cookie.

Pete Freitag: Learn about ColdFusion Security at cfObjective 2013

Wed, 06 Mar 2013 20:10:00 +0000

For the past two-three months ColdFusion has been increasingly targeted by attackers, as many have found out the hard way. Because my company Foundeo Inc. does a lot of work related to security on ColdFusion we have seen first hand a lot of interest in improving security practices among CF developers and administrators.

One great way to learn about improving the security of your ColdFusion server and applications is to attend the cf.Objective() conference, May 15-18th 2013. Here are some sessions that focus on security:

Beyond Encrypt(): Asymmetric Encryption, Digital Signature, and more - Phil Duba
Web Hacking Tools - David Epler
Locking Down CF Servers - Pete Freitag (me)
Writing Secure CFML - Pete Freitag (me)
Mobile but Secure - Bilal Soylu

I also want to point out that Foundeo Inc. is a sponsor of cf.Objective() and will have a booth, so please stop by and ask your security questions or learn about FuseGuard and HackMyCF.

Pete Freitag: Session Loss and Session Fixation in ColdFusion

Fri, 01 Mar 2013 21:39:00 +0000

I often find myself explaining how the session fixation security hotfix (APSB11-04) might cause session loss under certain circumstances, so I figured it was time for a blog entry explaining it.

Ok, first what is session fixation?

A session fixation vulnerability exists when an attacker can direct the victim to use a specific session identifier. So for example, suppose I say hey follow this link:

http://example.com/index.cfm?CFID=1&CFTOKEN=2

Now when you visit this link, if CF allows you to use that new session identifier to maintain valid session, you have a session fixation problem. The attacker can now mirror the session id on his computer and also have access to your session.

How does ColdFusion session fixation protection work?

ColdFusion now checks to see if the CFID/CFTOKEN passed in the url, cookie, form, etc are valid for the current ColdFusion application. If the CFIDE/CFTOKEN passed do not correspond to a valid session in the CF application, then a new set of CFID/CFTOKEN is generated and set as cookies.

So how does this lead to session loss?

The only circumstances I'm aware of which causes session loss is due to having multiple ColdFusion applications that reside on the same domain, with different application names.

So assume I have a domain with two ColdFusion applications /apples/ and /oranges/ each folder has its own Application.cfc or Application.cfm with a different application name (eg this.name="apples" and this.name="oranges").

Now consider the following condition:

Request /apples/
Successfully logs in under /apples/
Makes a request under /oranges/
Makes a request back to /apples/ (they appear to be logged out)

And here's what happens:

User is given a set of cookies CFID=1 CFTOKEN=1
Session variable is set to keep user authenticated with session CFID=1 CFTOKEN=1
CF see's CFID=1 CFTOKEN=1 and says that is NOT a valid session for the Application "oranges", here's a new set of session ids: CFID=2 CFTOKEN=2
CF see's CFID=2 CFTOKEN=2 and says that is NOT a valid session for the Application "apples" here's a new set of session ids: CFID=3 CFTOKEN=3, you are still technically logged in under CFID=1 and CFTOKEN=1 but your cookies no longer correspond to that session, so for all intensive purposes you are logged out of /apples/

So how do you prevent the session loss?

There are a few ways you can do this:

Set a path on the CFID and CFTOKEN cookies so the browser sends the correct cookie to the correct domain, you can do this in OnSessionStart if you specify this.setclientcookies=false. You can see an example of how to set the session cookies in my blog entry on HttpOnly session cookies.
You can set both application names to be equivalent, that is change this.name="apples" to this.name="fruit" and this.name="oranges" to this.name="fruit" this will cause the two applications to also share application and session scopes, so that may not be a good idea if your applications clash on naming.
You can disable the session fixation patch in ColdFusion by adding the JVM argument -Dcoldfusion.session.protectfixation=false to your server. This is a good way to find out if the session fixation patch is indeed causing your problem, or if it is something else. I recently helped a client with session loss, and their problem actually ended up being on the load balancer so it is handy to test using this before making code changes. But keep in mind that when you do this you are giving up some security.

How can I further protect myself from session fixation

This patch doesn't fully protect you from session fixation attacks, you really should rotate session id's after a successful login, and terminate the session on logout. You can do this with two new functions on ColdFusion 10, SessionRotate() and SessionInvalidate().

Pete Freitag: FuseGuard 2.3 Released

Wed, 27 Feb 2013 23:49:00 +0000

My company Foundeo Inc. released version 2.3 of FuseGuard our Web Application Firewall for ColdFusion (and Railo too) servers.

This is a free upgrade for all customers already running version 2.0-2.2, here's a list of what's new in this release:

Updates to FuseGuard Manager (our web admin) include an updated responsive layout powered by Bootstrap, pagination on log tables, and other minor viewing tweaks.
Built-in support for X-Forwarded-For headers that are often used with Load Balancers and proxy servers. Must be turned on with firewall.setUseXForwardedFor(true) in configurator
Additional configuration settings for the IDValidationFilter and ScopeInjectionFilter
Implemented Content-Security-Policy headers and X-Frame-Options headers for FuseGuard Manager
Improved Railo Compatibility
CrossSiteScriptingFilter now more strict in non-form scopes
Added UTF7 bom detection in query string
Added the FuseGuardApplication component to simplify deployment in Application.cfc

I hope you will spend a few minutes to download a trial and see how easy it is to add an additional layer of security to your ColdFusion applications with FuseGuard.

If you want to see how it works you can also watch this 10 minute video on YouTube.

Pete Freitag: CKEditor Spell Checker Plugin

Fri, 21 Dec 2012 19:07:00 +0000

There is now an official CKEditor plugin for Foundeo Spell Checker which you can use to add a spell checker button to the CKEditor toolbar. We've had this unofficially for a while but wanted to put it out there for everyone to get.

This plugin has been tested on both CKEditor 3 and 4.

Pete Freitag: Adobe Says Go Ahead and Upgrade your ColdFusion JVM

Wed, 24 Oct 2012 19:14:00 +0000

This probably flew under the radar to many but Adobe has recently updated one of their support docs on upgrading JVM in ColdFusion, they now clearly state that you can upgrade to the latest minor release of a supported jvm version in ColdFusion:

All ColdFusion users can upgrade Java to the latest minor version for their ColdFusion servers. For example, ColdFusion customers using jdk 1.6.0_x can upgrade to the latest jdk 1.6.0_x update. (At the time of writing, the current version is jdk 1.6.0_35.) All future JDK 1.6.0_x releases are supported.

See http://helpx.adobe.com/coldfusion/kb/upgrading-java-coldfusion.html for details.

This is great news because Oracle frequently releases security and bug fixes for Java, and ColdFusion customers have been reluctant to upgrade the JVM in the past due to worry about Adobe Support.

Timothy Fanelli: Homework 3

Mon, 22 Oct 2012 17:31:52 +0000

Everyone’s design project 1 implementation should have a “Gesture” hierarchy (wether you called it Gesture or not, doesn’t matter) and a “Scoring” hierarchy. Many of you also have a Player or “hand” object. For homework 3, you must implement the … Continue reading →

Pete Freitag: Announcing CFML Weekly Email

Fri, 19 Oct 2012 19:00:00 +0000

I'm a huge fan of the weekly email newsletters: JavaScript Weekly and HTML5 Weekly from Peter Cooper. Keeping up with technology via blogs, twitter, etc is difficult to do, so getting sent an email summary of important or interesting things saves me a lot of time.

Being an avid ColdFusion developer, I couldn't help but think something like this would be great for ColdFusion as well, so... I created one:

I wanted something super simple to send the emails with, so I choose tinyletter, it's a service that was originally written in CFML by Philip Kaplan, which he sold to MailChimp. I'm not sure if it is still running on CFML after the acquisition, MailChimp favors PHP.

TinyLetter will work until we get to 5000 subscribers, then we will have to choose something else, right now after announcing this on twitter a few minutes ago we already have over 60 subscribers!

The first issue will be sent today!

Timothy Fanelli: EE363 Exam 1 Solution

Fri, 12 Oct 2012 18:50:16 +0000

Here is a final solution to Exam 1… please note: there’s more than one way to skin a cat, particularly when it comes to software design. If your final solution is different than this, it’s not wrong, per se. Final … Continue reading →

Timothy Fanelli: EE363 Exam 1 UML Diagram

Fri, 12 Oct 2012 17:19:58 +0000

For reference, here is the UML diagram shown on Exam 1. A final solution will be posted at 3:00pm today, as well. Initech Financial IT Management – Building Security Model

Timothy Fanelli: Listening to records and reading cover notes to L.E. — new vinyl came in today: The XX Co-Exist. #parenting

Wed, 10 Oct 2012 22:19:06 +0000

Listening to records and reading cover notes to L.E. -- new vinyl came in today: The XX Co-Exist. #parenting Continue reading → Continue reading →

Timothy Fanelli: L.E.’s Website is now live!

Wed, 10 Oct 2012 22:01:35 +0000

Before you ask: “Why?,” consider who’s child this is. http://www.lefanelli.com The site is set to aggregate any posts I put in the “Baby” category here, so it’s mostly a duplicate… but if all you care about is cute pictures and … Continue reading → Continue reading →

Timothy Fanelli: L.E. and Mom

Mon, 08 Oct 2012 13:59:18 +0000

L.E. was smiling before and after this picture, sleeping on mom — but this is the only one I caught Jo smiling in . Continue reading →

Timothy Fanelli: Babies and zombies are the same. Driven by impulse, and make all the same noises. Only diff is boobs vs brains. #parenting

Sun, 07 Oct 2012 11:17:19 +0000

Babies and zombies are the same. Driven by impulse, and make all the same noises. Only diff is boobs vs brains. #parenting Continue reading → Continue reading →

Timothy Fanelli: Had to pee while holding L.E.. I now appreciate that flap on my boxers. The person who invented that was obviously a dad. #parenting

Sat, 06 Oct 2012 14:40:04 +0000

Had to pee while holding L.E.. I now appreciate that flap on my boxers. The person who invented that was obviously a dad. #parenting Continue reading → Continue reading →

Timothy Fanelli: Three milestones this week!

Sat, 06 Oct 2012 01:47:09 +0000

L.E. is two weeks old today, and reached a couple other milestones this week as well. She was 5lbs 13oz at her doctors appt yesterday, putting her back at her birth weight! This means we can stop waking her to … Continue reading → Continue reading →

Timothy Fanelli: Photos from Oma’s visit

Mon, 01 Oct 2012 14:59:37 +0000

Here’s the photos from Oma’s camera during her visit! I just put them up quickly, so a lot of them are close-duplicates… I’ll go through and clean up the album a little later when I have some time to spend … Continue reading → Continue reading →

Timothy Fanelli: Daddy’s little girl

Mon, 01 Oct 2012 00:42:31 +0000

Oma got a great shot of L.E. with her dad during her visit . More pictures soon! Also got some good news from the Doctor this morning — who took time out of her weekend away to follow up on … Continue reading → Continue reading →

Timothy Fanelli: Another long night in a hospital

Fri, 28 Sep 2012 20:53:15 +0000

L.E. had her first doctor appointment today with Dr. Szoke, who she was very impressed with . Unfortunately, though, we found out her bilirubin levels were still too high – so we got to spend another night in a hospital … Continue reading → Continue reading →

Timothy Fanelli: Home at last

Tue, 25 Sep 2012 23:43:19 +0000

Finally have the family home! Well, 90.9% of us; our dog Basil is in good hands at our friends Scott’s and Jill’s place. Continue reading →

Timothy Fanelli: Java Style Discussion

Fri, 14 Sep 2012 10:59:46 +0000

Here’s the recording of the Java Style discussion from Wednesday’s class, reviewing Java naming conventions, and JavaDoc style commenting.

Timothy Fanelli: “Project 1″ vs “Design Project 1″

Thu, 13 Sep 2012 17:49:25 +0000

So I screwed up the naming of these things. To differentiate between “10%” projects and “15%” projects, we’ll use “Project” vs “Design Project” respectively. To be clear, so far: Project 1 is 10% of your grade, and consists of: Homework … Continue reading →

Timothy Fanelli: EE363 Design Project 1 – Design Notes

Thu, 13 Sep 2012 17:43:43 +0000

Here’s a couple notes regarding design project 1 Your object model must represent Rock, Paper, Scissor, Lizard, Spock, Radioactive, Poisonous and Infested as objects under a common “Gesture” base type A Gesture must have a method called: getName() that returns … Continue reading →

Timothy Fanelli: EE363 Design Project 1

Wed, 12 Sep 2012 16:27:11 +0000

Here is EE363 Design Project 1: Rock, Paper, Scissors, Lizard, Spock; Radioactive, Poisonous, Infested edition! Update Posted on Thurs Sep 13: http://www.timfanelli.com/2012/09/ee363-design-project-1-design-notes/ It is due Friday, September 28, 2012. All the details are in the PDF. Here are a few key bullet … Continue reading →

Timothy Fanelli: BigDecimal, RoundingMode, and currency values in Java

Tue, 11 Sep 2012 16:06:16 +0000

So admittedly Monday’s discussion on BigDecimal was a fiasco. Here’s a quick attempt to clean it up, and clarify usage of BigDecimal for representing currency values in our Pizza implementations. Consider the following test case, given the Beverage Decorator implementation … Continue reading →

Pete Freitag: Minor bug in ColdFusion 10 Linux Startup Scripts

Thu, 06 Sep 2012 19:40:00 +0000

Running ColdFusion 10 on Linux you might run into an issue when checking the server status, if your ColdFusion user account has a default shell of /sbin/nologin (this is how your account should be setup for security purposes). So for example when you run:

/etc/init.d/coldfusion_10 status

You get this output

This account is currently not available.

If open up the file /etc/init.d/coldfusion_10 in an editor you will see that when ColdFusion invokes the status command on linux it doesn't pass a shell to use, so it tries to use /sbin/nologin which ofcourse fails.

To fix this look for this line:

CFSTATUS='su $RUNTIME_USER -c "cd $CF_DIR/bin; $JAVA_EXECUTABLE -classpath $CLASSPATH $JVM_ARGS_NODEBUG com.adobe.coldfusion.bootstrap.Bootstrap -status"'

Replace the su command with $SUCMDFILE -s /bin/sh - the

CFSTATUS='$SUCMDFILE -s /bin/sh $RUNTIME_USER -c "cd $CF_DIR/bin; $JAVA_EXECUTABLE -classpath $CLASSPATH $JVM_ARGS_NODEBUG com.adobe.coldfusion.bootstrap.Bootstrap -status"'

This was also a problem in prior versions of ColdFusion as well, but it also failed when you tried to start, stop or restart. So it's great they have fixed it for start, stop, restart but they missed the status command.

I have filed this as a bug with Adobe: Bug #3325996

Timothy Fanelli: JUnit & Liskov Substitution Demo from Lecture 3

Tue, 04 Sep 2012 01:45:22 +0000

Here’s the video of the demo from Lecture 3, Monday Sept 3. The demo shows the steps required to enable JUnit for unit testing your Java applications in IDEA, and walks through the “Shapes” hierarchy showing the LSP violation, and fix using a new interface.

Timothy Fanelli: EE363 Exam Schedule

Mon, 03 Sep 2012 17:30:52 +0000

As requested, here are the exam dates for Fall 2012. Both exams will be in-class on the days posted. Exam 1: Wednesday, October 10, 2012 Exam 2: Wednesday, November 14, 2012

Timothy Fanelli: EE363 Lectures 2 and 3

Mon, 03 Sep 2012 17:26:28 +0000

Here are the lecture slides from Friday Aug 31, and Monday Sept 3. Lecture 2 Aug 31 – Liskov Lecture 3 Sept 3 – Liskov, Interfaces, JUnit

Timothy Fanelli: EE363 Homework 2

Mon, 03 Sep 2012 17:22:36 +0000

Homework 2 is available here: EE363 Homework 2 Please read Chapter 3 of the text book, and complete this assignment before 2:00P Friday, Sept 7.

Timothy Fanelli: Text Book Update -

Thu, 30 Aug 2012 17:28:11 +0000

Hello Everyone - It appears the Clarkson email system stripped my attachment because it was too large. I posted the Chapter 1 reading here: https://www.timfanelli.com/secured/ You will need to log in using the same username and password I gave you … Continue reading →

Timothy Fanelli: Fibonacci Generator demonstration

Mon, 27 Aug 2012 18:00:51 +0000

This video will demonstrate the use of IntelliJ IDEA to create a simple Java Application which generates and displays a Fibonacci sequence.

Timothy Fanelli: EE363 Homework 1: Things That Change

Mon, 27 Aug 2012 16:00:37 +0000

Homework one is due at the start of class (2:00PM EDT) on Friday August 31, 2012. Homework 1: Things That Change This assignment will guide you through implementing a Number Generator application that is capable of generating either Fibonacci numbers, … Continue reading →

Timothy Fanelli: Lecture 1: Hello World Demo

Fri, 24 Aug 2012 13:36:33 +0000

Download Lecture 1 Slides Download the EE363 Syllabus This is the “Hello World” demonstration from EE363 lecture 1. It demonstrates the use of IntelliJ IDEA to impement a simple Java Program, run the application, and synchronize the repository with Subversion.

Pete Freitag: JavaScript Confirm Modal using Bootstrap

Wed, 22 Aug 2012 00:54:00 +0000

Back in the olden days you might have added code like this to your form onsubmit, or an anchor to do a javascript confirmation box:

<a href="delete.cfm" onclick="return confirm('Are you sure you want to delete?');">Delete</a>

That works, but using onclick is not elegant and can lead to major issues when trying to implement things like Content-Security-Policy headers.

Looking for a better way to do this? Here's how you can do this leveraging the Bootstrap modal control:

First I add some JS to my document ready event handler:

$(document).ready(function() {
	$('a[data-confirm]').click(function(ev) {
		var href = $(this).attr('href');
		if (!$('#dataConfirmModal').length) {
			$('body').append('<div id="dataConfirmModal" class="modal" role="dialog" aria-labelledby="dataConfirmLabel" aria-hidden="true"><div class="modal-header"><button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button><h3 id="dataConfirmLabel">Please Confirm</h3></div><div class="modal-body"></div><div class="modal-footer"><button class="btn" data-dismiss="modal" aria-hidden="true">Cancel</button><a class="btn btn-primary" id="dataConfirmOK">OK</a></div></div>');
		} 
		$('#dataConfirmModal').find('.modal-body').text($(this).attr('data-confirm'));
		$('#dataConfirmOK').attr('href', href);
		$('#dataConfirmModal').modal({show:true});
		return false;
	});
});

Now to trigger this in my HTML, I just add a data-confirm attribute to an anchor tag:

<a href="delete.cfm" data-confirm="Are you sure you want to delete?">Delete</a>

Pete Freitag: Understanding HashDos and postParameterLimit

Wed, 01 Aug 2012 20:58:00 +0000

I received a question today about the postParameterLimit that was added to ColdFusion 8,9 by security hotfix APSB12-06 and exists in ColdFusion 10 by default (it is also configurable in the CF10 administrator).

The question I was asked about this was:

I was wondering your opinion on the maximum level of this setiing in relation to security.

I've also seen a lot of people unclear why they are getting a 500 Server Error (coldfusion.filter.FormScope$PostParametersLimitExceededException: POST parameters exceeds the maximum limit specified in the server.) when posting a lot of form variables, so let's dig in to this issue.

Step back and learn about the HashDos Vulnerability

First we need to understand the vulnerability that this setting is meant to protect, called HashDos. To do that we need to take another step back and learn about how hashing algorithms work. When you store something in a struct in ColdFusion, eg form["pete"], it will create a hash of the key in this case "pete", it hashes the value to an integer, let's suppose that "pete".hashCode() == 8

All hash algorithms have the possibility of creating a collision, where two different strings result in the same hash code. So let's say that "peter".hashCode() == 8 as well. You don't want form["peter"] to return the result of form["pete"] so the hash table creates a bucket for each integer code. If the bucket contains multiple items then each item in the bucket is compared (this is slow).

Because this collision comparison is so slow, this is where the opportunity for the Denial of Service comes into play. If you can construct a request which results in thousands of hash collision lookups the request can take seconds to several minutes to process. For example with around 50,000 collisions my quad core mac pro with 15 gb of ram took close to 30 minutes to process the request (whose total size was less than 2mb).

HashDos does not only pertain to form post variables

Any time you store a lot of keys in a struct you have the potential for a HashDOS. The URL scope would potentially be vulnerable too but the web server will typically limit the size of the query string. Another place this might come up is if you accept Xml or JSON strings from external sources, which are then parsed into a struct. So keep this in mind whenever you accept external input that might yield struct keys.

So how to you fix HashDOS

ColdFusion added the postParameterLimit setting to neo-runtime.xml to mitigate the effects of the HashDos vulnerability, which existed in many web application servers. Adobe set their default limit to 100, while Microsoft set their default limit to 1000 for ASP.NET.

Getting back to the original question how high can you set this value? -- the answer is that you want to set this as low as your application allows. The actual number of what you can handle depends on what your hardware can handle, and what an acceptable wait time is for the end user.

Timothy Fanelli: Disable Global Security in WebSphere Application Server

Wed, 18 Jul 2012 13:13:13 +0000

Had to do this at a customer location today, because their security group had an issue defining the cell’s security certificates. Personally, I’ve also had to do this because I brought up old cells I couldn’t remember the passwords too, … Continue reading →

Pete Freitag: ColdFusion 10 Security Enhancements Presentation

Thu, 07 Jun 2012 22:50:00 +0000

I've given a couple presentations now on the security enhancements in ColdFusion 10. The most recent was today at the Adobe ColdFusion Developer 2012, but I've also given it two other times for a Carahsoft webinar, and for the Carahsoft ColdFusion 10 Preview event in Washington DC. The slide deck was very similar for all three, but today's slides are the most up to date.

I hope you find it useful, there really are quite a few security enhancements in ColdFusion 10, so many that it's difficult to cover all of them in an hour!

Here's a short list of some of the enhancements (not even including all of them):

Secure Profile in installation
Weak password warnings in installation
Hotfix Installer
CF Admin IP restrictions
Tomcat - lots of security folks review tomcat, JRun... not so much
Session Cookie settings
New SessionRotate() and SessionInvalidate() functions
CFFile Upload accept allows file extensions, strict mode now checks file content mime type, not just the mime type the browser sends (though this can still be spoofed).
Hash iterations
HMAC Function
CSRF Token Functions
Ram disk application isolation
And several more!