ColdFusion Security Reminder - Read me now

I know I've blogged this before, and it's covered in my security checklist, but folks, stop what you are doing and make these changes right now on your production server:

  • In the ColdFusion Admin, Debug Settings, turn off Enable Robust Exception Info.
  • In the ColdFusion Admin, Settings, set a site-wide error handler. You only need to do this if you didn't bother to use onError or <cferror>. You don't need a pretty page. You can just say 'Error!' and be done. This is still 10x better than exposing an error page to your user.

The above changes will take you - approximately - 2 minutes. So please do this.... now.

Comments (15) May 18, 2007 9:36 AM Views: 2659

Comments

[Add Comment]
Chad G.'s Gravatar Ray,

In the CF Admin it says:
Specify the relative path to a template to execute when ColdFusion encounters errors while processing a request.

Relative path to what?
# Posted By Chad G. | 5/18/07 9:51 AM
Raymond Camden's Gravatar Web root.
# Posted By Raymond Camden | 5/18/07 10:30 AM
Chad G.'s Gravatar I should have been more specific.

Web root of the CFAdmin? Each web root in IIS?

Thanks Ray!
# Posted By Chad G. | 5/18/07 10:35 AM
Bash's Gravatar It is relative to the default web site's root. If you have multiple web roots/sites and need a different page for each site you will have to create a default error page and use some redirection/includes to display the appropriate one. There are a couple examples out there I just can't remember where they are at the moment, but Gogle search will probably pull them up.

We have individual servers for our intranet and extranet (obviously for access reasons), but we have two sites on each box. We install CF to the default site and have the actual intranet/extranet as its own site. That way we can limit access to the CFIDE,admin, etc. and just copy over any script files we need for the actual site.

Anyway, because of this we have multiple web roots. What I did was create a mapping in the CF admin then I use that in my default error templates paths.

So, if you have multiple site roots just create a cf mapping to a folder that will hold your error page(s) and if necessary use some url path detection to pull in the desired page.

Hope all of that makes sense.
# Posted By Bash | 5/18/07 11:06 AM
DK's Gravatar Another good one if you are using cf7 is to take the time to read charlie areharts article on sandbox security. At the very least disabling CFExecute and CFRegistry (if you are not making use of them), it takes about 30 seconds, and makes security auditors sleep better at night :)

p.s. earlier versions of CF(5 and older) disabled the administrator if you disabled CFRegistry.
# Posted By DK | 5/18/07 11:09 AM
Dan Sorensen's Gravatar I assume that it's ok to have my site wide error handler email me the necessary info (since that's done on the server side), while I just display a simple error to the end user.
# Posted By Dan Sorensen | 5/18/07 11:21 AM
Ryan's Gravatar What are your thoughts on emailing yourself a dump of the exception struct in email, which is unsecured, while showing the user a friendly message?
# Posted By Ryan | 5/18/07 12:05 PM
Raymond Camden's Gravatar I'd have no problem emailing the error. I wouldn't email credit card info. :)

Dan: Thats what I do. Well no, that isn't. I use cferror/onError. That to me is more specific to my application. I recommend the Site Wide Error thing as its better than nothing and covers your whole box.

Does that make sense?
# Posted By Raymond Camden | 5/18/07 1:29 PM
Aaron Longnion's Gravatar thanks for the reminder, Ray.

here's my errorHandler.cfm, what do you think?
http://cfzen.instantspot.com/blog/index.cfm/2007/5...
# Posted By Aaron Longnion | 5/18/07 1:43 PM
Raymond Camden's Gravatar I just took a quick glance but seems ok to me. I need to standardize my own emails sometime. Perhaps in a cfe snippet.
# Posted By Raymond Camden | 5/18/07 2:10 PM
david's Gravatar funny, right after i read this I tab over to cf-talk on houseoffusion.com and I got this error:

(image link)
http://kamaimedia.com/funnystuff/hof_error_screens...
# Posted By david | 5/20/07 12:34 AM
Joshua Curtiss's Gravatar Ray, thanks for the reminder. I have FINALLY implemented a site-wide error handler for my intranet at work.

I encountered some <a href="http://blog.nazin.com/index.php/site-wide-error-ha... issues</a> with config file handling, due to the special behavior of site-wide error handlers. Got it taken care of though.
# Posted By Joshua Curtiss | 5/22/07 12:42 PM
Michael Dinowitz's Gravatar An error in a sitewide error handler will cause the original error to show as if the sitewide error handler did not exist (as seen from the HoF example above)
# Posted By Michael Dinowitz | 5/25/07 1:58 AM
Joshua Curtiss's Gravatar Yeah, that can be a handy way to "abort" your error handler under certain situations, like I described in my blog post, i.e. if it can detect that you are on a development box.

Just last night I got an email from my error handler for a page that used cfabort... I haven't looked into it yet but... will cfabort trigger the site-wide error handler???? If so, that is bad... I use cfabort from time to time, putting some logic at the top of a page and abort if certain conditions aren't met....
# Posted By Joshua Curtiss | 5/25/07 8:30 AM
Raymond Camden's Gravatar Yep, I've seen that before. If you look at the exception type though, you will notice a specific string for cfabort. You can look for - and ignore - that error.
# Posted By Raymond Camden | 5/25/07 10:07 PM
[Add Comment]