Tag: coldfusion security

Security checklist for Macromedia Flash Communication Server

After development, the Macromedia Flash communication application moves into production. At that time, you’ll want to properly configure the Macromedia Flash Communication Server. This should be done with security issues high on the priority list. Insecure server configurations can result in several negative situations, including unauthorized users who compromise information, steal server usage, cheat in games, or disrupt—or even shut down—the server. Below you’ll find a checklist of security configuration settings (as well as a few “best practice” tips) that you should consider as you set up your Flash Communication Server MX for real-time use by intranet or Internet users.

General administration settings:

1     Set a secure user ID and password. Don’t use “admin”, “administrator” (and so forth) as the user name. Pick a password with at least 8 characters, including digits and punctuation.
2     Use the <Allow> and <Deny> tags in the Server.xml file to restrict which client computers can connect to the Admin application.
3     Set the Admin tool to bind to a port that is not available to the general public. Block access to this port with your firewall.

(continue reading…)


ColdFusion security: Top seven ColdFusion Security Issues

This installment discusses the most prevalent security issues with server configurations and application implementations for ColdFusion. Future articles will discuss other security-related topics, both for other sysmox products specifically as well as for general security concepts that should be helpful for developers, server administrators, and others involved in web implementations.

Why Should You Care About Security Issues?

1     ColdFusion Directory Traversal
2     FCKeditor bug
3     ColdFusion Administrator on Production Servers
4     Unvalidated Browser Input
5     Sample Applications and Documentation on Production Servers
6     CFFILE, CFFTP, and CFPOP
7     ColdFusion Studio and RDS with Production Servers

Please keep in mind that keeping computer security issues at bay can be a full-time job. While these columns seek to provide general education and point out common security issues in implementations, they are not meant as a substitute for a full-time security specialist group or individual in your organization.

Please also remember that when links are provided for reference, they may be advisories not applicable to your server or configuration. Be sure to carefully check whether the fixes and workarounds suggested apply to your configuration before implementing them. Also, be sure to test any patch in a testing environment prior to applying it to a production environment.

Why Should You Care About Security Issues?

Security should be everyone’s concern. Over time, the professional security community has learned that the best-implemented security is carried out in a thorough and prevalent manner. If a developer, architect, or designer is not thinking explicitly about security, it simply won’t happen spontaneously.

Additionally, the wild, wild web is literally saturated with motivated attackers just waiting for a juicy target to attack and subvert. To make matters worse, many would-be attackers can find simple, automated “scripts” (automated tools that search for and exploit known security issues) with which to attack and subvert your server(s).

If any standard, well-known security issue is a concern with your server’s configuration, it is only a matter of time before an unknown attacker finds that she can, and does, successfully attack and potentially subvert your systems.

1 – ColdFusion directory traversal:

This is a variation of a classic directory traversal vulnerability, and it can be used for arbitrary file retrieval. Without special encoding, the bug only lets you retrieve files ending in “.xml”; by appending a “%00” (a URL-encoded null byte) that restriction no longer applies:

Coldfusion security (directory traversal)

The exploit:
http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

If the admin login password is stored as a hash (using the SHA-1 algorithm, as in ColdFusion MX 7), the attacker then attempts to crack it via an offline password cracking attack or a rainbow table lookup. Note that the default setting in ColdFusion 8 is encrypted=true in the password.properties file. Otherwise. (continue reading…)
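As an added defensive illustration (not code from the original post or from ColdFusion), the check below validates a locale-style parameter the way the passage implies the vulnerable code did not: it fully decodes the value, refuses null bytes and traversal components, and only accepts an allow-listed locale. The allow-list, the log-line format and the log lines themselves are constructed assumptions for this example.

```python
import re
from urllib.parse import unquote

# Hypothetical allow-list of locale codes the application ships with;
# constructed for this example, not taken from any ColdFusion configuration.
ALLOWED_LOCALES = {"en", "de", "fr", "ja"}


def is_safe_locale(raw: str) -> bool:
    """Accept a locale value only if it decodes to an allow-listed code.

    Decoding twice catches double-encoded input (%2500 -> %00 -> NUL).
    The explicit NUL and traversal checks make the rejection reason
    visible; the allow-list alone would already refuse such values.
    """
    decoded = unquote(unquote(raw))
    if "\x00" in decoded:  # the %00 trick that defeats a ".xml" suffix check
        return False
    if ".." in decoded or "/" in decoded or "\\" in decoded:
        return False  # path traversal components
    return decoded in ALLOWED_LOCALES


# Constructed sample access-log lines (combined log format, trimmed).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5123
10.0.0.9 - - [12/Mar/2010:10:01:07 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 412
10.0.0.9 - - [12/Mar/2010:10:01:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2Flib%2Fpassword.properties%2500en HTTP/1.1" 200 412
"""

# Pull the raw locale parameter out of the request line of each log entry.
LOCALE_RE = re.compile(r'"GET [^"?]*\?(?:[^"&]*&)*locale=([^"& ]*)')


def find_suspicious_requests(log_text: str) -> list:
    """Return the client IP of every log line whose locale value fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = LOCALE_RE.search(line)
        if m and not is_safe_locale(m.group(1)):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    print(find_suspicious_requests(SAMPLE_LOG))  # ['10.0.0.9', '10.0.0.9']
```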


How to Design Secure Web Applications


SySmox


Secure web application design is not product-specific: it helps you securely design and implement any web application, regardless of the platform, and many of these concepts are relevant to any application development cycle, including non-web applications.


What is the ‘Security Mindset’?

  •     Risk Assessment
  •     Policies
  •     Platform Research, Modular Architecture and Delegation (Layering)
  •     Validation (Formal Trust)
  •     Vigilance

Keeping computer security issues at bay is a full-time job. These columns provide general education, point out common security issues in implementations, and can aid you in both design and troubleshooting. However, they are not a substitute for a full-time security specialist individual or group in your organization.

Bear in mind that individual links are provided for reference; they may not be applicable to your specific architecture or configuration. Be sure to carefully check whether the procedures suggested or described apply to your configuration before implementing them. Also, be sure to test any change to your current configuration or process in a testing environment prior to applying them in any production environment.

What is the ‘Security Mindset’?

The ideal security architect is very cautious, even paranoid, diligent, suspicious, obsessive-compulsive and impossibly humble. In reality, they tend to be a little more human – which can be both a good and a bad thing – but in terms of ideal qualities, this description is closer to the truth than you might prefer to think.

Generally, it’s a good idea for a security specialist to be suspicious and aggressively inquisitive about new things. She should be suspicious enough so that she’ll feel comfortable prying into how new things work, how inherently secure new tools are, and how much she can trust these new things to keep her data safe. She should also be cautious about programming, configuration, and implementation, both her own and others’. Being this way helps her keep her edge, stay alert, and helps her identify and analyze subtle and tricky situations. It’s often said that the same kinds of people who automatically case every store they enter, but never use the knowledge to steal, are perfect for the security field.

(continue reading…)


ColdFusion security: Ten tips for securing your ColdFusion application


Over the past year, reports of website security vulnerabilities have increased—in number and severity. Security is a top issue in application development and production. There are a variety of responses to hackers.

ColdFusion application developers—like all applications developers—can take steps to prevent security violations. When you install the Macromedia ColdFusion server on your local machine, it’s easy to start developing applications right out-of-the-box. Your focus during development is on the inner workings of the application and not on setting up and configuring the ColdFusion administrator. When you deploy your ColdFusion application to production, however, you expose your application to the whole world. In this environment, things are different.

Below you’ll find ten tips for setting up your ColdFusion application server with security in mind. This list is divided into these general sections:

  1  Features and settings to turn off
  2  Features and settings to turn on
  3  On-going chores
  4  Testing techniques: A hidden JavaScript example


1 Features and settings to turn off:


    1.1 ColdFusion installation:

Install ColdFusion on the production server without the documentation and example applications. You can uncheck the Example Applications option during your ColdFusion server installation. While the example applications are helpful to new ColdFusion developers, the CFML source code for these examples is freely available, so they present a tempting target for hackers in a production environment. The example applications were revised in ColdFusion 5 to make them more secure, but still there is rarely a good reason to have them on a production server. (continue reading…)


Copyright © 1996-2010 Web application security. All rights reserved.