Securing Custom Tags and Include files - Security Series #2

Well my first security post was much more verbose than I originally intended. I hope I did not scare anyone off. I can sometimes be wordy.

This time I promise I will keep things shorter. Let's see if I can keep my promise. Today I want to discuss a very simple topic.

Many of us use Custom tags and Include files in our ColdFusion template files (CFMs). It is very common to see code like this:

    <body>
        <!--- Include the header file --->
        <cfinclude template="includes/header.cfm">

        <!--- Include a custom tag for formatting any error message that comes in on the URL.
              The value must be passed with #...#, otherwise the tag receives the literal
              string "url.error" instead of the message. --->
        <cfif IsDefined("url.error")>
            <cfmodule template="includes/error.cfm" errorMsg="#url.error#">
        </cfif>

        <!--- Show Form --->
        <cfform action="">
            ...
        </cfform>
    </body>

Now, simplicity aside, the code above is just fine. The issue I see is in the "includes" directory. Is the includes directory in the publicly accessible area of the website? Can I get to the error.cfm by visiting http://www.domainanme.com/includes/error.cfm?

In most cases, you do not want your users to be able to access your custom tags or include files directly. This is a security issue, and it is also just bad form, because a file requested on its own will usually generate errors. It is a security issue because attackers can use the error messages produced by the include files or custom tags to glean information about your site and use that to figure out exploits, possibly even against that include file itself. Some developers still use custom tags and includes for things like credit card validation, password verification, form validation and other repetitive security tasks. If an attacker can look into those files, he can figure out quite a bit.

Fortunately, there are two very easy fixes for this issue.

  1. Move your includes folder(s) out of the public side of the site. Put them somewhere behind the webroot so they are inaccessible via direct requests. Then set up a ColdFusion custom mapping to them using the same folder name. So in the example above, my mapping would be "/includes". ColdFusion mappings are not accessible via the URL, but they are accessible via <cfinclude>, <cfmodule>, custom tag syntax (<cf_tagName>), <cfinvoke>, <cfcreateobject> and CreateObject(). ColdFusion mappings can be set up by your administrator in the ColdFusion Administrator pages or, in ColdFusion 8, they can be set up in your Application.cfc.
  2. If for some reason ColdFusion mappings are not an option for you, there is still an easy way to secure custom tags and include files that are web accessible yet should not be accessed directly. First, make sure they are in a directory of their own, and then add an Application.cfm file to that directory with a <cfabort> statement in it. If anyone requests one of those pages directly, the <cfabort> will be executed; however, if you call the file with <cfinclude>, <cfmodule>, or custom tag syntax (<cf_tagName>), that Application.cfm is ignored, because Application.cfm only runs for the page that was actually requested.
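Both fixes, written out as an added example (not the post's own code). It assumes a ColdFusion 8+ server, that the private folder is /var/www/private/includes (outside the webroot; adjust for your server), and that the calling page is index.cfm in the webroot.

```cfml
<!--- ===== Fix 1: Application.cfc at the webroot =====
      The "/includes" mapping is resolvable by cfinclude, cfmodule and cf_ tags,
      but the web server never serves anything from it, so a request such as
      /includes/error.cfm cannot reach the file. Path is an assumption. --->
<cfcomponent output="false">
    <cfset this.name = "SecureIncludesDemo">
    <cfset this.mappings["/includes"] = "/var/www/private/includes">
</cfcomponent>

<!--- ===== index.cfm in the webroot =====
      Same page as above, now resolving through the mapping. The leading slash
      makes ColdFusion look the path up as a mapping rather than a web path. --->
<cfinclude template="/includes/header.cfm">
<cfif structKeyExists(url, "error")>
    <cfmodule template="/includes/error.cfm" errorMsg="#url.error#">
</cfif>

<!--- ===== /var/www/private/includes/error.cfm (the custom tag) =====
      The message arrives from the URL, so it is HTML-encoded before output
      to prevent script injection via the error parameter. --->
<cfparam name="attributes.errorMsg" default="">
<cfif len(trim(attributes.errorMsg))>
    <cfoutput><p class="error">#htmlEditFormat(attributes.errorMsg)#</p></cfoutput>
</cfif>

<!--- ===== Fix 2: Application.cfm inside a web-accessible includes/ folder =====
      Only used when mappings are not available. ColdFusion runs this file only
      when a page in this directory is the one requested by the browser; files
      pulled in from index.cfm via cfinclude/cfmodule never execute it, so the
      abort stops direct hits and nothing else. --->
<cfabort>
```

With fix 1 in place a direct browser request for /includes/error.cfm gets the web server's 404, while index.cfm still renders the header and the formatted error message.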

Comments

Jason,

I am using the CF8 ajax layout tools and use the source attribute all the time with my cfpods and cfwindows.

On one of my projects I am on a shared host and don't think I have access to any folder structure below the root. Do you think I could use the mixture of includes folder and application.cfm you described in that instance to protect the source pages from opening outside the RIA?

# Posted By Michael Brennan-White | 5/7/08 8:57 AM

@Michael - Actually, CF8 added a new function, verifyClient, that does just this. It only lets you run a file, or CFC method, via Ajax. It's not perfect, but will block most attempts. See these urls:

http://www.coldfusionjedi.com/index.cfm/2007/7/31/...

http://www.coldfusionjedi.com/index.cfm/2007/8/7/M...

# Posted By Raymond Camden | 5/7/08 9:24 AM

@Michael - What Ray said :)

@Ray - Thanks for that info. VerifyClient needs to be on my list of security topics to research.

# Posted By Jason Dean | 5/7/08 10:04 AM

That's great. I anxiously await the next installment in your series.

VerifyClient sounds like it will be more than sufficient for my needs since it will be on an intranet and my main concern is keeping my users from getting lost.

# Posted By Michael Brennan-White | 5/7/08 4:24 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner