Hack Proofing ColdFusion

Hack Proofing ColdFusion

by Syngress

The only way to stop a hacker is to think like one!
ColdFusion is a Web application development tool that allows programmers to quickly build robust applications using server-side markup language. It is incredibly popular and has both an established user base and a quickly growing number of new adoptions. It has become the development environment of choice for…  See more details below


The only way to stop a hacker is to think like one!
ColdFusion is a Web application development tool that allows programmers to quickly build robust applications using server-side markup language. It is incredibly popular and has both an established user base and a quickly growing number of new adoptions. It has become the development environment of choice for e-commerce sites and content sites where databases and transactions are the most vulnerable and where security is of the utmost importance.
Several security concerns exist for ColdFusion due to its unique approach of designing pages using dynamic-page templates rather than static HTML documents. Because ColdFusion does not require that developers have expertise in Visual Basic, Java and C++; Web applications created using ColdFusion Markup language are vulnerable to a variety of security breaches.
Hack Proofing ColdFusion 5.0 is the seventh edition in the popular Hack Proofing series and provides developers with step-by-step instructions for developing secure web applications.

· Teaches strategy and techniques: Using forensics-based analysis this book gives the reader insight to the mind of a hacker
· Interest in topic continues to grow: Network architects, engineers and administrators are scrambling for security books to help them protect their new networks and applications powered by ColdFusion
· Unrivalled Web-based support: Up-to-the minute links, white papers and analysis for two years at solutions@syngress.com

Read More

Editorial Reviews

Eleven computer specialists contribute to this text for programmers on how to secure ColdFusion development. Coverage includes learning to think like a hacker, recognizing the top ColdFusion application hacks, securing ColdFusion tags and applications, client-side development and server-side configuration, securing the ColdFusion server and making adjustments after installation, secure development issues for the most popular operating systems that ColdFusion runs on, industry leading databases and their security pitfalls, complementary technologies and techniques to ensure security, and the enhanced security features of ColdFusion MX. Annotation c. Book News, Inc., Portland, OR (booknews.com)

Product Details

Elsevier Science
Publication date:
Product dimensions:
7.00(w) x 10.00(h) x 1.11(d)

Read an Excerpt

Working with Other Dangerous and Undocumented Tags The tags listed above, which are controlled within the ColdFusion Administrator, are not the only potentially dangerous functionality within ColdFusion’s arsenal. Here are some additional things to worry about as you build your application. The following tags and functions cannot be disabled through the Administrator. The only way to limit the use of these tags is to run your application inside an Advanced Security sandbox, and use that sandbox’s settings to control which tags and functions are available. (For more on Advanced Security, see Chapter 6.)

GetProfileString(), ReadProfileString()

GetProfileString() and ReadProfileString() are documented functions for reading and writing to *.ini files. These functions are great for creating and utilizing small, file-based persistent storage mechanisms, especially when storing such information in a database is impossible or not desired. You may also want to look at these functions if your ColdFusion application is tightly integrated with another application; the two apps may be able to share an .ini file containing common configuration information.

These functions are dangerous because they can read and write to sensitive system files. A hacker could use these functions to alter Windows files, or .ini files belonging to unrelated applications. This access could expose sensitive information to the hacker, or alter your system such that it will not boot!


GetTempDirectory() is a documented function; it returns the operating system ’s directory for storing temp files. A minor security threat, this function can expose to information about your system’sconfiguration to a hacker. The less a hacker knows, the better off you are.


GetTempFile() is a documented function. Unlike GetTempDirectory(), which simply returns information, GetTempFile() will actually create an empty, 0-byte file within the directory you specify. Even though each temp file is empty, it still takes up some room on disk for its listing in the directory. A hacker could use this function within a loop to create enormous amounts of these temp files, which has a remote possibility of consuming your disk space. The larger threat is to performance and stability, since any directory with huge amounts of files causes the operating system to crawl.

is a documented tag. It allows the ColdFusion server to temporarily execute as a user different from the one you specified in the Services Control Panel (Windows) or the start script (UNIX). This is extremely useful to provide short-term dynamic access to resources, but it also creates large security holes. If you are relying on your operating system’s security policy for protection, you’re not completely safe. This tag can bypass OS-level security by simply logging on as someone else—preferably someone who has more privileges!

CF_SetDataSourceUsername(), CF_GetDataSourceUsername(),

CF_SetDataSourcePassword(), CF_SetODBCINI(),CF_GetODBCINI()

CF_SetDataSourceUsername(), CF_GetDataSourceUsername(),

CF_SetDataSourcePassword(), CF_SetODBCINI(), and CF_GetODBCINI() are undocumented functions. These functions read and write the properties of a datasource, including the ability to change username and password. They are useful in specific situations, but mostly create a security hole. If a hacker can start changing login credentials for your database, your whole application may crash. A hacker could also use these tags to glean information about valid database logins, and use that information to hack your database.


CF_GetODBCDSN() is an undocumented tag. It lists all the ODBC datasources on the system, and is very, very useful to hackers who would like to break into your datasources.

CFusion_Encrypt(), CFusion_Decrypt()

CFusion_Encrypt() and CFusion_Decrypt() are undocumented functions. They perform the same function as the documented Encrypt() and Decrypt() functions, but use a different algorithm and produces different results. The result of CFusion_Encrypt() will only contain the numbers 0-9 and the letters A-F, but the result of Encrypt() can contain special characters. This is very useful for a hacker to attempt to unencrypt sensitive, encrypted data.

Read More

Customer Reviews

Average Review:

Write a Review

and post it to your social network


Most Helpful Customer Reviews

See all customer reviews >