http://coldfusion.com logo
Join Slack
Powered by
Does anyone know how we should secure `<cfexecu...
# cfml-beginners
h
Does anyone know how we should secure 
<cfexecute>
tag against the command shell injection attack?
b
@hpeter16 By being very careful about what you allow in the 
name
and 
arguments
attributes.
Is there a specific sort of attack you're worried about or that you've been found vulnerable to?
h
Nothing serious...I just came to one article where they say 
We recommend that ColdFusion _Sandbox Security_ is enabled and sensitive tags such as <cfexecute> and <cfregistry> be disabled by default.
but no mentions of how we can secure that in case if we use those tags so out of curiosity want to know.
b
That really just means that those tags have the potential to be abused and affect the entire system outside of CF
If your app requires the use of those tags, then you must do so judiciously, keeping the potential for security issues in mind
Sandbox security is often times used in shared hosting where the person who owns the server doesn't necessarily trust the people deploying the code! So a shared CF host would likely lock down a tag like that completely.
If you control this server, just ensure any use of cfexecute doesn't allow a malicious user to control its input to run arbitrary commands.
So
Copy code
<cfexecute name="ping" arguments="google.com">
would be pretty hard to hack
But
Copy code
<cfexecute name="ping" arguments="#url.hostname#">
would be very easy to hack by providing something like 
localhost && sudo bad thing here
in the URL
I actually don't know for sure if that would work ☝️ but hopefully you get the picture
h
Yes, that is completely making sense, and thanks for your reply...But If we have hardcoded values for arguments then it's safe to use or it's better to have it somewhere in the config file?
b
It's really not possible to answer that without knowing how you're using the tag. The more dynamic you make, the more possibilities you introduce for the values to get modified on the fly maliciously.
👍 1
3 Views
Open in Slack
PreviousNext
Powered by