Home | Features | Demo | Downloads | About Us | Support | Purchase

A Code Snippet to Help Protect Against Attacks

Posted At : June 30, 2009 6:24 PM | Posted By : Mary Jo
Related Categories: CFWebstore

Here's an easy code modification that is a nice security addition for sites, particularly older stores, and will help somewhat against the recent attacks. Please note that this is far from a comprehensive fix and depending on the level of access the hackers gained, may not help if you have already been attacked. See the links below for more detailed information on dealing with attacked sites for comprehensive details on cleaning up sites.

Version 6 contains a lot of additional coding to protect against XSS, SQL injection, session spoofing and other attacks, that makes it considerably harder to attack, and it is STRONGLY recommended that you upgrade to the latest release if at all possible. If you are running an older version, there's a greater chance that a hacker can get access to secure areas of your store and once they get in there, they have access to a lot of things that could compromise your site. Be sure to use strong passwords, change your username regularly, use SFTP if possible, etc. to keep your site secure, but this code helps ensure that they can't upload and hide a CFM file and run it on your server from a hidden subdirectory. In the Application.cfm file, replace this section of code (the exact file list may differ depending on your version):

<cfset directAccessFiles="#request.self#,sitemap.cfm,go.cfm,image.cfm">
<cfif not listFindNoCase(directaccessfiles,getfilefrompath(cgi.script_name))>
<cflocation url="#request.self#" addtoken="No">
</cfif>

with this code:

<cfif "#GetDirectoryFromPath(GetCurrentTemplatePath())#index.cfm" NEQ GetBaseTemplatePath()
AND "#GetDirectoryFromPath(GetCurrentTemplatePath())#sitemap.cfm" NEQ GetBaseTemplatePath()
AND "#GetDirectoryFromPath(GetCurrentTemplatePath())#go.cfm" NEQ GetBaseTemplatePath()
AND "#GetDirectoryFromPath(GetCurrentTemplatePath())#image.cfm" NEQ GetBaseTemplatePath()
AND "#GetDirectoryFromPath(GetCurrentTemplatePath( ))#admin\index.cfm" NEQ GetBaseTemplatePath()>
<cflocation url="/index.cfm">
</cfif>

Please note, if your store is not in your webroot directory, be sure to include the path to the store in the cflocation (such as url="/store/index.cfm"). Also depending on your version, the list of files allowed may be slightly different than these, so adjust as necessary.

Comments (8) | Print | Send | del.icio.us | Digg It! | Linking Blogs | 6924 Views

Related Blog Entries

Comments (Comment Moderation is enabled. Your comment will not appear until approved.)
[Add Comment]
Keith's Gravatar which application file are you referring to that you add this code to there are several?
# Posted By Keith | 6/30/09 10:10 PM
Jon's Gravatar We got hacked today, on version 6.03. I am in the process of restoring files, but I was wondering - is this a vulnerable version of Version 6? I will change Application.cfm ASAP, but I am concerned that the site remains vulnerable.
# Posted By Jon | 7/1/09 5:59 PM
Mary Jo Sminkey's Gravatar @Keith - It would replace the lines of code as shown in the root Application.cfm file.
@Jon - Yes, that old a version can be vulnerable, and I'd highly recommend upgrading them to the latest release which has a lot of security improvements, not just against this type of attack, but other exploits as well. The yahoogroup has details about exactly what steps to take to lock down both your site, and your CF server, even if you aren't able to upgrade. But it's certainly highly recommended to keep sites upgraded, even if you just do it once or twice a year, not necessarily every release, that will go a long way to keeping your sites safe from intrusion.
# Posted By Mary Jo Sminkey | 7/1/09 10:38 PM
Paul's Gravatar We've been infected as well. Will this code replacement prevent the running of the malicious scripts on our servers again, or does it just prevent the writing of the malicious file.

I guess I'm still trying to figure out if there is a virus on our server that is running periodically and reinfecting these files or if there is a file being run remotely. Any ideas?
# Posted By Paul | 7/1/09 11:57 PM
Mary Jo Sminkey's Gravatar This code doesn't prevent writing malicious files, it will just help prevent the hacker from easily hiding them in subdirectories and running them from there, which seems to be his favorite method of attack. Please join the cfwebstore yahoogroup for more details on ways to lock down your server and prevent any future attacks, as well as for information on how to patch older versions.
# Posted By Mary Jo Sminkey | 7/2/09 6:47 PM
Christopher Walker's Gravatar @ of my clients got nailed. The last 5 or so lines of Apllication.cfm were replaced with a flash script
# Posted By Christopher Walker | 7/2/09 8:08 PM
Gerry Wooden's Gravatar Will this snippet work though if the hackers upload their own application.cfm file into the same folder as the index.cfm file? Doesn't coldfusion look in the current directory first for the application.cfm file?
# Posted By Gerry Wooden | 7/20/09 8:33 PM
Mary Jo Sminkey's Gravatar No, it won't protect it in that case, which is why this may only "help" protect against such an attack, it is far from a comprehensive fix.
# Posted By Mary Jo Sminkey | 7/21/09 9:22 PM
[Add Comment]
 
BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.
 
Dogpatch Software
8 Old Coach Ln, Carlisle, PA 17013
email: info-at-cfwebstore.com
 		 Last Updated: 03/10/2010
Questions, comments or problems about this site?
Copyright ©2010 Dogpatch Software. All rights reserved.