Adobe 38043740 - ColdFusion Standard - Mac, Manual, Page: 75 / 87

Share

60 pages before
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

Page: 75 / 87

Adobe 38043740 - ColdFusion Standard - Mac Manual Download Page 75

75

Section 6: ColdFusion Server Services

ColdFusion provides a large number of services for developers to take advantage of. Most applications do not
make use of all these services, and can therefore be disabled to improve security.

6.1 Servlets and Servlet Mappings in web.xml

All JEE web applications have a file in the

WEB-INF

directory called

web.xml

this file defines the servlets and

servlet mappings for the JEE web application. A servlet mapping defines a URI pattern that a particular servlet
responds to. For example the servlet that handles requests for

.cfm

files is called the

CfmServlet

the servlet

mapping for that looks like this:

<servlet-mapping id="coldfusion_mapping_3">
<servlet-name>CfmServlet</servlet-name>
<url-pattern>*.cfm</url-pattern>
</servlet-mapping>

The servlets are also defined in the

web.xml

file, the

CfmServlet

is defined as:

<servlet id="coldfusion_servlet_3">
  <servlet-name>CfmServlet</servlet-name>
  <display-name>CFML Template Processor</display-name>
  <description>Compiles and executes CFML pages and tags</description>
  <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  <init-param id="InitParam_1034013110656ert">
  <param-name>servlet.class</param-name>
  <param-value>coldfusion.CfmServlet</param-value>
  </init-param>
  <load-on-startup>4</load-on-startup>
</servlet>

We can remove servlet mappings in the

web.xml

to reduce the surface of attack. You don’t typically want to

remove the CfmServlet or its servlet mapping, but there are other servlets and mappings that may be removed.

«
...
73
74
75
76
77
...
»

Summary of Contents for 38043740 - ColdFusion Standard - Mac

Page 1: ...mple file system paths for installation you do not need to use the same example installation paths provided in this guide 1 2 Operating Systems and Web Servers This guide focuses on Windows 2008 IIS 7 and Redhat Enterprise Linux RHEL 6 3 Apache 2 2 Many of the suggestions presented in this document can be extrapolated to apply to similar Operating Systems and Web Servers Contents Section 1 Introdu...

Page 2: ...ment This document does not detail security settings for the Operating System the Web Server or Network Firewalls It is focused on security settings for the ColdFusion server only All suggestions in this document should be tested and validated on a non production environment before deploying to production ...

Page 3: ... specified on the Adobe com download page On Mac OSX To obtain the MD5 checksum of a file on Mac OSX launch Terminal app and type md5 filename On Linux To obtain the MD5 checksum of a file on RedHat Enterprise Linux open a shell and type md5sum filename On Windows Windows installations do not include a MD5 checksum verifier by default Microsoft provides a free MD5 checksum verifier called sigcheck...

Page 4: ...ccess control Setup a dedicated website for CF administrator 2 2 1 Create Dedicated User Accounts Create a new User for the ColdFusion Service to Run As in the screenshot below we call this user cfusion choose a unique username that may not be easily guessed Create ColdFusion Service User Account ...

Page 5: ...5 ...

Page 6: ...ssion Host server If you are setting up multiple instances of ColdFusion for different applications you will want to create dedicated user accounts for each instance to isolate them from each other In addition each IIS application pool can have a dedicated user account typically each website in IIS is assigned its own application pool If the new users were added to any default groups such as Users...

Page 7: ...uide it is mapped to drive f Create a directory to contain the web sites for example f web and then create a sub directory to house each web site 2 2 3 Grant the Permission to Web Site Root Directories Right click on the Web site partition folder eg f web and select properties Select the Security tab and click the Advanced button ...

Page 8: ...8 In the Advanced Security Settings Dialog click the Edit Button Uncheck the checkbox labeled Include inheritable permissions from this object s parent A confirmation box will appear select remove ...

Page 9: ... or equivalent users and groups Full Control iisservice Your Application Pool Identity User List folder read data Read attributes Read extended attributes Read permissions IUSR the anonymous authentication account List folder read data Read attributes Read extended attributes Read permissions ...

Page 10: ...nnecessary privileges Check the Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object checkbox to propagate this setting to all sub folders and files existing or created below this folder Select the Auditing tab in the Advanced Security Settings dialog Click the Edit button and ensure that some level of auditing exists Auditing can ...

Page 11: ...11 2 2 4 Add Remove IIS Server Roles On a clean Windows 2008 install IIS may need to be installed This is done by opening the Server Manager and selecting Roles ...

Page 12: ...12 Next Click Add Roles and select the checkbox next to Web Server IIS ...

Page 13: ... components called Role Services ColdFusion requires that the ASP NET CGI ISAPI Extensions and ISAPI Filters Role Services are selected After we have configured the ColdFusion 10 IIS connection we can actually remove the ASP NET and CGI Role Services ...

Page 14: ... Services and remove any that may not be necessary for example Directory Browsing You may find other Role Services to be useful or necessary such as Logging Tools HTTP Redirection Request Filtering and IP and Domain Restrictions ...

Page 15: ...in IIS Manager and then click Set Application Pool Defaults in the Actions menu This allows you to change the defaults used when a new Application Pool is created By default each new web site in IIS gets it s own Application Pool Remove any unused application pools such as the one created by default Change the NET Framework Version to No Managed Code if your web sites do not require NET ...

Page 16: ...16 Under Process Model change the Identity to be the IIS user you created for example iisservice You will be prompted for the password of this user ...

Page 17: ...may be cases where you want to change this to another account for example if you want to isolate between multiple web sites or applications The IUSR account is inherently a member of the Users group which may allow for additional unnecessary access to files 2 2 8 Setup Request Filtering Make sure that you have the Request Filtering Role Service for IIS installed Under the IIS root applicable for a...

Page 18: ... api is accessed through a remote cfc function call then use another method to protect this uri eg IP restriction CFIDE AIR AIR Sync API Usually unless AIR sync API is used CFIDE appdeployment Yes CFIDE classes Contains java applets for cfgrid cftree and cfslider Usually unless java applets are used CFIDE componentutils CFC Documentation viewer Yes CFIDE debug Used when debugging is enabled on the...

Page 19: ...r Yes CFIDE probe cfm You can configure probes in the ColdFusion administrator which are used to monitor a URL for failures This will throw an exception if not run over 127 0 0 1 Yes however if you want to use probes you should create a web site that only listens on 127 0 0 1 and remove this block CFIDE scheduler Contains an interface for scheduled task event handlers Does not need to be accessibl...

Page 20: ...password and also an allowed IP Enabling this feature can open up a large amount of security risk to the application server Yes CFIDE websocket API for web socket listener CFCs Does not need to be open via the web server if used Yes CFIDE wizards Possibly used for IDE integration not needed on production Yes CFIDE GraphData Used to render cfgraph and cfchart assets Only if cfchart and cfgraph is n...

Page 21: ...n of ColdFusion you are running Ideally we could block all CFIDE however if you use cfchart the generated graphics are rendered from CFIDE GraphData cfm It is not possible using request filtering to deny the URI CFIDE but then allow CFIDE GraphData cfm for example If you are not using cfchart and do not need access to any of the URIs below you may simply deny CFIDE instead of listing each sub dire...

Page 22: ...tains configuration data used by the java application server The Tomcat connector will block this already but you can block it at the web server level as well Yes cfformgateway Used for cfform format flash Only if Flash Forms are not used flex2gateway Flex Remoting Only if Flex Remoting is not used cfform internal Used for cfform format flash Only if Flash Forms are not used flex internal Flex Rem...

Page 23: ... WSRP Usually unless WSRP is used svn If you use subversion to deploy your ColdFusion applications you can block the svn folders which may allow source code disclosure Yes 2 2 9 Create a Website For ColdFusion Administrator First create a self signed certificate or preferably utilize a certificate from a trusted certificate authority by clicking on the Server Certificates icon under the IIS root C...

Page 24: ...7 0 0 1 or another IP address only accessible to system administrators Select HTTPS for the protocol and select the self signed certificate Consider disabling anonymous access to this site and require web server authentication for an additional layer of protection and auditing Next Require SSL Connections for this website by double clicking on the SSL Settings icon for the cfadmin website ...

Page 25: ...sion Administrator Site Because we have specified that the URI CFIDE administrator is blocked on a global level using IIS Request Filtering we need to enable that URI only on our cfadmin web site To do this click on the cfadmin website under sites and click on Request Filtering Select the URL tab and click on the rule matching CFIDE administrator and click the Remove button ...

Page 26: ...26 ...

Page 27: ...se Linux Create separate partitions for the web root s in this guide we will use web as the mount point for our web sites partition please choose a unique mounting point name Select a minimum set of packages it is recommended that you do not install a graphical desktop environment Choose to enable SELinux in Enforcing mode during the installation process 2 3 3 Update Installed Software and Remove ...

Page 28: ... find a list of these module by running fgrep LoadModule etc httpd conf httpd conf Some modules that you may be able to remove include mod_imap mod_info mod_userdir mod_status mod_cgi mod_autoindex See Appendix A 7 and A 8 for more information on securing the Apache Web Server 2 3 5 Create users and groups for ColdFusion and Apache Create a new group to contain both Apache and ColdFusion in this g...

Page 29: ...50 web Note the permission 750 grants rwxr x permission meaning owner cfusion has full control while the group webservices only has read and execute permission execute permission is needed to allow directory traversal by the user Most applications will require some write permission under the web root you can change owner to root by running chgrp root web path for files and directories that do not ...

Page 30: ... CFIDE Next lets create a virtual host for the ColdFusion administrator website This example uses the self signed certificate generated during installation it is recommended that you use a signed certificate instead VirtualHost 127 0 0 1 443 ServerName localhost DocumentRoot web cfadmin wwwroot SSLEngine on SSLCertificateFile etc pki tls certs localhost crt SSLCertificateKeyFile etc pki tls privat...

Page 31: ...and will create or overwrite password file in the specified location and create a user named petefreitag in group cfadmins To add more users omit the c flag Next lets specify permissions such that only root can write to this file and apache can only read it chown root apache etc httpd cfadmin digest pwd chmod 640 etc httpd cfadmin digest pwd Now add the following to the httpd conf file Location CF...

Page 32: ...e ColdFusion 10 Installer This guide covers the standard Server configuration option and does not cover installation as a WAR or EAR file consult your JEE server vendor for installation specifics The option to install ColdFusion in standalone or multiserver mode no longer exists as it did in previous versions which allows ColdFusion 10 to use the same core directory structure even if multiple inst...

Page 33: ...33 ...

Page 34: ...34 Do not install ColdFusion 10 ODBC Services ColdFusion 10 Admin component for Remote Start Stop or Documentation Select only the subcomponents that are required for your application ...

Page 35: ... access ColdFusion Administrator The Secure Profile option is new in ColdFusion 10 and provides a more secure foundation of default settings You can review the settings it toggles here http www shilpikhariwal com 2012 04 coldfusion 10 presents secure profile html ...

Page 36: ...36 Select an install directory a non standard directory location on a non system partition is preferred ...

Page 37: ...usion 10 to the web site If you are installing on Linux with SELinux enabled hold off on installing the apache connector this is done manually later on in this guide For maximum security consider running the web server and ColdFusion on separate physical servers One way to separate the public facing web server and the ColdFusion server is by using a reverse proxy In a reverse proxy setup the ColdF...

Page 38: ...38 ...

Page 39: ...39 Choose a strong password and unique username for the ColdFusion administrator Strong passwords should contain a random mix of case numbers special characters and at least 8 characters in length ...

Page 40: ...40 You may consider checking the checkbox to allow ColdFusion to check for updates when you login to ColdFusion administrator note that it will not install the updates only check for new updates ...

Page 41: ...t java jar coldfusion home cfusion hf updates hotfix_XXX jar Replace hotfix_XXX jar with the filename of the hotfix jar you are installing and follow the prompts The installer will typically attempt to restart ColdFusion when done you can however disable that see documentation for details You may need to reinstall the IIS connectors at this point consult the hotfix release notes 4 1 2 Setup Permis...

Page 42: ...lsewhere Note if you choose to run Anonymous Authentication through the Application Pool user then IUSR does not need permission to these files Note if you are setting up multiple instances of ColdFusion or multiple connectors you will need to repeat this step for each connector Each connector instance is placed in a subdirectory of coldfusion home config wsconfig with a number starting with 1 by ...

Page 43: ... user you created cfusion in the guide example The installation creates a service named ColdFusion 10 Application Server which runs the initial ColdFusion instance Right click the service click Properties and select the Log On tab to specify the username and password for the account you created Restart the ColdFusion 10 Service ...

Page 44: ...olr or NET ensure that their services run as the ColdFusion user account as well If you installed a subcomponent but are not using it yet you can change the service Startup type to Disabled 4 1 4 Remove CFIDE and cfdocs virtual directories added by installer ...

Page 45: ...virtual directory in each site that relies on the assets in there Here s a short list of tags or features that may require CFIDE scripts cfajaxproxy cfcalendar cfchart HTML5 cfdiv cfform cfgrid cflayout cfmediaplayer cfmenu cftextarea cfpod cfprogressbar cfslider cftooltip cfwindow In this guide we choose a virtual directory mapping of cf scripts but you should choose a unique mapping name for you...

Page 46: ...e Extensions that usually can be blocked check with developers first Purpose Safe to Block Executes CFML templates same as cfm files The cfml file is not typically used by developers if you don t use cfml block this file extension JavaServer Pages Yes if your applications do not require JSP Java Web Services allows you to easily write and deploy SOAP web services in Java similar to a CFC Yes if no...

Page 47: ...ngs that are not used may be removed Note that you should also block the removed extensions using Request Filtering as shown in the previous section Keep in mind that if you remove the mapping for a source file such as cfc the source code may be downloaded when requested if the extension has not been blocked using Request Filtering or some other method ...

Page 48: ...NET Once you have all websites configured in IIS you may consider removing the IIS Role Services ASP NET NET Extensibility and CGI which are required by the connector installer however may not be needed at runtime This approach while it may provide additional security by allowing removal of unused software does have two drawbacks First this is not a procedure that is officially documented or suppo...

Page 49: ...by performing an md5sum on the hotfix_XXX jar file see that it matches the value found in Adobe ColdFusion update feed https www adobe com go coldfusion updates If the md5 checksum matches install the hotfix opt coldfusion10 jre bin java jar opt coldfusion10 cfusion hf updates hotfix_XXX jar Replace hotfix_XXX jar with the filename of the hotfix jar you are installing and follow the prompts The in...

Page 50: ...y run the hotfix installer by root you can setup more restrictive file security Now to allow access Apache to serve files in the CFIDE we need to ensure that apache has execute permissions on all parent folders so that it can traverse the directory structure chown cfusion webservices opt coldfusion10 chown cfusion webservices opt coldfusion10 cfusion chown cfusion webservices opt coldfusion10 cfus...

Page 51: ...mands that begin with chcon or setsebool First create an empty log file touch opt coldfusion10 config wsconfig 1 mod_jk log And an empty shared memory file touch opt coldfusion10 config wsconfig 1 jk_shm Now lets apply proper file permissions to the connector directory chown R cfusion webservices opt coldfusion10 config wsconfig 1 chmod R 640 opt coldfusion10 config wsconfig 1 chmod 750 opt coldfu...

Page 52: ...e encouraged to pick a unique value for this alias Add the following to your httpd conf file Alias cf scripts opt coldfusion10 cfusion wwwroot CFIDE scripts In the above line we have created a virtual mapping cf scripts and pointed it to the file path corresponding to the CFIDE scripts directory You will need to specify the mapping you used in the ColdFusion administrator in the Default ScriptSrc ...

Page 53: ... been updated To revert to the default jvm replace jvm config with jvm config backup and restart ColdFusion 4 2 7 Setup Auditing First ensure that auditd is installed and configured to meet your requirements in etc audit auditd conf Use auditctl to add auditing to file system operations for example auditctl w opt coldfusion10 p wax k cf10 The above will audit all write attribute change and execute...

Page 54: ... the principal of least privilege deny access to any tags functions datasources file paths and IP ports that do not need to be accessed by code in the particular sandbox The sandbox of the requested CFM CFC is the active sandbox for all code executed in a particular request If you are running Standard Edition you can still setup a sandbox but you cannot create multiple sandboxes 4 3 2 Remove Tomca...

Page 55: ...Edit the file cf instance home runtime conf server xml and locate the line similar to Server port 8007 shutdown SHUTDOWN Change 8007 to 1 to disable this feature or to random port number Tomcat should only listen on 127 0 0 1 for this port however you should also ensure that your firewall does not allow external connections to this port Also consider changing the shutdown command that is the value...

Page 56: ... 3 redirectPort 8445 tomcatAuthentication false requiredSecret yourSecret Next edit the corresponding workers properties file eg cf home config wsconfig 1 workers properties and add a line worker cfusion secret yourSecret 4 3 6 Additional Tomcat Security Considerations Consult the Tomcat 7 Security Considerations document http tomcat apache org tomcat 7 0 doc security howto html for additional tom...

Page 57: ...ossible Any templates such as scheduled tasks that might take longer should use the cfsetting tag For example cfsetting requesttimeout 60 Use UUID for cftoken Unchecked Checked The default cftoken values are sequential and make it fairly easy to hijack sessions by guessing a valid CFID CFTOKEN pair This setting is not necessarily required if J2EE session are enabled however it doesn t hurt to turn...

Page 58: ...refix serialized JSON with Unchecked Checked This setting helps prevent JSON hijacking and should be turned on ColdFusion AJAX tags and functions automatically remove the prefix If developers have written CFC functions with returnformat json or use the SerializeJSON function the prefix will be applied and should be removed in the client code before processing Developers can override this setting a...

Page 59: ... accommodate the memory limit Watch configuration files for changes check every N seconds Unchecked Unchecked If an attacker is able to modify the configuration of your ColdFusion server their changes can become active within a short period of time when this setting is enabled If your configuration requires this setting to be enabled if using WebSphere ND vertical cluster for example increase the ...

Page 60: ...is turned on it uses a regular expression defined in the file neo security xml to replace input variables containing following tags object embed script applet meta with InvalidTag This setting does not restrict any javascript strings that may be injected and executed iframe tags or any XSS obfuscation techniques See Appendix A 13 for more information on XSS attack vectors Default ScriptSrc Directo...

Page 61: ...n version in use Site wide Error Handler Blank or CFIDE administra tor templates secu re_profile_error cf m Specified The default site wide error handler may expose information about the cause of exceptions Specify a custom siite wide error handler that discloses the same generic message to the user for all exceptions Be sure to log the actual exception Maximum number of POST request parameters 10...

Page 62: ...d also be able to specify a HTTP Request size limit on your web server Request Throttle Threshold 4MB 1MB ColdFusion will throttle any request larger than this value If your application requires a large number of concurrent file uploads to take place you may need to increase this setting Request Throttle Memory 200MB 100MB on 32 bit installations On a 32 bit installation the default value would be...

Page 63: ...d under load causing the CPU time of all requests to increase significantly known as context switching Find a good medium by performing load tests against your production environment use the value that has the ability to serve the most requests per second Maximum number of simultaneous Flash Remoting requests 5 1 if not using Flash Remoting otherwise tuned If your applications do not use flash rem...

Page 64: ...ess you are using cfreport heavily Maximum number of threads available for CFTHREAD 10 1 if not using cfthread tuned otherwise Set this value to 1 if you are not using cfthread If you do use cfthread setting a value too high can lead to context switching Timeout requests waiting in queue after 60 seconds 5 seconds Match Request Timeout This setting can generally be set equivalent to the Timeout Re...

Page 65: ... on the system partition it is not recommended to use the Registry 5 4 Server Settings Memory Variables Setting Default Recommendation Description Use J2EE session variables Unchecked Checked if J2EE interoperability required When checked ColdFusion will use the session management of the underlying JEE container eg Tomcat instead of it s own CFID CFTOKEN Enable Session Variables Checked Unchecked ...

Page 66: ...1 ColdFusion will set the session cookie as a browser session cookie which is valid as long as the users browser window is open As of this writing you cannot specify a value of 1 using ColdFusion administrator however you can set this value by editing the sessionCookieTimeout value in the neo runtime xml file HTTPOnly Checked Checked Session cookies should always be marked as HTTPOnly to prevent J...

Page 67: ... Setting Default Recommendation Description Enable SSL socket connections to mail server Unchecked Checked if supported Consider enabling SSL or TLS encryption for sending mail with ColdFusion Enable TLS connection to mail server Unchecked Checked if supported Consider enabling SSL or TLS encryption for sending mail with ColdFusion 5 6 Data Services Data Sources Setting Default Recommendation Desc...

Page 68: ...are not commonly used in web applications Ensure that the database user that ColdFusion connects as also has limited permissions to only what is necessary 5 7 Data Services Flex Integration Setting Default Recommendation Description Enable Flash Remoting support Checked Unchecked if not used Disable Flash Remoting if it is not being used Enable RMI over SSL for Data Management Unchecked Checked if...

Page 69: ...disclosed when exceptions occur Enable AJAX Debug Log Window Unchecked Unchecked Debugging should not be enabled on a production server Enable Request Debugging Output Unchecked Unchecked Debugging should not be enabled on a production server 5 9 Debugging Logging Debugger Settings Setting Default Recommendation Description Allow Line Debugging Unchecked Unchecked Debugging should not be enabled o...

Page 70: ... archives 10 Larger When a log file reaches the Maximum File Size 5000KB by default it is archived When the maximum number of archives is reached for a particular log file the oldest log file is deleted Some security compliance regulations require that log files are kept for a minimum period of time Ensure that this value is high enough to retain log files for the required duration Use operating s...

Page 71: ...Default Recommendation Description ColdFusion Administration Authentication Separate user name and password authentication Separate user name and password authentication Using separate usernames and passwords allows you to specify which parts of the ColdFusion administrator each user may use Password Seed Generate a Cryptographically Secure Random Value The password seed is used to generate an enc...

Page 72: ...es not contain a ServletMapping for the RDSServlet 5 14 Security Sandbox Security Setting Default Recommendation Description Enable ColdFusion Security Unchecked Checked Sandboxes allow you to lock down which CFML source files have access the file system tag function execution datasource access and network access It is highly recommended that you setup a sandbox or multiple sandboxes for your appl...

Page 73: ...iring maximum security Allowed IP Addresses for ColdFusion Administrator access 127 0 0 1 or other internal administrative IP addresses Specify to limit which IP addresses may connect to the ColdFusion administrator 5 16 Server Update Updates Settings Setting Default Recommendation Description Automatically Check for Updates Checked Check for ColdFusion updates every time you login to ColdFusion a...

Page 74: ... go coldfusion updates HTTPS version of url or specify an internal URL Change the default URL to https to avoid a spoofed update If your network security policy does not allow external internet connection you can maintain a internal update URL which could be updated manually ...

Page 75: ... servlet mapping id coldfusion_mapping_3 servlet name CfmServlet servlet name url pattern cfm url pattern servlet mapping The servlets are also defined in the web xml file the CfmServlet is defined as servlet id coldfusion_servlet_3 servlet name CfmServlet servlet name display name CFML Template Processor display name description Compiles and executes CFML pages and tags description servlet class ...

Page 76: ...RDS Servlet Remove the RDS Servlet mapping servlet mapping id coldfusion_mapping_9 servlet name RDSServlet servlet name url pattern CFIDE main ide cfm url pattern servlet mapping Remove the RDS Servlet definition servlet id coldfusion_servlet_8789 servlet name RDSServlet servlet name display name RDS Servlet display name servlet class coldfusion bootstrap BootstrapServlet servlet class init param ...

Page 77: ...by cfchart and the deprecated cfgraph tags Remove Servlet Mappings that point to the GraphServlet servlet mapping id coldfusion_mapping_2 servlet name GraphServlet servlet name url pattern CFIDE GraphData url pattern servlet mapping servlet mapping id coldfusion_mapping_11 servlet name GraphServlet servlet name url pattern CFIDE GraphData cfm url pattern servlet mapping 6 5 Disabling Flash Remotin...

Page 78: ...rms cfform format flash you can disable the servlet mappings used to serve flash forms Remove flash form servlet mappings servlet mapping id coldfusion_mapping_13 servlet name CFFormGateway servlet name url pattern CFFormGateway url pattern servlet mapping servlet mapping servlet name CFInternalServlet servlet name url pattern cfform internal url pattern servlet mapping servlet mapping servlet nam...

Page 79: ...e cfr mapping on the web server 6 8 Remove WSRP Servlet Mapping The WSRP Servlets and Filters are used to support Web Services for Remote Portlets a SOAP based API for serving portlets If this feature is not used the web services Remove the WSRPFilter Servlet Mapping servlet mapping servlet name WSRPProducer servlet name url pattern WSRPProducer url pattern servlet mapping 6 9 Disabling the CFFile...

Page 80: ...that point to the CFCServlet to the CFForbiddenServlet Change the servlet mappings servlet mapping id coldfusion_mapping_8 servlet name CFCServlet servlet name url pattern cfc url pattern servlet mapping servlet mapping id coldfusion_mapping_4 servlet name CFCServlet servlet name url pattern cfc url pattern servlet mapping Change to the following servlet mapping id coldfusion_mapping_8 servlet nam...

Page 81: ...81 Note it is important that you do not delete these mappings as this will allow your CFC source code to be downloaded ...

Page 82: ...red or to limit certain URIs to HTTP POST over a secure SSL connection security constraint display name POST SSL display name web resource collection web resource name POST ONLY SSL web resource name url pattern post url pattern http method POST http method web resource collection user data constraint transport guarantee CONFIDENTIAL transport guarantee user data constraint security constraint sec...

Page 83: ...ttp technet microsoft com en us security default aspx RedHat Security http www redhat com security updates Changelog for Apache 2 2 web server http www apache org dist httpd CHANGES_2 2 To keep updated with ColdFusion 10 updates you can use the server update feature in ColdFusion administrator Consider setting up an instance to email you when new updates are released You should also consider follo...

Page 84: ...tree com blog index cfm mode entry entry 28ED0616 50DA 0559 A0DD2E158FF884F3 A 5 ColdFusion MX with SELinux Enforcing http www ghidinelli com 2007 12 06 coldfusion mx with selinux enforcing A 6 Tips for Securing Apache http www petefreitag com item 505 cfm A 7 Apache Security by Ivan Ristic 2005 O Reilly ISBN 0 596 00724 8 A 8 Tips for Secure File Uploads with ColdFusion http www petefreitag com i...

Page 85: ...TPS Hypertext Transfer Protocol Secure Encryption layer for HTTP HTTP Hypertext Transfer Protocol SSH Secure Shell Protocol used to connecting to a remote server typically on unix NTFS New Technology File System File System for Windows which allows for fine grained ACL ACL Access Control List XML Extensible Markup Language JSP Java Server Page JWS Java Web Service CFML ColdFusion Markup Language ...

Page 86: ...86 RDS Remote Development Services XSS Cross Site Scripting CSRF Cross Site Request Forgery Also referred to as XSRF CFC ColdFusion Component IP Internet Protocol ...

Page 87: ...rvalds in the U S and other countries Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and or other countries Red Hat is a trademark or registered trademark of Red Hat Inc in the United States and other countries Java is a trademark or registered trademark of Sun Microsystems Inc in the United States and other countries UNIX is a re...

Reviews:

No comments