
Application.cfm tips and Tricks

Michael Smith

President

TeraTech, Inc

ColdFusion, database & VB custom development and training.

http://www.teratech.com

800-447-9120

Presentation copyright TeraTech 2002

Speaker Information

Who am I?

Michael Smith, President of TeraTech, Inc, Rockville MD

http://www.teratech.com/

ttWebReportServer, CFXGraphicserver

MDCFUG, CFUN-02, Fusebox Conf

Articles in CFDJ, Fusion Authority

CF_Underground IV, Oct 27th: http://www.cfconf.org/cf_underground4/

Overview

What is Application.cfm

Directory rules

Error handler

Application, Session and Client variables

Logon and Members only

Application Setup

Security

What is Application.cfm

A regular CFM file that ColdFusion includes automatically, ONCE, at the beginning of every request.

Spelt Application.cfm (capital A: Unix filenames are case-sensitive, so application.cfm is not found there).

You could instead put a CFINCLUDE at the beginning of every template. Application.cfm saves that coding time, and it means a security check placed there cannot be forgotten on one template.

Directory Rules

CF searches for Application.cfm starting in the directory of the requested template.

It moves up the directory tree, past the web root all the way to the system root (eg C:/), until it finds one. Only the first one found is run, so a subdirectory with its own Application.cfm silently replaces the checks in the parent's unless it includes them.

Even if you don't want to use the Application.cfm feature, have a blank one in the web root to save the processing time of the search.

OnRequestEnd.cfm

OnRequestEnd.cfm is run at the end of each page request: the opposite of Application.cfm.

Must be in the same directory as the Application.cfm that was used.

Not run after CFABORT, so don't rely on it for cleanup that must always happen.

Traps

You cannot span tags between Application.cfm and OnRequestEnd.cfm: a CFOUTPUT, CFLOCK or CFTRY opened in Application.cfm must be closed in Application.cfm, not in OnRequestEnd.cfm. Each template is compiled on its own.

Error handling

Always have an error handler in Application.cfm, via the CFERROR tag.

Never display the default CF error pages: they give out SQL statements and template paths.

Instead, email the full error to an admin and show the user a generic page. Don't explain why the attempt failed; that tells an attacker what to change next time.

You can turn the handler off for development IPs so developers still see the full diagnostics.

Error handling code

In Application.cfm:

<CFERROR type="EXCEPTION" template="error_exception.cfm" mailto="michael@teratech.com">

In error_exception.cfm (type="EXCEPTION" allows full CFML in the handler, so the mail can be sent from here):

<CFMAIL to="#error.MailTo#" from="[email protected]" subject="ColdFusion Error">
Remote address: #error.RemoteAddress#
Template:       #error.Template#
Time:           #error.DateTime#
#error.Diagnostics#
</CFMAIL>
<!--- The visitor gets only a generic page; never output error.Diagnostics to the browser --->
<p>Sorry, an error occurred. The administrator has been notified.</p>

Application variables

Global across all pages and all users. Set up using the CFAPPLICATION tag:

<CFAPPLICATION name="cfclass" applicationtimeout="#CreateTimeSpan(1,0,0,0)#">

Use as application.variablename. Lock your usage (CF 5 and earlier):

<CFLOCK scope="Application" type="READONLY" timeout="10">

Beware the maximum timeout in CF Admin: it caps whatever the tag asks for.

Session variables

Persistent between pages for ONE user, held in server memory. Use the CFAPPLICATION tag:

<CFAPPLICATION name="cfclass" sessionmanagement="yes" sessiontimeout="#CreateTimeSpan(0,0,10,0)#">

Use as session.variablename. Lock your usage (CF 5 and earlier):

<CFLOCK scope="Session" type="READONLY" timeout="10">

Beware the maximum timeout in CF Admin: it caps whatever the tag asks for.

Client variables

Persistent between pages for ONE user, like session variables, but stored outside server memory. In Application.cfm:

<CFAPPLICATION name="cfclass" clientmanagement="yes">

Use as client.variablename.

Use client variables in place of session variables to avoid locking in CF 5.

Store them in a DB, NOT the registry.

Client variables hold only simple values: use WDDX (the CFWDDX tag) to store a complex variable such as a structure.

The timeout is set globally in CF Admin. For an inactivity timeout of less than 2 hours, test it manually in your own code (next slide).

Timeouts

<!--- Roll your own timeout code. This example logs the user out after 5 idle minutes. --->
<!--- Skip the check on the logon page itself: Application.cfm runs for /logon.cfm too, and
      CFLOCATION ends the request before last_access is updated, so without this guard the
      redirect below would loop forever once the timeout had passed. --->
<CFIF CGI.script_name does not contain "/logon.cfm">
    <CFPARAM name="client.last_access" default="#now()#">
    <CFIF DateDiff("n", client.last_access, now()) gt 5>
        <!--- Clear the logon marker so the expired logon cannot be reused --->
        <CFSET client.username = "">
        <CFLOCATION url="/logon.cfm">
    </CFIF>
</CFIF>
<CFSET client.last_access = now()>

Members only

Want to protect subdirectories for members only:

Check CGI.script_name for the directory.

Check if the user is logged on, using a client variable.

Might also check roles in a more complex system.

Members Only Code

<CFPARAM name="client.username" default="">
<CFIF CGI.script_name contains "/private/">
    <CFIF client.username is "">
        <CFLOCATION url="/logon.cfm">
    </CFIF>
</CFIF>

logon.cfm must set client.username only after the credentials have been verified, and must not itself live under /private/, or the redirect loops.

Application Setup

Set request variables for the dsn, web root and other constants.

The request scope doesn't need locking.

Have different versions of the values for development, staging and production servers, selected in Application.cfm.

Application Setup code

<CFSET request.InstallationLocation = CGI.SERVER_NAME>
<CFIF request.InstallationLocation EQ "www.myserver.com">
    <CFSET request.dsn = "Mysite">
    <CFSET request.urlhome = "http://#request.InstallationLocation#/admin">
    <CFSET request.Rootpath = "/admin">

... More Setup code

<CFELSEIF request.InstallationLocation EQ "www.teratech.com">
    <CFSET request.dsn = "Dev_Mysite">
    <CFSET request.urlhome = "http://#request.InstallationLocation#/projects/mysite/admin">
    <CFSET request.Rootpath = "/projects/mysite/admin/admin">
<CFELSE>
    <!--- CGI.SERVER_NAME comes from the client's Host header. Refuse unknown names rather than
          running with no dsn, or letting a crafted Host header select another configuration. --->
    <CFABORT showerror="Unknown server name">
</CFIF>

Caching Data

Store application-wide data in memory in application variables.

Must lock writes and reads.

Check to see if the variable exists before creating it, so the query runs once rather than on every request.

Query caching (cachedwithin on CFQUERY) is easier to code.

Caching Data code

<!--- The slide elided the CFLOCK attributes; scope, type and the required timeout are filled in here --->
<CFLOCK scope="Application" type="EXCLUSIVE" timeout="10">
    <CFIF not IsDefined("application.myquery")>
        <CFQUERY datasource="#request.dsn#" name="application.myquery">
            SQL...
        </CFQUERY>
    </CFIF>
</CFLOCK>

Copy Session to Request

Session variables require locking; request variables do not.

Copy the session structure to a structure in the request scope in Application.cfm, inside one lock.

Use the request variables in your code.

Write any that are changed back into the session scope, under one exclusive lock.

Caveat: two simultaneous requests from the same user (frames, double clicks) each work on their own copy, so the last one to write back wins.

See the article "How to sidestep locking" on MDCFUG: http://www.cfug-md.org/Articles/RequestVariables.cfm
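A worked version of this pattern, added here as an example and not code from the deck or from the MDCFUG article: Application.cfm snapshots the session once, pages mark the keys they change, and OnRequestEnd.cfm writes only those keys back. The names request.sess and request.sessChanged, and the cartCount example, are assumptions of this example.

```cfml
<!--- Application.cfm: one READONLY lock to snapshot the whole session into the request scope.
      Duplicate() makes a deep copy, so later changes to request.sess never touch Session directly. --->
<CFLOCK scope="Session" type="READONLY" timeout="10">
    <CFSET request.sess = Duplicate(Session)>
</CFLOCK>
<!--- Pages append the names of the keys they change to this list (assumed convention) --->
<CFSET request.sessChanged = "">

<!--- A page: read and write the copy, never the Session scope itself --->
<CFPARAM name="request.sess.cartCount" default="0">
<CFSET request.sess.cartCount = request.sess.cartCount + 1>
<CFSET request.sessChanged = ListAppend(request.sessChanged, "cartCount")>

<!--- OnRequestEnd.cfm: write back only the keys that were marked, under one EXCLUSIVE lock.
      Caveat: a second request from the same user that ran in between is overwritten here
      (last writer wins), so a counter like cartCount can lose an increment when requests
      overlap. The pattern suits read-mostly data such as the logged-on username. --->
<CFLOCK scope="Session" type="EXCLUSIVE" timeout="10">
    <CFLOOP list="#request.sessChanged#" index="key">
        <CFSET Session[key] = request.sess[key]>
    </CFLOOP>
</CFLOCK>
```

The three sections belong in the three files named in the comments; they are shown together so the lock boundaries can be read in one place.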

Authentication

The web is stateless: any page can call another. This is good for open sites, but it also means hacker pages can call your page with false data.

Use CGI.HTTP_REFERER to control who calls you.

Use CGI.CF_TEMPLATE_PATH in Application.cfm to control what is run.

Warning: HTTP_REFERER is sent by the browser and can be spoofed (or left out) by the client.

Fake form submits

A hacker uses View Source in the browser to save your HTML form to their machine.

They edit the form fields and the form action URL and submit to your action page.

They can now change which record is edited, or remove fields to generate errors.

They can also remove any client-side validation, including the _required hidden fields and the JavaScript generated by CFFORM. Client-side validation is a convenience for the user, not a control; validate again on the server.

Preventing Fake form submits

To prevent casual fake form submits, check that HTTP_REFERER is in your domain. Match the start of the header, not just a substring: with contains, a referrer of http://evil.example/?http://www.mysite.com would pass.

<CFSET request.siteRoot = "http://www.mysite.com/">
<CFIF Left(CGI.HTTP_REFERER, Len(request.siteRoot)) is request.siteRoot>
    <!--- ok --->
<CFELSE>
    <CFABORT>
</CFIF>

Remember that the referrer is supplied by the client: a hand-built request can set it to anything, and some browsers and proxies send none at all, which this code also rejects. Treat it as a speed bump and still validate every field on the server.

Encrypt URLs

One way to protect URL parameters is to encrypt them on all links, form submits and JavaScript submits, so they cannot be read or edited in the address bar.

Use the URLEncrypt() and URLDecrypt() functions from the CFLib project: http://www.cflib.org/

You can decrypt in Application.cfm so the rest of the code sees normal URL variables.

This hides the parameters but is not authorization: a user can still replay any encrypted URL they were legitimately given, so the action page must still check that the user may act on that record.

SQL hacking

URL and Form parameters used directly in SQL:

SELECT * FROM EMP WHERE ID = #USERID#

Extra SQL commands appended, on SQL Server:

http://myserver/page.cfm?ID_VAR=7%3BDELETE%20FROM%20MyCustomerTable

which decodes to ID_VAR=7;DELETE FROM MyCustomerTable and turns the query into SELECT * FROM EMP WHERE ID = 7;DELETE FROM MyCustomerTable.

The | character reaches VBA functions such as shell() on Access; xp_cmdshell runs OS commands on SQL Server.

SQL hacking prevention

Use <CFQUERYPARAM> on all SQL parameters. It binds the value as typed data, so the database never parses it as SQL.

As a second line, check for ' and | etc in form and url variables in Application.cfm. This is a filter, not a fix: the payload 7;DELETE FROM MyCustomerTable above contains neither character, so only CFQUERYPARAM stops it.

Encrypt URL variables.
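The injectable query from the SQL hacking slide beside its CFQUERYPARAM form, plus an edit action page that also ties the record to the logged-on user, so the edited hidden field from the Fake form submits slide cannot reach another user's record. This is an added example, not code from the deck: request.dsn, client.username and the EMP table follow the slides, while the columns LastName, Salary and Owner, and the form fields, are assumptions.

```cfml
<!--- VULNERABLE (as on the SQL hacking slide): the URL value is pasted into the SQL string.
      page.cfm?ID=7;DELETE%20FROM%20MyCustomerTable runs two statements on SQL Server. --->
<CFQUERY name="getEmp" datasource="#request.dsn#">
    SELECT * FROM EMP WHERE ID = #URL.ID#
</CFQUERY>

<!--- HARDENED: CFQUERYPARAM sends the value as a typed bind parameter. The database never
      parses it as SQL, and a value that is not an integer is rejected before the query runs. --->
<CFQUERY name="getEmp" datasource="#request.dsn#">
    SELECT * FROM EMP
    WHERE ID = <CFQUERYPARAM value="#URL.ID#" cfsqltype="CF_SQL_INTEGER">
</CFQUERY>

<!--- Strings get a string type and a length cap. The parameter stops injection; the % wildcard
      for LIKE is appended by us, never taken from the user. --->
<CFQUERY name="findEmp" datasource="#request.dsn#">
    SELECT ID, LastName FROM EMP
    WHERE LastName LIKE <CFQUERYPARAM value="#Form.search#%" cfsqltype="CF_SQL_VARCHAR" maxlength="50">
</CFQUERY>

<!--- Action page for an edit form. A saved copy of the form with its hidden ID changed to another
      employee's ID still arrives here, so ownership is checked against client.username (set by
      logon.cfm as on the Members Only slide) before anything is written. Owner column assumed. --->
<CFQUERY name="chkOwner" datasource="#request.dsn#">
    SELECT ID FROM EMP
    WHERE ID    = <CFQUERYPARAM value="#Form.ID#" cfsqltype="CF_SQL_INTEGER">
    AND   Owner = <CFQUERYPARAM value="#client.username#" cfsqltype="CF_SQL_VARCHAR" maxlength="50">
</CFQUERY>
<CFIF chkOwner.RecordCount is 0>
    <!--- Not this user's record (or no such record): refuse without saying which --->
    <CFABORT showerror="Request refused">
</CFIF>
<CFQUERY name="updEmp" datasource="#request.dsn#">
    UPDATE EMP
    SET   Salary = <CFQUERYPARAM value="#Form.salary#" cfsqltype="CF_SQL_DECIMAL" scale="2">
    WHERE ID     = <CFQUERYPARAM value="#Form.ID#" cfsqltype="CF_SQL_INTEGER">
    AND   Owner  = <CFQUERYPARAM value="#client.username#" cfsqltype="CF_SQL_VARCHAR" maxlength="50">
</CFQUERY>
```

The Owner condition is repeated in the UPDATE so that the write itself is bounded to the user's rows even if the check and the update are ever separated; the typed parameters mean a tampered Form.ID of 7;DELETE FROM MyCustomerTable fails with a type error instead of running.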

Protect CFINCLUDE and CFMODULE files

Don't let CFINCLUDE and CFMODULE files be run standalone: they expect variables set by the caller, so requested directly they may do bad things or generate error messages that leak information.

Protect them using a naming convention or a subdirectory, and test CGI.script_name in Application.cfm.

Especially important for Fusebox applications with many include files.

Code to protect CFINCLUDE files

For Fusebox, where index.cfm is the only template a browser should ever request, in Application.cfm:

<!--- Compare the file name exactly. A contains test would also let through a direct request
      for any template whose name merely includes "index.cfm". --->
<CFIF ListLast(CGI.script_name, "/") is "index.cfm">
    <!--- ok to run --->
<CFELSE>
    <CFABORT showerror="Protected page">
</CFIF>

Non-Fusebox: check the filename or directory the same way, eg abort when CGI.script_name contains your include subdirectory or the filename starts with your include prefix.

Subnet Auto-Authentication

In your Application.cfm, or a header.cfm included in every page. Users on the office subnet are logged on automatically; everyone else must have logged on already.

<CFIF CGI.script_name contains "/intranet/">
    <!--- 123.456.789 is the slide's placeholder for the office network prefix.
          Compare against the prefix WITH its trailing dot (and count it in the length),
          otherwise a prefix like "10.1.2" also matches 10.1.20.x and 10.1.200.x. --->
    <CFIF Left(CGI.REMOTE_ADDR, 12) is "123.456.789.">
        <CFLOCK scope="Session" type="EXCLUSIVE" timeout="10">
            <CFSET session.authorized = TRUE>
        </CFLOCK>
    <CFELSE>
        <CFLOCK scope="Session" type="READONLY" timeout="10">
            <CFSET request.authorized = IsDefined("session.authorized")>
        </CFLOCK>
        <CFIF not request.authorized>
            <!--- CFLOCATION ends the request, so no CFABORT is needed after it --->
            <CFLOCATION URL="http://www.mycompany.com/logon.cfm">
        </CFIF>
    </CFIF>
    Your protected links here
</CFIF>

Warning: spoofed IP numbers will get around this code. Behind a proxy or NAT every user arrives with the same REMOTE_ADDR, so the check either lets everyone in or nobody.

Custom Debug info

Dump variables and structures in OnRequestEnd.cfm, using the CF_Dump custom tag or the CF 5 CFDUMP tag, to output all session variables, all cookies, etc.

http://www.smart-objects.com/docs.cfm?f=cf_dump.htm

Restrict the dump to development IPs, as with the error handler: session variables and cookies shown to a visitor hand them everything needed to hijack a session.

Session Tracking

Who is logged on now? Keep track of logon times, record activity, and decide who is still logged in from their last activity or an explicit logoff option.

Add the userid and session info to a structure in an application variable (locked, as always).

Back button hacking

A hacker uses the back button to view sensitive information left in a previous user's browser, for example on a shared machine after that user has logged out.

You cannot truly disable the back button. Instead tell the browser not to cache the page, so going back refetches it from the server and hits your logon check. Send these headers on sensitive pages, and especially on logout:

<CFHEADER NAME="Expires" VALUE="Sun, 06 Nov 1994 08:49:37 GMT">
<CFHEADER NAME="Pragma" VALUE="no-cache">
<CFHEADER NAME="Cache-Control" VALUE="no-cache, no-store, must-revalidate">

Datasource password

Don't store the datasource userid and password in CF Admin: if any template on the server is compromised, the hacker can query and destroy data with no further credentials.

Don't hardcode them in every CFQUERY call either.

Instead set them in request variables in Application.cfm, pass them through the username and password attributes of CFQUERY, and keep the stored value encrypted. Protect Application.cfm itself with filesystem permissions: a decryption key that lives in the same file only defeats casual reading.

Questions

Questions? Email me at [email protected]