So far we have seen that to secure our shared hosting customers from each other we need to place them in a Sandbox limiting file system access, datasource access and disabling access to cfexecute, cfobject and CreateObject(JAVA/COM/.NET) . Typically I add cfregistry to the list of disallowed tags as well. While not strictly necessary for security (you are running ColdFusion with a non-privileged account, aren’t you?), the registry is a shared resource that is easily fragmented and has a limited size, so I just want to keep customers out.
cfdump
The problem we have now is that apart from the functionality we intended to disable we have inadvertently disabled some more functionality, including the cfdump tag. In the directory /WEB-INF/cftags/ are a number of .cfm templates that implement tags and one of them is dump.cfm. But since this tag is included much like a customtag would be included, it runs with the same permissions that a normal customtag would be running. And those permissions disable the use of CreateObject(JAVA), causing cfdump to throw an error when some datatypes are dumped.
The workaround (go ask Adobe for a solution) is to replace /WEB-INF/cftags/dump.cfm with a custom dump template. I have made the one I use available as a download. It isn’t pretty, it doesn’t dump Java objects (but shared hosting customers can’t create them anyway), but it does the job.
cfinterface
cfinterface is another one of the tags implemented in CFML in /WEB-INF/cftags/. If you try to use a component implementing an interface you will notice that this throws an error. Apparently we need to grant read and execute permissions on that directory to every Sandbox (you can adapt the script I posted before for that). I just ran into this this weekend when I updated my dump template to show interface information as well, so I guess that shows how much I use shared hosting myself.
The ColdFusion Administrator and Admin API
In ColdFusion 8 Adobe introduced multiple user accounts and permission delegation for the ColdFusion Administrator and the Admin API. I have my doubts about delegating access to the ColdFusion Administrator in a shared hosting environment since the delegation is based on functionality and not on Sandboxes. So that means you can delegate access to see certain features, such as the logfiles, but not certain features for a specific Sandbox, i.e. the logfiles of a specific customer. Since pretty much every feature in the Administrator I can delegate has security implications, I can not delegate anything.
With the Admin API the situation is even worse. Internally the Admin API has been implemented in CFML and it suffers from the same problem as cfdump: it uses cfobject and createobject(JAVA) functionality that we can not enable without giving users the ability to upgrade themselves to root administrator. The only way we can use them is in our own management scripts and as a backend invoked through some facade we need to write first.
Application scope variables
ColdFusion piggybacks its application scope variables on the Java application scope. This allows for an integration in the application scope between for instance ColdFusion and JSP code: variables you write in one are available in the other. The downside is that on the Java side the application scope is considered an instance wide scope and all data is accessible. That means that whatever customer A puts in the application scope is accessible to customer B. Put the following in your Application.cfc to see how that works:
<cfcomponent> <cfset this.name = "" /> <cffunction name="onRequestStart"> <cfdump var="#application#" /> <cfabort /> </cffunction> </cfcomponent> |
This sharing of the application scope is by design and as a result it is unsafe to store data in the application scope on a shared host.
Jonathan van Zuijlekom says:
The application scope variables are only accessible across applications if the application name is the same. I would advise to use a hard to guess application name
2008/12/15, 16:35Bradley Moore says:
Giving your application uncommon/hard to guess names is helpful, but it only prevents accidental access to your application scope. Targeted/Blanket attacks are possible without the knowledge of your application name.
Quick Attack Explaination:
// This works on any application on the same CF instance. Attacking my dev machine from itself! Oh, noes.
- Startup a few CF applications
- Create a new directory on the same CF instance.
- Create a new application named an empty string or be lazy and let ColdFusion default the value for you.
Application.cfc code:
- Create a new page and
- Don’t Panic
There is a bunch of stuff you could careless about, but you will also see every application name and variable stored within the application scope. The amusing bit is these are pointers, so we can also modify them. =(
This means anyone else on your shared CF instance can see/modify your application variables. This means you should not store your dsn login information, encryption keys, ssn, credit card data, etc in the application scope.
Similarly, if you do know another application name, then you can name your application to the same thing and access their application scope variables.
2008/12/15, 21:02Bradley Moore says:
Yarr, Application.cfc code should be <cfcomponent></cfcomponent>
2008/12/15, 21:04Jonathan van Zuijlekom says:
@Bradley: You’re right, using an empty Application.cfc lets you dump (and edit) all application variables.
Shouldn’t this “feature” be fixed?
2008/12/16, 10:15