Read an Excerpt

Working with Other Dangerous and Undocumented Tags The tags listed above, which are controlled within the ColdFusion Administrator, are not the only potentially dangerous functionality within ColdFusion’s arsenal. Here are some additional things to worry about as you build your application. The following tags and functions cannot be disabled through the Administrator. The only way to limit the use of these tags is to run your application inside an Advanced Security sandbox, and use that sandbox’s settings to control which tags and functions are available. (For more on Advanced Security, see Chapter 6.)

GetProfileString(), ReadProfileString()

GetProfileString() and ReadProfileString() are documented functions for reading and writing to *.ini files. These functions are great for creating and utilizing small, file-based persistent storage mechanisms, especially when storing such information in a database is impossible or not desired. You may also want to look at these functions if your ColdFusion application is tightly integrated with another application; the two apps may be able to share an .ini file containing common configuration information.

These functions are dangerous because they can read and write to sensitive system files. A hacker could use these functions to alter Windows files, or .ini files belonging to unrelated applications. This access could expose sensitive information to the hacker, or alter your system such that it will not boot!

GetTempDirectory()

GetTempDirectory() is a documented function; it returns the operating system ’s directory for storing temp files. A minor security threat, this function can expose to information about your system’sconfiguration to a hacker. The less a hacker knows, the better off you are.

GetTempFile()

GetTempFile() is a documented function. Unlike GetTempDirectory(), which simply returns information, GetTempFile() will actually create an empty, 0-byte file within the directory you specify. Even though each temp file is empty, it still takes up some room on disk for its listing in the directory. A hacker could use this function within a loop to create enormous amounts of these temp files, which has a remote possibility of consuming your disk space. The larger threat is to performance and stability, since any directory with huge amounts of files causes the operating system to crawl.

is a documented tag. It allows the ColdFusion server to temporarily execute as a user different from the one you specified in the Services Control Panel (Windows) or the start script (UNIX). This is extremely useful to provide short-term dynamic access to resources, but it also creates large security holes. If you are relying on your operating system’s security policy for protection, you’re not completely safe. This tag can bypass OS-level security by simply logging on as someone else—preferably someone who has more privileges!

CF_SetDataSourceUsername(), CF_GetDataSourceUsername(),

CF_SetDataSourcePassword(), CF_SetODBCINI(),CF_GetODBCINI()

CF_SetDataSourceUsername(), CF_GetDataSourceUsername(),

CF_SetDataSourcePassword(), CF_SetODBCINI(), and CF_GetODBCINI() are undocumented functions. These functions read and write the properties of a datasource, including the ability to change username and password. They are useful in specific situations, but mostly create a security hole. If a hacker can start changing login credentials for your database, your whole application may crash. A hacker could also use these tags to glean information about valid database logins, and use that information to hack your database.

CF_GetODBCDSN()

CF_GetODBCDSN() is an undocumented tag. It lists all the ODBC datasources on the system, and is very, very useful to hackers who would like to break into your datasources.

CFusion_Encrypt(), CFusion_Decrypt()

CFusion_Encrypt() and CFusion_Decrypt() are undocumented functions. They perform the same function as the documented Encrypt() and Decrypt() functions, but use a different algorithm and produces different results. The result of CFusion_Encrypt() will only contain the numbers 0-9 and the letters A-F, but the result of Encrypt() can contain special characters. This is very useful for a hacker to attempt to unencrypt sensitive, encrypted data.