Tag Archives: ColdFusion Website Security

Is it Important to turn your ColdFusion eCommerce website PCI Compliant

Reliable service providers are a key part of ensuring compliance with the PCI DSS (Payment Card Industry Data Security Standard). The best way a business owner can reduce their website’s PCI obligations and the risk of a data breach is to outsource to a PCI-compliant service provider.

It is your responsibility to acquire services that come with the right solutions. We at ITLANDMARK help you with the best PCI-compliant services to ensure you safeguard cardholders’ data.

Some IT specialists believe that making a website PCI compliant is just a small drop in the ocean when viewed against the broader picture of website and data security. But is this something to worry about? We believe there is no point in worrying, because nothing in the world is completely secure and nothing can be guaranteed never to fail.

Let us use a simple comparison to make this concept clearer:

Imagine installing gutters in a newly constructed house; this is like making your website PCI compliant. Can they guarantee that water will never seep into the walls? No, but they surely protect the home from water and rain. In the same way, a PCI-compliant website provides a good baseline for your web system’s security.

PCI Compliance on your Website

The PCI DSS requires any website or company that processes and holds card data to maintain the privacy and confidentiality of that data. PCI compliance was created to protect customers’ credit card data and to reduce theft, fraud, hacking and other vulnerabilities.

Most websites still lack PCI compliance, even though the rate is improving. But it is necessary to integrate it into your website when you accept online card payments.

The fundamental steps a website must implement to meet or exceed the PCI Data Security Standard include:

  • Protect customers’ card data
  • Create and maintain a secure network
  • Schedule vulnerability scans to confirm data security
  • Maintain a vulnerability management program
  • Monitor and test networks on regular basis
  • Implement strong access control measures

Beyond the essentials above, the business owner should also complete a self-assessment questionnaire, keep an up-to-date written security policy, and have his/her website scanned and certified by an authorized PCI compliance vendor.

Worried about online security? Yes. Fraud is rising and has a great impact on business owners and customers alike. Thankfully, we have helped many businesses become PCI compliant to protect them from these vulnerabilities.

If you have any more queries regarding PCI compliance, let us know by filling the contact form below or call us directly at 1.800.383.5095.

ColdFusion 10 Update 11, with more than 50 fixes, is now available!

ColdFusion Security Updates

We already discussed security update APSB13-19 in our previous post. Below are the details of ColdFusion 10 Update 11 (which includes APSB13-19) and what it fixes. Secure your ColdFusion applications and servers before they are exploited through these vulnerabilities.

What’s covered in ColdFusion 10 Update 11

ColdFusion 10 Update 11 (release date: July 9th, 2013) adds support for 64-bit COM interoperability, Microsoft SQL Server 2012 and MySQL 5.6, in addition to several important bug fixes. It includes all the bug fixes from previous updates of ColdFusion 10. This update also addresses the vulnerability described in security bulletin APSB13-19.

Note: This update applies to ColdFusion 10 only.

Issues fixed

| Bug # | Title | Product Area |
|---|---|---|
| 3331802 | Error accessing Server Updates page in the ColdFusion Administrator after disabling “enable session variables” | Administrator |
| 3338825 | SerializeJSON casts multiple zero values as number instead of string | AJAX |
| 3322342 | SerializeJSON does not preserve case when using a mix of array notation and dot notation | AJAX |
| 3148178 | ColdFusion 10 does not maintain sessions when using the CFFILEUPLOAD action page | AJAX |
| 3369530 | Frequent key collisions result in ColdFusion returning an incorrect result-set when using a cached query with queryparams | Caching |
| 3327626 | Error on application startup when using ORM secondary cache | Caching |
| 3503195 | ColdFusion 9 watermark is shown for charts in ColdFusion 10 Developer edition | Charting/Graphing |
| 3040504 | COM Interoperability with ColdFusion on 64-bit Windows throws 32-bit DLL error | COM/DCOM |
| 3506758 | Unable to execute queries on MySQL 5.6 | Database |
| 3086162 | Unable to read a file from RAM using CFSPREADSHEET tag | Document Management |
| 3195198 | CFDIRECTORY throws an exception when it encounters an inaccessible directory during a recursive list action | File Management |
| 3042909 | CFSPREADSHEET action=”write” cannot be used to write files to the VFS | File Management |
| 3568982 | instances.xml picked from the wrong location for a non-cfusion instance | HotFix Installer |
| 3519719 | Users should be notified in case a problem is encountered when applying an update using the ColdFusion Administrator | HotFix Installer |
| 3373350 | Server Update Notification uses invalid “FROM” email address | HotFix Installer |
| 3367866 | “Select all” option in ColdFusion updater doesn’t work | HotFix Installer |
| 3564451 | Error applying update on a non-cfusion instance if cfusion instance is not selected | Installation/Config |
| 3340564 | CGI.ALL_HTTP variable does not exist (IIS, all versions) | Installation/Config |
| 3339175 | “coldfusion status” command fails silently on Linux | Installation/Config |
| 3482734 | Bug in shorthand struct notation causes preceding statement to be skipped | Language |
| 3347145 | Extension to 3309220. Change of behaviour from CF 9 when persisting UTC date/time | Language |
| 3341284 | When a struct is created by copying arguments using structCopy, any new key added to it will not show up in the keylist or cfdump | Language |
| 3298179 | ColdFusion 10 form variable functionality change relating to case of variables | Language |
| 3175667 | SerializeJSON() does not fully serialize array of entities from EntityLoad | Language |
| 3583147 | Issue with ORMReload() and Secondary Cache | ORM Support |
| 3348839 | Using RestInitApplication(“/mymapping”, “servicename”) results in an exception in the ColdFusion Administrator after server restart | REST Services |
| 3348054 | RestInitApplication does not work in the case of multiple applications if application-specific mappings are used | REST Services |
| 3342142 | RESTful web services do not correctly handle character encoding | REST Services |
| 3575825 | Archive wizard displays an exception if an attempt is made to archive a task with an event handler but no defined URL | Scheduler |
| 3575011 | Exception when application tasks are defined without an application name | Scheduler |
| 3366182 | PauseAll/ResumeAll does not work when expired scheduled tasks are present | Scheduler |
| 3364661 | Invoking the event handler for onMisfire does not work | Scheduler |
| 3362794 | cfschedule throws an error if the list of dates in the Exclude attribute contains spaces after the comma delimiter | Scheduler |
| 3358899 | Using CFSCHEDULE tag with action=”PauseAll” causes an error if you have chained tasks at the server or application level | Scheduler |
| 3335521 | When an application-mode task is paused via the ColdFusion Administrator, its mode is changed to the application’s name | Scheduler |
| 3218423 | Migrated scheduled tasks show incorrect information | Scheduler |
| 3194042 | Inconsistent use of underscores in CFSCHEDULE’s result fields and attribute values | Scheduler |
| 3194041 | Task names become UPPERCASE upon .CAR deploy or server restart | Scheduler |
| 3179290 | CAR wizard only archives tasks if mode=”server” and group=”default” | Scheduler |
| 3178809 | Paused tasks misfire upon .CAR deploy | Scheduler |
| 3167859 | If a task name begins with a special character (e.g. a space), editing the task gives an error | Scheduler |
| 3141655 | Paused tasks are misfired on restart of ColdFusion | Scheduler |
| APSB13-19 | Security hotfix addresses a vulnerability that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets | Security |
| 3488063 | IIS 404 custom error handler URLs that are .CFM files do not consistently return the entire document | Web Container (Tomcat) |
| 3493943 | Adding a new instance corrupts commons-daemon-native.tar.gz | Web Container (Tomcat) |
| 3426811 | CGI.server_port information incorrect when using any type of port forwarding | Web Container (Tomcat) |
| 3531653 | ColdFusion 10 web services fail in IIS virtual folders | Web Services |
| 3344353 | Web services will not be served from https with stock ColdFusion 10 install | Web Services |
| 3342995 | [ANeff] Bug for: typo in WSPublish() exception | Web Socket |
| 3342991 | [ANeff] Bug for: typo subscribercount_callbackHanlders (dl, not ld) in cfwebsocketChannel.js | Web Socket |
| 3330785 | CGI scope getting reset by websocket handler | Web Socket |
| 3587627 | Error when using Web Socket to invoke a CFC function that returns the CGI scope | Web Socket |

See more details here.

If you have any questions or need any help with ColdFusion 10 installation, ColdFusion 10 updates installation or migrating to ColdFusion 10, contact us.

Reference(s): ColdFusion Help / ColdFusion 10 Update 11

Securing ColdFusion Applications against CSRF Attack

What is CSRF (Cross Site Request Forgery) Attack?

In Cross-Site Request Forgery (CSRF), also called a one-click attack or session riding, the attacker forces the victim’s browser to execute unwanted actions on a web application in which the victim is currently authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands. Though CSRF has some preconditions that an attacker must set in place before succeeding, it is an important attack to understand and protect against. In simple words, CSRF vulnerabilities occur when the web application cannot distinguish legitimate requests from forged ones. CSRF is rated among the ten most critical web application security flaws in OWASP’s Top 10 project. A CSRF attack is possible with both POST and GET requests.

http://fragilesecurity.blogspot.in/

Traditionally, applications have been protected against CSRF using a CAPTCHA. But what if there were an alternative that requires no verification code, avoids user errors when typing security codes, and keeps your form clean? Awesome! This is now possible with ColdFusion 10.

In ColdFusion 10, two new functions, CSRFGenerateToken() and CSRFVerifyToken(), were added to protect your ColdFusion web application against CSRF attacks. Here is an example of how to add the CSRF protection.

login.cfm

<!--- Generate (or reuse) the anti-CSRF token for the current session --->
<cfset csrfToken = CSRFGenerateToken() />

<cfform method="post" action="loginAction.cfm">
    <!--- Send the token back with the form as a hidden field --->
    <cfinput name="csrftoken" type="hidden" value="#csrfToken#">
    Login ID: <cfinput name="loginID" type="text"><br/>
    Password: <cfinput name="password" type="password"><br/>
    <cfinput name="Submit" type="submit" value="Sign In">
</cfform>

loginAction.cfm

<!--- Reject the request if the token is missing or does not match the session's token --->
<cfif (not isDefined("form.csrfToken")) or (not CSRFVerifyToken(form.csrfToken))>
    Sorry, invalid Login ID or Password
    <cfabort>
<cfelse>
    <!--- logic for authenticated user goes here --->
</cfif>
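As an added example (not part of the original post), this hypothetical Application.cfc centralizes the check so that every POST request in the application is verified before the target page runs, instead of relying on each form handler to remember its own cfif; the application name and the token key "formToken" are placeholders:

```cfml
// Application.cfc (hypothetical application name; not from the original post)
component {
    this.name = "csrfDemoApp";

    // CSRFGenerateToken()/CSRFVerifyToken() keep the token in the session
    // scope, so session management must be enabled; with it off,
    // verification always fails and every form would be rejected.
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Runs before every requested page. Any state-changing (POST) request
    // must carry a token valid for the "formToken" key; returning false
    // stops ColdFusion from processing the requested page at all.
    public boolean function onRequestStart(required string targetPage) {
        if (cgi.request_method == "POST") {
            if (!structKeyExists(form, "csrftoken")
                || !CSRFVerifyToken(form.csrftoken, "formToken")) {
                // Use the underlying servlet response to send a 403
                getPageContext().getResponse().setStatus(403);
                writeOutput("Invalid or missing CSRF token.");
                return false;
            }
        }
        return true;
    }
}
```

Each form posting to this application embeds its hidden field as `value="#CSRFGenerateToken("formToken")#"`, using the same key that onRequestStart verifies.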

There are many other security enhancements in ColdFusion 10, which we’ll discuss in future articles. Meanwhile, if you have any questions or need help securing your ColdFusion application, don’t hesitate to reach us.

References: ColdFusion Security Improvements, Fragile Security