Adding security to a CFC file with HTTP_REFERER - coldfusion

For extra security on my pages I use HTTP_REFERER within a cfif statement as a check on all my pages to make sure there are no successful direct attacks on any given page.
I am using a cfc file in an Authorize.net post. I do not use cfc or any other plug-ins or apps on my site so this is a first.
I would like to use a cfif statement in the cfc with the pages that call it listed in the cfif statement, and if not a listed page, cfabort the page.
<cfhttpparam name="referer" type="cgi" value="#CGI.HTTP_REFERER#">

Related

Hiding URLs in ColdFusion

I want to hide the values passed through the URLs. Are there any settings in the ColdFusion administrator for this? I know that converting all GET methods to POST will resolve the problem. Then what about the CFLOCATION tag?
<CFLOCATION url="test.cfm?id=2654&code=59874">
How do I hide the values in the above URL?
Certain methods include:
Convert the cflocation to a form post. This will hide the parameters in the URL, but as previously stated, the data will still be in the headers.
Use an iframe, and send all requests to the iframe. Similar to above, the parameters will be visible to those capable of finding them in a DOM explorer.
Encrypt/Decrypt the values on the before and after pages.
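As an added example (not code from the question or the answer), the third method carried through in CFML: the before page packs the parameters into one AES-encrypted token and the after page unpacks it. Assumed: application.urlKey is set once per application (for instance in Application.cfc's onApplicationStart with generateSecretKey("AES")), the parameter name t, and the file test.cfm from the question.

```cfml
<cfscript>
// Helpers shared by the before and after pages (added example, not from the answer).
// application.urlKey is assumed to hold a Base64 AES key created once per application.

// Before page: turn the parameter struct into one opaque, URL-safe token.
function packUrlParams(required struct params) {
    var json = serializeJSON(arguments.params);
    // CBC with no IV supplied: ColdFusion generates a random IV and prepends it to the
    // ciphertext, so the same id/code pair yields a different token on every request.
    var token = encrypt(json, application.urlKey, "AES/CBC/PKCS5Padding", "Base64");
    return urlEncodedFormat(token);
}

// After page: returns the struct, or an empty struct when the token is missing,
// truncated or tampered with (decrypt throws on bad Base64 or bad padding).
function unpackUrlParams(required string token) {
    try {
        var json = decrypt(arguments.token, application.urlKey, "AES/CBC/PKCS5Padding", "Base64");
        return deserializeJSON(json);
    } catch (any e) {
        return {};
    }
}
</cfscript>

<!--- Before page: replaces <CFLOCATION url="test.cfm?id=2654&code=59874"> --->
<cflocation url="test.cfm?t=#packUrlParams({ id = 2654, code = 59874 })#" addtoken="false">

<!--- After page (test.cfm): the values are hidden, but the normal session check
      still decides whether this user may see record 2654. --->
<cfparam name="URL.t" default="">
<cfset p = unpackUrlParams(URL.t)>
<cfif NOT structKeyExists(p, "id") OR NOT structKeyExists(p, "code")>
    <cfheader statusCode="400" statusText="Bad Request">
    <cfabort>
</cfif>
<cfset id = p.id>
<cfset code = p.code>
```

The two cfscript helpers belong in a file both pages cfinclude; the before-page and after-page tags below them go into their respective templates.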

Liferay and <portlet:renderURL> to a friendly URL

I have created a page with a friendly URL of /balance-inquiries. The full URL given within the Liferay Admin's Site Pages page is http://localhost:8080/group/guest/balance-inquiries.
Creating a renderUrl (or an actionUrl) to this page, from another page is proving to be a bit frustrating. Below is one of many variations I have tried to get this working.
<portlet:renderURL var="searchTransactionsUrl">
<portlet:param name="mvcPath" value="/balance-inquiries" />
</portlet:renderURL>
Search LPC Transactions
My question is what param values should I use to make this link work? Or should I resort to a redirect, or using instead?
Thanks in advance.
I've figured out how to build dynamic URLs for portlets spanning different WAR files. The code is as follows:
<portlet:defineObjects />
<liferay-theme:defineObjects />
<%
String portletId = "giftcardtransactionfilesummary_WAR_myportalgiftcardportlet";
long otherPlid = PortalUtil.getPlidFromPortletId(themeDisplay.getScopeGroupId(), portletId);
%>
<liferay-portlet:renderURL var="giftcardTransactionFileSummaryUrl" plid="<%=otherPlid%>" portletName="<%=portletId%>">
<liferay-portlet:param name="groupId" value="10157" />
<liferay-portlet:param name="articleId" value="11385" />
</liferay-portlet:renderURL>
view giftcard batch files
The tricks are as follows:
Understanding the naming convention behind Liferay-generated portletIds
Adding <liferay-theme:defineObjects /> to your page, as that injects a value for themeDisplay
Other than that, adding the necessary #page and #taglib directives, and all should work.
You don't create render or action urls to pages, but to portlets.
If you want to pass parameters between portlets on the same page, use inter portlet communication.
If you want to redirect to a page with a different portlet, make your portlet configurable and specify the page URL in the portlet preferences. In general, you don't know the page where the target portlet will be placed. It can be a single page or multiple pages or anything.
If you want to pass parameters to a portlet on a different page, make the page url configurable and pass the parameters through friendly url.

CfContent restricted to a folder

The application keeps the daily reports in a shared path. Our application generates the URL linking to the Excel files like
http://application/ExcelTask/Index.cfm?type=Report&fileName=Report_Mar2014.xlsx
with the cfm code as
<cfif FileExists("#filePath#")>
<cfheader name="Content-Disposition" value="inline; filename=""#URL.fileName#""">
<cfcontent type="application/vnd.ms-excel" file="#filePath#">
</cfif>
What we have found out is that if users are aware of our directory structure, the cfm files can be downloaded using URL injection like
http://application/ExcelTask/Index.cfm?type=../ExcelTask&fileName=Index.cfm
I can add a condition to only allow files of type xls and xlsx only but that looks like a Plan B.
Any ideas how to restrict the folder access?
Use basic data sanitization skills to both clean and validate your URL.type and URL.fileName:
Some replaceAll code to eliminate ../, or
try isValid("regex", some regex pattern...)
You can also validate against the session whether the currently logged-in user has the right to view/download the file, for extra protection.
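An added example (not the question's or the answer's code) of the validation the answer describes: URL.type is mapped through a fixed struct instead of being spliced into the path, URL.fileName must match an allowlist regex, and the resolved path is checked against the base directory. The directory in typeDirs is a placeholder; GetCanonicalPath needs ColdFusion 10 or later.

```cfml
<!--- Added example, not from the question or the answer. The directory is a placeholder. --->
<cfset typeDirs = { Report = "C:\shared\Report\" }>

<cfparam name="URL.type" default="">
<cfparam name="URL.fileName" default="">

<!--- 1. URL.type must be a known key; anything else (e.g. "../ExcelTask") is refused --->
<cfif NOT structKeyExists(typeDirs, URL.type)>
    <cfheader statusCode="400" statusText="Bad Request">
    <cfabort>
</cfif>
<cfset baseDir = typeDirs[URL.type]>

<!--- 2. Whitelist the file name: letters, digits, _ and -, then .xls or .xlsx.
      No slashes and no dots other than the extension, so "Index.cfm" and "../x" fail here. --->
<cfif NOT isValid("regex", URL.fileName, "^[A-Za-z0-9_-]+\.(xls|xlsx)$")>
    <cfheader statusCode="400" statusText="Bad Request">
    <cfabort>
</cfif>

<cfset filePath = baseDir & URL.fileName>

<!--- 3. Belt and braces: after resolving any ".." the path must still start with baseDir --->
<cfif Left(GetCanonicalPath(filePath), Len(baseDir)) NEQ baseDir>
    <cfheader statusCode="403" statusText="Forbidden">
    <cfabort>
</cfif>

<cfif NOT FileExists(filePath)>
    <cfheader statusCode="404" statusText="Not Found">
    <cfabort>
</cfif>

<cfheader name="Content-Disposition" value="attachment; filename=""#URL.fileName#""">
<cfcontent type="application/vnd.ms-excel" file="#filePath#">
```

With this in place the injected URL from the question fails at step 1 (type is not a key) and again at step 2 (Index.cfm does not match the pattern), before any file path is built.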

Using urlencode in application.cfm to detect XSS in url ColdFusion

I inherited some legacy ColdFusion code and about a year ago my site was hit with XSS and SQL injection.
This caused me to validate inputs coming in, as well as to include a setting of ScriptProtect="all" in my application.cfm file. I got it scanned and it came up clean.
Recently I had it scanned again and it came up with many vulnerabilities, in particular one where a script was embedded in the URL.
For example this was attached to a url:
?’A<style > a(font0family:expression(alert(2424)))</style>
This embedded hidden JavaScript. How would one use a ColdFusion function such as URLencode() in the application.cfm file to detect/prevent these sorts of XSS attacks?
There are a few specific things you can do, depending on the nature of the attacks and the type of application. The following are what I would consider to be "the big three". The first item is to enable "Enable Global Script Protection" in the "Settings" area of the ColdFusion administrator.
The second, and this is extremely important for SQL injection, is to use <cfqueryparam> with strict typing on any variable used in your queries. For example:
<cfqueryparam cfsqltype="cf_sql_integer" value="#my_integer#">
On a script-based query this would be accomplished by:
<cfscript>
qget = new query(datasource=my_datasource);
qget.addParam(name='my_integer',value=url.my_id,cfsqltype='cf_sql_integer');
qresult = qget.execute(sql='
SELECT * from my_table
WHERE id = :my_integer
').getResult();
</cfscript>
The third is dependent on whether you are using JSON from your application via an API or internal call. Enabling the "Prefix Serialized JSON" setting in the CF Administrator with a prefix of your choice can help with cross-site scripting attacks as well.
If you're not on an Adobe CF server, no worries. Both Railo and Blue Dragon have equivalent features.

coldfusion application.cfm and affected files

If I have a site where there is a protected back end and I'm looking to use an application.cfm file, how can I tell which pages use the application file and which ones do not?
index.cfm
update/application.cfm
update/loginexpired.cfm
update/login.cfm
update/somesecurepage.cfm
update/someothersecurepage.cfm
I want updates/login.cfm to create the session if the login is correct.
If the secure pages update/somesecurepage.cfm and update/someothersecurepage.cfm are accessed without correct login the application should forward to update/loginexpired.cfm but I don't want any of the other pages to use application.cfm.
Is this plausible or should I use cfinclude instead?
Always make sure you name your Application.cfm and Application.cfc files with a capital "A". This way, if you move from Windows to a case-sensitive file system, you won't have an issue where ColdFusion cannot find your Application.cfm/cfc files.
As far as your question goes, with your current structure, all files in the "update" folder will use the Application.cfm file. It will be executed before any other code in those files. If you only want certain pages to redirect to a loginexpired page, then I would typically create a subfolder, put an Application.cfm file in that folder that includes the Application.cfm file from the parent folder: <cfinclude template="../Application.cfm" />. Then in this file, you would add your security check. In the parent Application.cfm file you would include the <cfapplication /> tag. If you are using sessions, be sure to enable session management in your cfapplication tag. (<cfapplication name="myappname" sessionmanagement="true" />)
You really should have an Application.cfm or Application.cfc file in the root of your site. If you do not, the application will run without an application scope. ColdFusion has a kind of "unnamed" application where this would run without a defined application name. You will most likely encounter undesired effects. All CF apps should have a named application, using the cfapplication tag or an Application.cfc file with this.name set.
If you are writing this as a new application, I would suggest you use Application.cfc instead of Application.cfm. You will have access to the application, session and request life cycles (onApplicationStart/End, onSessionStart/End, onRequestStart/End) as well as the onError and onMissingTemplate event handlers, giving you more control over the flow of your application.
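The two files the answer describes, as an added example (not the answer's own code): the parent Application.cfm names the application and enables sessions, and a child Application.cfm in a subfolder includes it and then gates the request. The subfolder name update/secure/ and the session flag session.loggedIn (assumed to be set by login.cfm on a correct login) are assumptions.

```cfml
<!--- Added example, not from the answer. Two files are shown; comments mark which is which. --->

<!--- File 1: update/Application.cfm (parent). Every .cfm under update/ runs this first. --->
<cfapplication name="myappname" sessionmanagement="true"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- File 2: update/secure/Application.cfm (child). somesecurepage.cfm and
      someothersecurepage.cfm move into update/secure/; login.cfm and
      loginexpired.cfm stay in update/ and are therefore never gated. --->
<cfinclude template="../Application.cfm">

<!--- Assumption: update/login.cfm sets session.loggedIn = true on success.
      Default to false so a brand-new session is treated as not logged in. --->
<cfparam name="session.loggedIn" type="boolean" default="false">

<cfif NOT session.loggedIn>
    <!--- cflocation ends the request here, so the secure page body never runs.
          addtoken="false" keeps CFID/CFTOKEN out of the redirect URL. --->
    <cflocation url="../loginexpired.cfm" addtoken="false">
</cfif>
```

Because the child file includes the parent before its own check, the cfapplication settings (name, session management) stay defined in one place.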
When a .cfm page is loaded, it will first look for an Application.cfc (The modern, recommended Application object) in the same folder and run it. If that file is not present, it will look for an Application.cfm (the old way of instantiating an Application.)
If neither exists in that folder, it will look up the tree to the next folder and check there for Application.cfc, then Application.cfm, it will repeat this until it finds one or gets to the root of the server.
Therefore, ALL of the files you listed in your 'update' folder will automatically use the application.cfm. Only the index.cfm listed in the root will not (because neither Application.cfc nor Application.cfm is located in that folder).
So it would be best to use an Application.cfc in the root of your site for everyone, and then put the locked down pages in a subfolder with a more restrictive Application.cfc.
I hope that answers your question directly. Otherwise, I agree with what Sean stated.
More info about Application.cfc and Application.cfm is available on Adobe's ColdFusion site.
I suggest that you make a different Application.cfm (preferably Application.cfc) for the public area and the secure area. Also define a different name for those Applications.