maintain session variables, can be spoofed easily by rogue hackers. Avoid the use of these variables alone to establish session states, using instead an encrypted cookie or an authentication challenge when a user enters your site from an outside URL. You can use a UUID token to identify the user, either stored in a cookie or passed on the query string. Additionally, you can increase the strength of CFTOKEN by making it a UUID value. See Macromedia TechNote 22427, ColdFusion Server: How to Guarantee Unique CFToken Values (www.macromedia.com/v1/Handlers/index.cfm?ID=22427&Method=Full). Also, in a clustered situation, it is possible to generate duplicate CFID (and less likely, CFTOKEN) variables because ColdFusion uses an incremental count to establish the CFID value.
Once you decide to pass variables on the query string, you must decide how to validate the input you are receiving from the user. The approaches are similar to those you would use in validating form input:
■ Use combinations of variables to validate your input. If you are gathering items to place in a shopping cart, for example, validate both the category of the item and the unique item ID. This will force your attacker to learn more than one parameter in your application, although it will only slow the hacker down.
■ Require an authentication token or a specific URL to use the page. Once again, check the http_referer value to understand where the http request is originating so that you can determine if it is a valid request; if not, send the request to an error-handling page or the front page of your application, where you can set default application values. In addition, you may want to require the use of a valid user ID, which you can set by using the CreateUUID() function in ColdFusion. This is not a foolproof method, but will give you a relatively random identifier with which to identify your client.
■ Use <CFSWITCH> to limit the number of string values you can receive when passing actions with known keywords to your application. Figure 1.3 shows an example of the processing you might do on receiving a request for your CFML template containing the URL parameter “item” defining a module in your code and “method” defining the method that item should take.
Figure 1.3 Code Snippet Using CFSWITCH to Limit URL Input
<cfparam name="url.item" default="myItem">
<cfparam name="url.method" default="get">

<!---1st check--->
<!---on this template, we expect users to come from samplePage.cfm--->
<cfif cgi.http_referer does not contain "samplePage.cfm">
    <!---if not, redirect elsewhere--->
    <cflocation url="index.cfm">
</cfif>

<!---get the list of possible items--->
<cfquery name="getItems" datasource="#request.dsn#">
    select itemName
    from items
</cfquery>

<!---2nd check--->
<!---see if passed item is in list of items--->
<!---ListFindNoCase matches a whole list element; ListContainsNoCase would also match a substring of an element--->
<cfif NOT ListFindNoCase(valueList(getItems.itemName), trim(url.item))>
    <!---if not, redirect elsewhere--->
    <cflocation url="index.cfm">
</cfif>

<!---3rd check--->
<!---we know which methods we expect--->
<!---use CFSWITCH to run appropriate code--->
<CFSWITCH expression="#url.method#">
    <CFCASE value="get">
        <!---put code here to get the item--->
    </CFCASE>
    <CFCASE value="add">
        <!---put code here to add a new item--->
    </CFCASE>
    <CFCASE value="edit">
        <!---put code here to edit an existing item--->
    </CFCASE>
    <CFCASE value="delete">
        <!---put code here to delete the item--->
    </CFCASE>
    <CFDEFAULTCASE>
        <!---this code runs if no conditions have been met--->
    </CFDEFAULTCASE>
</CFSWITCH>
Finally, you should ensure that you are not passing more information in the query string than is necessary. Passing the user’s password is not advisable; passing the userid or UUID and checking for the existence of an authentication token (encrypted cookie, etc.) is recommended instead.
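The same three checks, plus the authentication-token check recommended in the paragraph above, written as an added example in Python rather than CFML so the allow-list logic is visible without a ColdFusion server. This is not code from the book; the item set, the handler names, the `authToken` cookie name and the `Request` container are all constructed for the illustration. The item check is an exact, case-insensitive match (the equivalent of ListFindNoCase, not ListContainsNoCase), and the referer check is kept only as the advisory hint the text describes, since the header is client-supplied.

```python
"""Allow-listed handling of URL parameters: the three checks of Figure 1.3
plus a cookie-borne authentication token, so no password rides in the URL."""
from dataclasses import dataclass, field
from typing import Callable, Container, Dict, Mapping

# Constructed stand-in for the `items` table queried by the CFML snippet.
KNOWN_ITEMS = {"widget", "gadget", "gizmo"}


def get_item(item: str) -> str:
    return f"get:{item}"


def add_item(item: str) -> str:
    return f"add:{item}"


def edit_item(item: str) -> str:
    return f"edit:{item}"


def delete_item(item: str) -> str:
    return f"delete:{item}"


# The CFSWITCH: only these method keywords ever reach application code.
HANDLERS: Dict[str, Callable[[str], str]] = {
    "get": get_item,
    "add": add_item,
    "edit": edit_item,
    "delete": delete_item,
}


@dataclass
class Request:
    """Minimal constructed request: query-string values, cookies, Referer header."""
    query: Mapping[str, str] = field(default_factory=dict)
    cookies: Mapping[str, str] = field(default_factory=dict)
    referer: str = ""


def dispatch(req: Request, valid_tokens: Container[str]) -> str:
    """Run the matching handler, or return a redirect/default marker when a check fails."""
    # Token check: identity comes from a server-issued cookie (encrypted, in the
    # text's recommendation), never from a password passed on the query string.
    if req.cookies.get("authToken") not in valid_tokens:
        return "redirect:login.cfm"

    # 1st check: http_referer is set by the client, so it is a hint, not proof.
    if "samplePage.cfm" not in req.referer:
        return "redirect:index.cfm"

    # 2nd check: the item must be a whole element of the known list.
    item = req.query.get("item", "").strip()
    if item.lower() not in KNOWN_ITEMS:
        return "redirect:index.cfm"

    # 3rd check: CFSWITCH over known keywords, CFDEFAULTCASE for anything else.
    handler = HANDLERS.get(req.query.get("method", "get"))
    if handler is None:
        return "default:unknown-method"
    return handler(item)
```

Putting the handlers in a dictionary keyed by the exact keyword gives the same guarantee as the CFSWITCH: a method value the application did not anticipate can only ever reach the default branch.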
<CFFILE>, <CFPOP>, and <CFFTP> Tag Misuse
<CFFILE>, <CFFTP>, and <CFPOP> are powerful tags in ColdFusion that allow applications to interact with file, FTP, and mail systems. Because the ColdFusion server runs under the context of the user logged in to the system (the default installation is as a local, system account on the Windows platform), you must guard application access to these tags carefully.
Note that the <CFTRY>/<CFCATCH> block may prove particularly helpful to you in diagnosing potential errors created by hackers. If you’re not familiar with this handy tag, the basic syntax is as shown in Figure 1.4.
Figure 1.4 Sample <CFTRY>/<CFCATCH> Snippet
<!---place the code to be tested within a try block --->
<CFTRY>
    <!--- code to be tested goes here --->
    <!--- the raw URL variable in this query is the kind of input a try block is meant to guard --->
    <CFQUERY name="qFoo" datasource="#request.dsn#">
        select *
        from users
        where username = '#url.myVariable#'
    </CFQUERY>
    <CFCATCH type="database">
        <!---for a database error, handle--->
    </CFCATCH>
    <CFCATCH type="any">
        <!--- for a general error, handle --->
        <h3>Oops. There was an error.</h3>
        <a href="mailto:[email protected]">email</a> the webmaster
    </CFCATCH>
</CFTRY>
<CFTRY>/<CFCATCH> won’t help you diagnose all the errors in your code, but if you know what to look for, it is a helpful code construction.
<CFFILE>, <CFPOP>, and <CFFTP> are all dangerous because they allow access to the server’s file system. Some ways to mitigate this risk are as follows:
■ Scan and segregate uploaded files. Use a directory outside of the Web root to store uploaded files, where these files can be scanned for potential viruses before being run arbitrarily by your application.
■ Use an absolute path for the upload directory. Don’t use a dynamic path for uploads, but instead a path set in your Application.cfm.
■ Sniff the uploaded filename. Find occurrences of “../” and so forth in your uploaded file paths, and strip these characters out of the filename before you write it to your file system.
■ Require authentication to manipulate files. Make sure you know who is using the <CFFILE>, <CFPOP>, and <CFFTP> tags. If the area of functionality is particularly sensitive, consider implementing auditing for these actions either on a server or application level (page logging, or more sophisticated logging embedded in your code).
It’s impossible to remove all risk when you are soliciting file input from users, but if you are careful, you can avoid major mistakes that would allow intruders to upload “back-door” templates to your server, essentially rendering it permanently “hackable.” If such a breach occurs, have backups; at least you will know that you can restore your server to a known state.
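The upload-directory advice above (absolute base path, sanitized filename, segregation outside the Web root), carried through as an added Python example that is not from the book. `UPLOAD_DIR`, the `ALLOWED_EXTENSIONS` policy and the function names are assumptions made for the illustration. It also shows the caveat a practitioner would want: a single pass that strips “../” (the `naive_strip` helper) can be defeated by an input such as `....//`, so the hardened version keeps only the last path component and then independently checks that the normalised target still lies inside the base directory.

```python
"""Upload-path hardening: absolute base, last-component filename, extension
policy, and a containment check that does not depend on the sanitizer."""
import posixpath
import re
from typing import Optional

# Assumed configuration (the text puts it in Application.cfm): an absolute
# directory outside the Web root where uploads wait to be scanned.
UPLOAD_DIR = "/var/cf_uploads"
# Assumed policy: only these extensions are accepted; CFML templates are not,
# which blocks the "back-door template" case the text warns about.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png"}

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def naive_strip(client_name: str) -> str:
    """The literal 'strip ../ out' approach, kept here to show its failure mode."""
    return client_name.replace("../", "")


def sanitize_filename(client_name: str) -> str:
    """Keep only the last path component and restrict it to a safe character set."""
    # Treat backslashes as separators too: the default install in the text is Windows.
    last = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Replace anything outside the safe set and drop leading dots ("..", ".htaccess").
    cleaned = _UNSAFE_CHARS.sub("_", last).lstrip(".")
    return cleaned or "upload"


def destination(client_name: str, base: str = UPLOAD_DIR) -> Optional[str]:
    """Absolute target path inside base, or None when the upload must be refused."""
    if not posixpath.isabs(base):
        return None  # refuse a relative or dynamically built upload directory
    base_n = posixpath.normpath(base)
    name = sanitize_filename(client_name)
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    target = posixpath.normpath(posixpath.join(base_n, name))
    # Containment check after normalisation, independent of the sanitizer above.
    if posixpath.commonpath([base_n, target]) != base_n or target == base_n:
        return None
    return target
```

Keeping the containment check separate from the filename cleaning means that a future change to the sanitizer cannot silently reopen directory traversal; the path is tested as the file system would interpret it, not as the input was written.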