Coldfusion Application Security

What basic security steps should I take to make sure a ColdFusion server is secure?

The only way to prevent being hacked is to secure your site. There are a few rules here:

  • Remove all example applications from live machines.
  • Review all security docs from phrack, l0pht, HoF and Allaire (the last two assuming you're using CF).
  • Run a vulnerability-scanning script against the site to catch any obvious holes.

If you're really worried, have a security expert come in to review your setup.

As long as you have removed the CFDOCS directory (or password-protected it), checked your database permissions (the application must not connect to SQL Server as SA), upgraded to MDAC 2.1 (if you use Access), and have not left any of your own scripts open (file uploaders and the like), then CF is rather secure. The only times people have walked into a server through CF is when one of these holes was left open.

How does the ColdFusion service interact with IIS in terms of security?

CF runs as a separate service, but it also integrates with IIS using an ISAPI extension. The ISAPI extension runs in-process with IIS, just like the ASP engine, and when a request is received that is mapped to the file extension associated with the ISAPI extension (typically .cfm and .dbm, although those can be changed in the IIS management console), the request is forwarded to the CF service for processing.

IIS and NT security are used to determine whether the user can request the file in the first place. This happens before the request is forwarded to the CF service. So, you'll generally follow the same procedure for securing CF applications with ACLs that you would with an ASP application.

CF, by default, runs as a service under the SYSTEM account, so anything executed through the CF service inherits full local privileges.

How can I check for the existence of files on a server that could be used maliciously by a hacker?

When you install ColdFusion Server, you are given the option of installing the online documentation and sample applications. If you choose to install them, they are placed in the CFDOCS directory directly below the web root.

Installing the sample applications on a live server is never a good idea, as they can be exploited maliciously.

MunchkinLAN is a ColdFusion-based security checker. You enter a domain name and it tests whether certain known-vulnerable files exist on that domain.
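The same kind of check can be run against your own server as part of the checklist above. The script below is an added example, not MunchkinLAN and not Allaire code. It assumes the documentation tree sits at /CFDOCS/ directly below the web root, as described above, and that IIS answers 403 when an NT ACL stops the request before it reaches CF and 404 once the directory has been removed; the `example.test` host in the usage is a constructed placeholder. Only the /CFDOCS/ path appears on this page, so any further sample-application paths should be taken from the vendor's own documentation rather than guessed.

```python
"""Self-audit: is the CFDOCS sample/documentation tree reachable on our own server?

Added example (not MunchkinLAN, not Allaire code). Assumes /CFDOCS/ directly
below the web root, 403 = blocked by IIS/NT ACL before CF sees it, 404 = removed.
"""
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# Paths that should never be served from a production server.
# Only /CFDOCS/ is given on the page; add further sample-app paths from the
# vendor documentation instead of guessing.
SAMPLE_PATHS = ["/CFDOCS/"]


def classify(status):
    """Turn an HTTP status code (or None for a network failure) into a verdict."""
    if status is None:
        return "unreachable"
    if 200 <= status < 300:
        return "EXPOSED"            # content is served: remove it or protect it
    if status in (401, 403):
        return "protected"          # IIS/NT ACL rejected the request before CF ran
    if status == 404:
        return "removed"
    return "unexpected(%d)" % status


def http_status(url, timeout=10):
    """Fetch url and return its HTTP status, or None if the host cannot be reached."""
    try:
        with urlopen(Request(url), timeout=timeout) as resp:
            return resp.getcode()
    except HTTPError as err:        # 4xx/5xx arrive as exceptions in urllib
        return err.code
    except URLError:
        return None


def audit(base_url, paths=SAMPLE_PATHS, fetch=http_status):
    """Check every path under base_url; returns {path: verdict}.

    `fetch` is injectable so the logic can be exercised offline.
    """
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in paths}


def findings(results):
    """Return the paths that need action, sorted for stable output."""
    return sorted(path for path, verdict in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    import sys
    # Usage: python cfdocs_audit.py http://example.test/   (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/"
    results = audit(target)
    for path, verdict in results.items():
        print("%-12s %s" % (verdict, path))
    sys.exit(1 if findings(results) else 0)
```

A non-zero exit code makes the script usable as a post-deployment gate: a "protected" verdict confirms that the IIS/NT ACL is doing its job before the request ever reaches the CF service, while "removed" is the state the checklist above actually asks for.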

 
