Security Best Practice: Handling encrypted strings to avoid instability
In ColdFusion 4.0.x, the Encrypt() and Decrypt() functions can be used to encrypt and decrypt string values. However, if a string is encrypted using Encrypt(), then modified and passed to the Decrypt() function, ColdFusion Server may generate a protection fault.
This is important for customers who may be encrypting and issuing strings to the browser client via Cookie, URL or Form variables. If these variables are manually modified by the browser user, and the user then submits these modified encrypted strings to a ColdFusion template for processing in a Decrypt() function, they can potentially cause a ColdFusion protection fault.
This issue is resolved in ColdFusion Server 4.5 and higher.
For 4.0.x customers, you may wish to investigate the feasibility of using alternative, server-side means of maintaining the values of these variables, so that no client-supplied string ever reaches Decrypt(). One alternative, for example, is to issue just simple "tokens" to the client, which are key values for server-side storage of the variables; a tampered or unknown token then simply fails to match any stored record. Many customers use secure server-side storage for various state variables, such as session variables, client variables or database table storage.
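The token-indirection alternative described above, as an added example that is not part of the original bulletin and not ColdFusion code: the client receives only an opaque random token, the actual values stay in a server-side store keyed by that token, and a token that has been modified, truncated or never issued simply fails to match, so nothing client-controlled is ever decrypted. The in-memory dictionary stands in for whatever server-side store (session variables, client variables, a database table) the application actually uses; the `ServerSideState` class, the `tamper()` helper and the sample values are constructed for illustration.

```python
import secrets

# 32 random bytes = 256 bits; secrets.token_urlsafe(32) yields a 43-character
# URL- and cookie-safe string with no padding.
TOKEN_BYTES = 32
TOKEN_LEN = 43


class ServerSideState:
    """Per-client state kept on the server, keyed by an opaque random token.

    Hypothetical class for illustration. The dict is a stand-in for a
    session/client-variable store or a database table.
    """

    def __init__(self):
        self._store = {}

    def issue(self, values):
        """Store a copy of the values and return the token the client gets."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._store[token] = dict(values)
        return token

    def lookup(self, token):
        """Return the stored values for a token, or None if it is not valid.

        The token is never decrypted or parsed: a tampered token is just a
        lookup miss, so there is no fragile routine for the client to feed.
        """
        # Cheap sanity check first: wrong type or wrong length is rejected
        # before touching the store.
        if not isinstance(token, str) or len(token) != TOKEN_LEN:
            return None
        return self._store.get(token)

    def revoke(self, token):
        """Invalidate a token (for example at logout). True if it existed."""
        return self._store.pop(token, None) is not None


def tamper(token):
    """Constructed attacker behaviour: change the first character of a token."""
    replacement = "A" if token[0] != "A" else "B"
    return replacement + token[1:]


def demo():
    """Issue a token, then look up the genuine, tampered and truncated forms."""
    state = ServerSideState()
    # Constructed sample values; in the vulnerable pattern these would have been
    # encrypted and handed to the browser as a Cookie, URL or Form variable.
    token = state.issue({"user_id": 1042, "role": "customer"})
    genuine = state.lookup(token)            # the stored dict
    modified = state.lookup(tamper(token))   # None: no such record
    truncated = state.lookup(token[:-1])     # None: rejected by the length check
    return genuine, modified, truncated


if __name__ == "__main__":
    print(demo())
```

The token carries no information of its own, so there is nothing for the browser user to decode or forge; the worst a modified value can do is produce a miss, which the template handles as an ordinary "no session" case rather than as a server fault.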
Ensuring the security of your web site is important to Macromedia. Macromedia offers free technical support to ColdFusion customers whose sites have been attacked. If you would like to report what you believe may be an unreported security vulnerability in ColdFusion, please email our Security Response Team at secure@macromedia.com. For more information about security issues, notifications and other resources, please visit the Macromedia Security Zone at www.macromedia.com/devnet/security/security_zone/.
