TechNote (Archived)

Security Best Practice: Evaluating the risks of allowing uploading of attached files on your server

ColdFusion offers three file-related tags that can compromise a web server's security if not used in carefully considered ways.

The tags are cffile, cfftp, and cfpop. cffile directly allows users to upload and save files on your server. cfftp allows programmers and users to send and receive files via the FTP protocol to and from your ColdFusion Server. cfpop allows users to receive files attached to mail messages and save them on your server.

Each of these tags allows users to upload (send) their files to your web application hosting server. This kind of operation must be carefully considered and managed. Allowing unknown users to upload any file can allow an unknown attacker to carry out many unwanted changes to your hosting server.

The following are examples of harmful actions allowed by unmanaged and untrusted uploading:

  • Attacker could overwrite your server's configuration files.
  • Attacker could put a Trojan horse (a program that compromises security settings) on your server.
  • Attacker could overwrite or place new CFML pages on your server. This could put your database(s) at risk as well. (See Security Best Practice: Identifying and removing rogue templates after a security attack for more information about the possible consequences of this action.)
  • Attacker could overwrite your server's registry or security (password and policy) files.

Solutions

Application-based security

Application-based security refers to the programming and design practice of designing a web application so that it authenticates each user before the user can access an application. Examples of this kind of security methodology can be found in any e-commerce solution that keeps certain transactions (for example, buying and selling) protected from use by anyone except logged in, registered users. Like these e-commerce examples, it is important that you trust your users before you give authenticated users access to the cffile, cfftp, and cfpop tags.

An important consideration is how you go about protecting the use of CFML templates that incorporate the cffile, cfftp, and cfpop tags. If you do not carefully manage the files that your users work with when using your application, Adobe strongly recommends that you protect such templates with application-based security so that you can control who is permitted to execute these operations. It's important to ask yourself whether you trust your users not only to understand but also to respect your security policies. Not only can a malicious user abuse your trust, but so can one who is uninformed.

If you solely implement this type of a solution, please be aware that you explicitly trust your users to always keep your server and application integrity in mind. If your application allows any user to save any file to your server, and/or if your application allows file saving anywhere on your server, you might experience the kinds of problems illustrated in the previous examples. Remember that a protected application is only as strong as its weakest link. You should consider that your users could take the following risks:

  • Sharing passwords, possibly outside your organization (allowing users you do not trust into your application).
  • Knowingly or unknowingly carrying out any of the attacks listed in the first section of this article.
  • Sharing other information designed to be private within your application or organization.

Protected Directories

Be aware that all three tags allow programmers to control the directories in which files will be placed. If the programmer defines the cffile FILE attribute, the cfftp LOCALFILE attribute, or the cfpop ATTACHMENTPATH attribute as a constant, the approach is obvious. Make sure that the path your programmer specifies points to a safe directory that is not shared with vital files like active CFML templates or system configuration files.

Input Validation

If the situation is more complicated and your definition of those attributes requires user inputs, make sure you carefully read the Security Best Practices article, Validating browser input and related information. It is vital that you validate all incoming information that you cannot explicitly trust. Make sure that the information you take from the user is validated and filtered so that the user cannot take advantage of your implied trust and define a file-saving path that will overwrite vital files on your server.

The following examples depend on the operating system that the server uses. You can use these examples of potentially hazardous data that your programmer(s) should filter out to build your own solution:

  • File extensions (*.cfml, *.cfm, *.bat, *.pl, and so on.)
  • Special characters ('.', '..', '/' at the beginning of the string, and so on.)
  • Specific filenames (/etc/passwd, c:\config.sys, and so on.)
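The filter described above, as an added example that is not part of the original TechNote. It is written in Python to show the logic; the same rules apply to any user-supplied value that feeds the cffile FILE, cfftp LOCALFILE, or cfpop ATTACHMENTPATH attributes. The upload directory and the allowlist of extensions are constructed placeholders; the blocked extensions and filenames are the ones the article lists.

```python
import os
import re

# Constructed policy values for this example; tune them for your own server.
UPLOAD_ROOT = "/var/www/uploads"                       # assumed safe directory
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg"}  # allowlist of what you accept
BLOCKED_EXTENSIONS = {".cfm", ".cfml", ".bat", ".pl"}  # extensions named in the TechNote
BLOCKED_NAMES = {"/etc/passwd", "c:\\config.sys"}      # filenames named in the TechNote
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,99}$")  # no separators, no leading dot


def validate_upload_name(user_value: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Return the absolute path to save under, or raise ValueError.

    The checks mirror the TechNote's list: specific filenames, special
    characters ('.', '..', '/'), and script/executable extensions.
    """
    value = user_value.strip()
    if not value or "\x00" in value:
        raise ValueError("empty filename or NUL byte")
    if value.lower() in BLOCKED_NAMES:
        raise ValueError("explicitly blocked filename")
    if "/" in value or "\\" in value or ".." in value:
        raise ValueError("path separators and '..' are rejected")
    if not SAFE_NAME.match(value):
        raise ValueError("filename contains disallowed characters")
    # Inspect every dotted suffix so 'shell.cfm.txt' is caught, not just the last one.
    parts = value.lower().split(".")
    if len(parts) < 2:
        raise ValueError("filename has no extension")
    for ext in ("." + p for p in parts[1:]):
        if ext in BLOCKED_EXTENSIONS:
            raise ValueError(f"blocked extension {ext}")
    if "." + parts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not in the allowlist")
    # Containment check: the resolved path must sit directly inside upload_root.
    root = os.path.realpath(upload_root)
    full = os.path.realpath(os.path.join(root, value))
    if os.path.dirname(full) != root:
        raise ValueError("resolved path escapes the upload directory")
    return full


def is_safe_upload_name(user_value: str, upload_root: str = UPLOAD_ROOT) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_upload_name(user_value, upload_root)
        return True
    except ValueError:
        return False
```

The allowlist is the stronger control; the blocked-extension set only exists to name the examples from the article and to catch double extensions.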

Adobe strongly recommends that you ensure that all incoming files are scanned for viruses.

Advanced Security and ColdFusion 4.5.1 Enterprise

Adobe recommends strongly that you consider purchasing or upgrading to ColdFusion Server 4.5.1 Enterprise or higher if one of these situations exists:

  • You are a web host and have a web server on which you cannot trust your CFML programmers to be careful about the use of these tags.
  • You are concerned about functionally restricting your programmers from using these tags at all.
  • You are concerned about restricting how your programmers use these tags.

Using ColdFusion Server 4.5.1 Enterprise, you can configure Advanced Security and Security Sandboxing to make sure that each programmer cannot abuse the right to use a set of tags that you specifically allow the programmer to use. For further information about Advanced Security and Security Sandboxing, see the Security Best Practices articles Setting up ColdFusion Administrator Security and Creating a Security Sandbox to limit file access, and the Administering ColdFusion Server documentation.

Sandboxing creates a limited space and context for each programmer to use, and enforces functional security limits with programmer permissions and limited file-system paths for each programmer. These kinds of limitations can eliminate many of the previously mentioned risks.

Summary

There is no foolproof method to ensure a secure implementation for file handling in web applications, but with careful design and implementation, you can reduce your risk significantly.

Ensuring the security of your web site is important to Adobe. If you have any questions related to possible security breaches, please bring them to our attention by notifying us via the Adobe Security Report Form. Please also visit the Adobe Security Zone at www.adobe.com/devnet/security/security_zone/ for the latest information about known security risks.

Document Details

ID: tn_17618

Products Affected:

coldfusion