Friday 1 August 2014

Don't advertise yourself as a CFML website

G'day:
Do you know what the first thing I do when I see a website which uses .cfm file extensions is?

I browse to /Application.cfc, then /Application.cfm. Often this will error - if you don't do a proper job of implementing error handling - and will let me know whether you're on ColdFusion or Railo (and it will also reveal which version of CF it is, if you know what to look for).

From there, I browse to either /CFIDE/administrator or /railo-context/admin.cfm. And, very often, I am now sitting at the front door to your admin site. I have correctly guessed a site's password once, but on the whole I don't try. Much.

However, from there I also now know there's a coupla exploits I can try, and I can start penetrating your site. But I don't. Because I'm not a prick (in this particular situation, anyhow).

You should never have a .cfm file extension on your site. You should never have anything front-facing which identifies what server technology you are using. You are just inviting hackers if you do.

Use URL rewriting (mod_rewrite, IIS's rewriting module, etc.) to use neutral, server-agnostic URLs.
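One way to do that with mod_rewrite, as an added example rather than configuration from the original post. It assumes Apache 2.4 with the rules placed in the public `<VirtualHost>` (not in `.htaccess`), templates stored as `.cfm` files under the document root, a home page template named `index.cfm`, and an admin console that is reached some other way than through the public site.

```apache
# Added example: assumptions are listed in the lead-in above.
RewriteEngine On

# Home page: serve the (assumed) index.cfm template without exposing its name.
RewriteRule ^/?$ /index.cfm [PT,L]

# Neutral URL -> CFML template, e.g. /products/list is served by /products/list.cfm.
# Only rewrite when the template really exists; anything else falls through
# and gets the normal 404. [PT] hands the result back to the CFML connector.
RewriteCond %{DOCUMENT_ROOT}/$1.cfm -f
RewriteRule ^/?([A-Za-z0-9_/-]+?)/?$ /$1.cfm [PT,L]

# Direct requests for .cfm/.cfc files (including /Application.cfc and
# /Application.cfm) get a plain 404 from the web server, so the CFML engine
# never has the chance to answer with its own error page.
# In virtual-host context the rewrites above are not re-run through this rule.
RewriteRule \.cf[cm](/|$) - [R=404,NC]

# The admin consoles named in this post are not served from the public site.
RewriteRule ^/?(CFIDE/administrator|railo-context)(/|$) - [R=404,NC]
```

Links inside the templates need to use the neutral form as well, otherwise the page source still shows the `.cfm` names.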

If I can't work out that you're using CFML, then I don't bother trying any further. And this will be the case with other potential hackers too.

Do not advertise that you are using CFML (or, for that matter, PHP, or any other server-side technology).

--
Adam