Thursday, March 29, 2012

March 2012 Security Hot-Fix updated for ColdFusion 801

A bug was reported for the ColdFusion 801 hot-fix, where a java.lang.NoSuchMethodError exception was thrown while using cffile upload.
We have updated the hotfix files of ColdFusion 801 to include the fix for the above issue. Users who have already applied the hotfix for ColdFusion 801 can just update the hotfix jar.

Some tips for successfully installing the hot-fix -

1. Don't delete the chf jar files while applying the Hot-fix.
2. Post Parameter limit is a new setting added to limit the number of POST parameters allowed. It is different from the PostSizeLimit set in the Administrator.
3. The default value for this setting is 100; if your application has more input fields than that, please configure it appropriately.

Refer to the tech note, sections 5 and 6, to see how this can be configured.

Tuesday, March 13, 2012

HashDoS: DoS using Hash Collision

HashDoS is a term coined for a Denial of Service (DoS) attack using hash collisions. Last year, many programming languages and application servers were shown to be vulnerable to this attack. It exploits collisions in the hashing algorithm of the data structure used to store request parameters; most servers store request parameters in a hash table.

When the hashing algorithm is not sufficiently randomized, colliding keys increase the complexity of inserting n elements into the table to O(n^2).

If someone creates an HTTP request whose parameters have colliding keys, that single request can exhaust hours of CPU time. The bandwidth, time and amount of data required are very small in this condition.

Hashing for HashMap/Table:

We know that in hashing, data is put into buckets according to the keys. If two keys hash to the same value, they are added to the same bucket. Now if many keys are eligible for the same bucket, inserting a new entry means iterating over all the elements in that bucket sequentially just to find out whether it already exists.

The Java HashMap and Hashtable classes use the String.hashCode() hash function. It uses the multiplication constant 31 and the start value 0 to compute a hash code. Also, when hashing a string, Java caches the hash value in the hash attribute, but only if the result is different from zero. So a target value of 0 prevents caching and forces rehashing.

Attack Vector:

In PHP, "Ez" and "FY" have the same hash code. Similarly in Java, "Aa" and "BB" have the same hash code. Now we can make use of a weakness of the hashing algorithm known as "Equivalent Substrings" (read below for details) to generate many other strings with the same hash code, built from these two strings.

In the first iteration we get "AaAa", "AaBB", "BBAa" and "BBBB", all with the same hash code. By combining them further we can generate 16 strings with the same hash code, and so on.

"AaAaAaAa", "AaAaBBBB", "AaAaAaBB", "AaAaBBAa",
"BBAaAaAa", "BBAaBBBB", "BBAaAaBB", "BBAaBBAa", for example, all have the same hash code.

In summary: it is very easy to generate a large set of strings that all have exactly the same hash code.
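To make the above concrete, here is an added example (not code from the original post): a Python model of Java's String.hashCode(), a toy chained hash table that counts key comparisons to show the O(n^2) insertion cost, and a parameter-count check applied before any key is inserted, which is the idea behind the Post Parameter limit mentioned in the hot-fix tips. The table layout (16 buckets, index by modulo) is a simplification and the sample keys are the colliding ones quoted above.

```python
# Added example, not code from the original post: a Python model of Java's
# String.hashCode(), a toy chained hash table that counts key comparisons, and
# a parameter-count check done before any key is inserted (the idea behind the
# Post Parameter limit). The sample keys are the colliding ones quoted above.

def java_string_hash(s):
    """Java String.hashCode(): h = 31*h + c, start value 0, signed 32-bit wrap."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h

class ChainedTable:
    """Separate-chaining table keyed by java_string_hash; counts comparisons."""
    def __init__(self, nbuckets=16):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[java_string_hash(key) % len(self.buckets)]
        for entry in chain:         # every key already in the chain costs one
            self.comparisons += 1   # comparison, so n colliding keys cost n(n-1)/2
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

def insert_all(keys):
    """Insert keys into a fresh table and return the comparisons it cost."""
    table = ChainedTable()
    for k in keys:
        table.put(k, k)
    return table.comparisons

def parse_post_params(body, limit=100):
    """Parse a form body, refusing it if it carries more than `limit` pairs;
    the count happens BEFORE any insertion, so colliding keys never reach
    the table in numbers that matter."""
    pairs = [p for p in body.split("&") if p]
    if len(pairs) > limit:
        raise ValueError(f"{len(pairs)} POST parameters exceed limit {limit}")
    params = ChainedTable()
    for pair in pairs:
        key, _, value = pair.partition("=")
        params.put(key, value)
    return params

# Colliding keys quoted in the post ("Aa" and "BB" both hash to 2112).
COLLIDING_4 = ["AaAa", "AaBB", "BBAa", "BBBB"]
COLLIDING_8 = ["AaAaAaAa", "AaAaBBBB", "AaAaAaBB", "AaAaBBAa",
               "BBAaAaAa", "BBAaBBBB", "BBAaAaBB", "BBAaBBAa"]
```

Inserting the four colliding keys costs 6 comparisons and the eight cost 28, while four distinct keys cost none; the limit check rejects an oversized body before the table is ever touched.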

Recommendation: upgrade your servers with the latest security hot-fix to protect against this attack. For ColdFusion, here is the link to the security bulletin for the hot-fix.

Equivalent Substrings:

No programming language uses a perfectly randomized hashing algorithm. Most string hashing functions are based on algorithms which are vulnerable to "Equivalent substrings" and "Meet-in-the-middle" attacks.

If two strings ABC and XYZ have the same hash value, hash('ABC') = hash('XYZ'), then strings containing these substrings at the same position collide as well, e.g. hash('ColdABCFusion') = hash('ColdXYZFusion'). This is what "Equivalent substrings" means.

Security Hot-Fix for ColdFusion - March 2012

Today, a priority 2 update was released, addressing an important vulnerability in ColdFusion 9.0.1 and earlier. Adobe recommends updating ColdFusion servers. Here is the link to the security bulletin.

This hot-fix addresses the hashDoS (denial of service using hash collisions) issue, CVE-2012-0770.

I wanted to cover HashDoS in detail, so I have added a separate entry for this: HashDoS: DoS using Hash Collisions

Also See:
March 2012 Security Hot-Fix updated for ColdFusion 801

Monday, March 12, 2012

Improved Session Management in ColdFusion 10

In the stateless HTTP web world, sessions play an important role in maintaining state. Critical user data is often saved in the session. There is an id associated with this session, which distinguishes one user's requests from another's. This session token, often called JSESSIONID in the J2EE world, is stored on the client side in a cookie.

Session ids are mostly stored in cookies, and we have already learnt that cookies are prone to attacks; Session Hijacking and Session Fixation are some of these.

These attacks can be avoided by using proper server-side measures and client-side cookie handling. For example, when a user logs out, the session data should be cleared, and when a user logs in, the current session data should be copied to a session with a new ID. This avoids attacks like session stealing and session fixation.

In ColdFusion 10, you have ready-to-use methods to do this. Two new methods have been added:

1. SessionInvalidate()

SessionInvalidate() clears the data stored in the session.
However, since in J2EE applications one JSESSIONID might be used by many applications, we don't explicitly invalidate the underlying HttpSession.

2. SessionRotate()

SessionRotate() generates a new session id while preserving the current session's data. It works as follows:
  1. The current session's data is copied,
  2. the current session is invalidated,
  3. a new session with a new session id is generated,
  4. the data copied from the invalidated session is placed into the newly generated session.
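The four steps above, as an added example in Python that is not ColdFusion's own implementation: a minimal in-memory session store whose rotate() mirrors SessionRotate(), invalidate() mirrors SessionInvalidate(), and a hypothetical login() helper that rotates after successful authentication so an id known before login can never become the authenticated session's id. Using secrets.token_urlsafe(32) for ids is an assumption of this example.

```python
# Added example, not ColdFusion's own code: a Python model of an in-memory
# session store. rotate() performs the four SessionRotate() steps from the post;
# login() rotates after authentication so a session id fixed before login
# (Session Fixation) never identifies the authenticated session.
import secrets

class SessionStore:
    def __init__(self):
        self._sessions = {}                   # session id -> session data

    def create(self):
        sid = secrets.token_urlsafe(32)       # unguessable 256-bit id (assumption)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)        # None once invalidated

    def invalidate(self, sid):
        """SessionInvalidate(): drop the data stored under this id."""
        self._sessions.pop(sid, None)

    def rotate(self, sid):
        """SessionRotate(): same data, fresh id; the old id stops working."""
        if sid not in self._sessions:
            raise KeyError("unknown or already invalidated session id")
        data = dict(self._sessions[sid])      # 1. copy the current session's data
        self.invalidate(sid)                  # 2. invalidate the current session
        new_sid = self.create()               # 3. generate a new session
        self._sessions[new_sid].update(data)  # 4. copy the data into it
        return new_sid

def login(store, sid, username):
    """Hypothetical helper, called only after credentials are verified:
    rotate first, then mark the NEW session as authenticated, so whatever id
    the client held before login is dead and the pre-login data survives."""
    new_sid = store.rotate(sid)
    store.get(new_sid)["user"] = username
    return new_sid
```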

I am sure this will be very useful for all kinds of applications, small or big.

Related Entries:
How to Secure ColdFusion Session Cookies with CF 10
New Improved CFLogin
New way to add Sandbox permissions for Users with RDS access
ColdFusion 10 Hot-Fix Installer
ColdFusion 10 Secure Profile

Tuesday, March 6, 2012

New way to add Sandbox permissions for Users with RDS access

Adding users for Administrator & RDS access was a very nice enhancement in ColdFusion 8. With this, the Root Administrator can create multiple users with different roles.

The need for multiple users is self-explanatory. A user can be added to the Administrator and given access based on role. Remote Development Services (RDS) access should be granted if a user needs to connect from ColdFusion Builder, Dreamweaver etc.

Up to ColdFusion 9.0.1 it was possible to allow these users access to certain Sandboxes.

However, this has changed in ColdFusion 10. There is no need to allow access to Sandboxes. Instead, when RDS access is enabled for a user, access to data sources and files/directories should be granted; otherwise the user will be able to access the full drive using RDS. Because these settings exist for RDS, they cannot be added/modified/deleted if RDS access is disabled for the user.

Adding a user in Administrator -

First, to enable support for multiple users, select the "Separate user name and password authentication (allows multiple users)" option under Security -> Administrator (see Figure 1).

Figure 1

It is also a security recommendation to keep this option selected even when there are no users defined.

To create a new user, go to Security -> User Manager and click Add User. Fill in the form (see Figure 2, Figure 3). Giving a strong password is good practice.

Figure 2

Figure 3

Notice that there is no section for granting access to User Sandboxes. Instead, there are two new sections:

"Sandboxes: Data Source Permissions", and
"Sandboxes: Add / Edit Secured Files and Directories" (see Figure 3).
Appropriate access should be granted for data sources and files/directories.

Related Entries:
How to Secure ColdFusion Session Cookies with CF 10
New Improved CFLogin
Improved Session Management in ColdFusion 10
ColdFusion 10 Hot-Fix Installer
ColdFusion 10 Secure Profile