The Real eLearning

In my case, eLearning isn’t about getting credit for watching a video and answering some questions. It’s about learning on the job every day, reading and making sure that I keep up as much as is possible with the ongoing trends in interactive websites and custom website development. The most important resource for those of us in web programming is the web itself. Anyone who tells you that you’re wasting your time reading someone else’s blog for relevant programming material is just plain wrong. There is nothing that anyone can do to better themselves and thus the company as whole than learning from the mistakes of others.

I’ve written before about the ugliness of ‘hackers’ and how one mistake can send server support staff spiraling into misery. Recently there have been a rash of two types of ‘hacks’ hitting the general Coldfusion programming community. One is the unfortunate case of a programmer exposing the database to SQL injection attacks by not wrapping all query parameters in <cfqueryparam>. This is the single simplest thing to do to secure any website that provides any sort of database interaction, which I’ve written about before. The other attack has been based on the usage of cffile and cfexecute.

There are a lot of sites out there that provide some sort of file upload utility. This may be for something as simple as a profile image or as complex as zipped software and videos that need conversion. In any case, we as programmers are allowing the upload of a file to our server. Most of us probably have never thought twice about what that means, after all, why would our clients want to do something malicious to us. But, have we really thought about it? I know that I have to some extent, but my mind isn’t so great that I can think of every possible scenario. In general, I like to have all upload functions upload to a folder location that is outside of the website root. I also like to have all file downloads ‘hidden’ by the use of cfcontent and cfheaders. Sometimes I will also go as far as to rename the file itself to a uuid. All three of these cases when followed will generally prevent remote execution on the server, but we don’t always follow our own best practices.

Lets say that we have an upload utility that is allowing users to upload images for a user profile page. The cffile is used to upload a file, then coldfusion checks to make sure it’s an image file by testing the file extension. Because CF doesn’t allow us to do anything with the file before it’s uploaded, we have a bit of time between when the file is uploaded and when it’s checked. Lets say that at just that millisecond, our attacker knows precicely where the file location is (due perhaps to some error that showed the file upload location), and that file that was uploaded wasn’t an image but a cfm file with some malicious code (think cfexecute or an additional cffile create), and our attacker navigates to that file on the web. That file, before deleted, has a window of opportunity for execution. And here we have the issue. Now if the attacker can’t get to the folder location, that fixes it, or if the file name has been uuid changed, that works, or even if we’re supplying the cfheader/cfcontent to show the image, we’re pretty safe (though still opportunity for showing file location). It’s really devious and kind of scary. So for the next few hours I’ll be going over code written at DDA to make sure we’re doing things correctly, because that’s seriously some easily fixed things that should not be so easily allowed.