Hi Lee, how are things (over there)?

Are you aware of a specific XSS vulnerability? For example, an outside party has run a PCI scan on your application, and provided you with a list of potential problems?

I think your error is due to the example being based on the Adobe ColdFusion library of CFML objects, which is not the same as OpenBD's version of CFML.

However, it appears that script protection is available via some settings in the all-powerful bluedragon.xml config file.
http://openbd.org/manual/?/engine_bluedragonxml

<scriptprotect>true</scriptprotect>
<scriptprotectregex><(\s*)(object|embed|script|applet|meta)</scriptprotectregex>

  • scriptprotect - Set to "true" to enable protection of variables from cross-site scripting attacks. Accepts values "true/false"; the default is "false".
  • scriptprotectregex - This is the regex pattern that will be used to detect the milicious scripts coming in through the URL, FORM, COOKIE and CGI scopes. (sic)
(you would probably need to restart the OpenBD engine / J2EE container if you change this xml file, to load new settings)

It appears that the file ships with scriptprotect set to true, and it might apply a default scriptprotectregex (basically the documented example) if another one is not provided by you. It also might output this regex on startup in the logs; look for a line like cfEngine: [server.system.scriptprotectregex]=[the setting]

http://www.programcreek.com/java-api-examples/index.php?source_dir=openbd-core-master/src/com/naryx/tagfusion/cfm/application/ScriptProtect.java

I'm not sure which of these things might still be true depending on the version you have, I'm just looking through some docs and code on my own. This is why I wonder if you might already have XSS guards in place, or if you have a real fault report in hand.

Al Holden (over here)
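
As an added illustration (not code from the original post or from the OpenBD project), here is a small Python sketch that applies the documented scriptprotectregex to a few constructed payloads and puts the result beside plain HTML entity encoding, which is the job encodeForHTML() would do. It assumes the engine matches the pattern case-insensitively and that matches are rewritten to "<InvalidTag" as Adobe ColdFusion's scriptProtect does; neither assumption is verified against the ScriptProtect.java source linked above, and the filter_scopes() helper only simulates the URL/FORM/COOKIE/CGI pass, it is not the engine's own code.

```python
import html
import re

# The scriptprotectregex as documented on the bluedragon.xml manual page.
SCRIPTPROTECT_REGEX = r"<(\s*)(object|embed|script|applet|meta)"

# Assumption: the engine matches case-insensitively. Not verified against
# ScriptProtect.java; drop re.IGNORECASE if your version is case-sensitive.
_PATTERN = re.compile(SCRIPTPROTECT_REGEX, re.IGNORECASE)


def would_block(value):
    """True if the scriptprotect pattern fires on this scope value."""
    return _PATTERN.search(value) is not None


def script_protect(value):
    """Neutralise matched tag openers.

    Assumption: matches are rewritten to "<InvalidTag", which is what Adobe
    ColdFusion's scriptProtect does. OpenBD's exact rewrite may differ; the
    point here is which inputs the pattern does and does not catch.
    """
    return _PATTERN.sub(r"<\g<1>InvalidTag", value)


def encode_for_html(value):
    """Entity-encode for an HTML text context.

    This is the job encodeForHTML() would do: & < > " ' become entities, so
    the browser renders the input as text instead of parsing it as markup.
    """
    return html.escape(value, quote=True)


def filter_scopes(scopes):
    """Apply script_protect to every variable in the given scopes, simulating
    what scriptprotect=true does to URL, FORM, COOKIE and CGI per request."""
    return {
        scope: {name: script_protect(val) for name, val in variables.items()}
        for scope, variables in scopes.items()
    }


# Constructed payloads, not taken from any scan report.
SAMPLE_PAYLOADS = {
    "classic":       "<script>alert(1)</script>",
    "spaced_upper":  "< SCRIPT src=//example.invalid/x.js>",
    "img_onerror":   "<img src=x onerror=alert(1)>",
    "svg_onload":    "<svg onload=alert(1)>",
    "attr_breakout": '" autofocus onfocus=alert(1) x="',
}


def audit(payloads=SAMPLE_PAYLOADS):
    """For each payload: does the blocklist fire, what does it leave behind,
    and what does output encoding produce instead."""
    return {
        name: {
            "blocked": would_block(p),
            "after_scriptprotect": script_protect(p),
            "after_encodeForHTML": encode_for_html(p),
        }
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, row in audit().items():
        print(f"{name:14} blocked={row['blocked']!s:5} "
              f"filtered={row['after_scriptprotect']!r}")
    # Only "classic" and "spaced_upper" are blocked. The event-handler and
    # attribute-breakout payloads pass scriptprotect untouched, so the
    # template still has to encode at the point of output.
```

The regex is a blocklist on five tag names only, so it is worth running your own payloads through it before relying on it: anything built from an event-handler attribute or an attribute breakout goes straight through, and only encoding at the output context stops it.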


On 11/15/2016 8:36 AM, Lee wrote:
Have mitigated a few of the issues but really struggling with some basic XSS prevention in the system.

Why don't we have encodeForHTML() as we have encodeForHTMLAttribute() in OpenBD? What other ways can we use in place of encodeForHTML()?

Tried with the Java OWASP ESAPI Library (example here http://boncode.blogspot.in/2011/12/cf-setting-up-owasp-esapi-library-for.html) but it gives an error: .encoder.encodeForHTML(com.naryx.tagfusion.cfm.parser.CFFunctionExpression@734c8325) doesn't exist.

Or if you know how to get the scriptprotect option to work, that would be a real help.

Kind regards,

Lee


On Saturday, November 12, 2016 at 3:54:22 AM UTC, Al Holden wrote:
Hi Lee,

As I recall, the OpenBD Admin project was a separate labor of love headed up by Matt Woodward, who I met at a CFOPEN conference in Texas many years ago.

Much like the ACF Admin tools, the project's purpose was simply to help craft the /WEB-INF/bluedragon/bluedragon.xml file and some of the JDBC connection strings by way of a GUI. But once that work has been done, the folders /adminapi and /administrator could probably be entirely removed from the project in production without consequence.

The one security issue I'm aware of is that the /adminapi folder could be browsed or accessed from the public without being logged in (foundeo.com/hack-my-cf/). While I have been able to reproduce the former in a test environment, I haven't been able to do either on our production system. I get 403 Forbidden, although I'm not a professional hack.

Al Holden


On 11/11/2016 12:15 PM, Lee Fortnam wrote:
Hi All,

Just wondering if anyone has any pearls of wisdom to secure OpenBD 3.1 in a production environment?

Apparently there is a well-known CFM Admin hack that is a vulnerability, and I am keen to lock it down as much as possible.

If anyone has a standard setup that could be shared that would be amazing.

Kind Regards,

Lee
--
--
online documentation: http://openbd.org/manual/
http://groups.google.com/group/openbd?hl=en

---
You received this message because you are subscribed to the Google Groups "Open BlueDragon" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openbd+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
