ColdFire Security Consideration

Given all the security issues around ColdFusion in the past few months, I thought it would be a good idea to remind ColdFire users about a potential security issue. One of the enhanced features of ColdFire is the ability to dump variables without changing your code. For example, to see the application scope you can just type "application" in the Variables tab, reload the page, and there you have your application scope dumped to the ColdFusion Firebug tab. This is a great feature during development, but it could also be an attack vector if used on a public server. Imagine you were running ColdFire on a public server and storing something like database credentials in the application scope. Depending on the debugging IP addresses configured in the ColdFusion Administrator, someone running the ColdFire Firebug extension could come along, dump the application scope, and see those credentials. This isn't really an issue with ColdFire; it works as intended. It is just something to be aware of if you use the tool.
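The Administrator's debugging IP list is the primary control here. As an added defense-in-depth example (not part of ColdFire or this blog's own code), the Application.cfc below turns off debug output for any request whose client address is not on an application-level allowlist, so that a too-broad Administrator setting does not expose scope dumps from this application. The allowlist addresses are placeholders; the example assumes that suppressing debug output with cfsetting also suppresses the ColdFire debug template, since ColdFire rides on the standard debugging output.

```cfml
<!--- Application.cfc: added example, not ColdFire's own code --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">

    <!--- Hypothetical developer allowlist; replace with your own addresses.
          Exact-match list, so each developer address must be listed in full. --->
    <cfset variables.debugAllowList = "127.0.0.1,192.0.2.10">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- cgi.remote_addr is the TCP peer: behind a reverse proxy it is the
              proxy's address, so this check only makes sense on servers that
              face clients directly or where the proxy is itself trusted. --->
        <cfif NOT listFindNoCase(variables.debugAllowList, cgi.remote_addr)>
            <!--- Suppress debug output (and with it ColdFire variable dumps)
                  for everyone not on the allowlist, regardless of what the
                  Administrator's debugging IP list currently allows. --->
            <cfsetting showdebugoutput="false">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Independently of any IP gating, keeping raw database credentials out of the application scope (for example by defining a named datasource in the Administrator and storing only its name) means a scope dump reveals far less even if debugging is reachable.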

Comments
Does it not honor debug IP addresses?
# Posted By Robert Burns | 9/29/09 6:07 PM
@Robert - ColdFire does honor the debugging IP addresses specified in the ColdFusion administrator. (That is part of the reason I wrote the IP Ranger administrator extension.)
# Posted By Nathan Mische | 9/29/09 8:27 PM
I've updated the article to mention debugging IP addresses.
# Posted By Nathan Mische | 9/29/09 8:34 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.