I am using ColdFusion 9 and jQuery.
I am pretty new to using ColdFusion CFCs via CFAJAXPROXY. I am curious as to whether my database is at risk and how I might easily patch security holes.
I put this at the top of the page:
<cfajaxproxy cfc="brands" jsclassname="jsApp">
Here's a CFC that is used after someone logs in:
<!--- ADD BRAND --->
<cffunction name="addBrand" access="remote" returntype="boolean" output="false">
    <cfargument name="SiteID" type="numeric" required="true">
    <cfargument name="Brand" type="string" required="true">
    <cfscript>
        // Copy the arguments; cap the brand name at 50 characters and trim whitespace
        LOCAL.SiteID = ARGUMENTS.SiteID;
        LOCAL.Brand = trim(left(ARGUMENTS.Brand, 50));
    </cfscript>
    <!--- Datasource is assumed to be set via this.datasource in Application.cfc.
          Both values are bound with cfqueryparam, so the SQL itself is not injectable. --->
    <cfquery name="GetBrands">
        INSERT INTO Brands(SiteID, Brand)
        VALUES (<cfqueryparam cfsqltype="cf_sql_integer" value="#LOCAL.SiteID#">,
                <cfqueryparam cfsqltype="cf_sql_varchar" value="#LOCAL.Brand#">)
    </cfquery>
    <cfreturn true>
</cffunction>
Here's the jQuery that would post the data to the CFC
$("#AddBrand").click(function() {
    // SiteID is assumed to come from a hidden field on the page; the CFC requires it
    var SiteID = $("#SiteID").val();
    var NewBrand = $("#NewBrand").val();
    var jro = new jsApp();
    // Proxy method arguments follow the CFC's cfargument order: SiteID, then Brand
    jro.addBrand(SiteID, NewBrand);
});
So, is there a big security hole here? Should access="remote" be used only for retrieving data?
No, access='remote' does not need to be used only for retrieving data, but it does need to be used carefully and with an understanding of the security implications.
The way you have that set right now, anyone would be able to make a call to insert something into your DB (assuming there are no other access controls that we are not seeing). So you probably should be implementing some type of access control to protect this and other functions.
Now I am going to assume that you did not put the word "easily" in your question and I am going to put in the word "practically" instead. When it comes to security, there is rarely an "easy".
So there are several ways you could protect these methods. A lot depends on how you want to do it and what you are doing already.
1. If you are using <cflogin> you may be able to add roles="<Your Admin role name>" to the function. I have never tried this, but I suspect it would work. (Personally, I do not like this method for several reasons, but it is an option.)
2. You can put some sort of authorization code at the top of the function:
<cfif NOT mySecurityCFC.isAuthorized(COOKIE.CFID, COOKIE.CFTOKEN)><cfreturn /></cfif>
I don't like this method either.
3. You could use the new onCFCRequest() method of App.cfc in ColdFusion 9 to intercept requests and run them through your authorization routine. This is cleaner than option 2. I would say this is the easiest option, and would work effectively, but I, personally, like option 4 better.
4. The ColdSpring project has some great tools for automatically creating and working with remote proxy objects that can also incorporate security through Aspect-Oriented Programming (AOP). The combination of remote proxies and AOP is extremely powerful and can allow you to create the remote methods without exposing the real underlying objects and to intercept and authorize each request to those methods without having to stitch code into every method. In fact, the methods themselves are not even aware they are being secured.
I would choose option 4. It may sound like a daunting and extremely high-level process, and in some ways it is, but it is actually quite a lot easier than you might think to implement. The steps are outlined in the ColdSpring quick start guide. http://www.coldspringframework.org/index.cfm/go/documentation
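As an added illustration of option 3 (not code from the original question or answer), here is an Application.cfc whose onCFCRequest() rejects remote calls to data-changing methods unless the session is logged in with an admin role. The session keys (SESSION.loggedIn, SESSION.roles as a comma list) and the list of write methods are assumptions; adjust them to your own login code.

```cfml
<!--- Application.cfc: added example, not part of the original post --->
<cfcomponent output="false">
    <cfset this.name = "BrandsApp">
    <cfset this.sessionManagement = true>

    <!--- Every remote CFC call (including cfajaxproxy calls) passes through here
          before the method runs. Assumed: your login code sets SESSION.loggedIn
          and SESSION.roles (comma-separated list). --->
    <cffunction name="onCFCRequest" access="public" returntype="any" output="false">
        <cfargument name="cfcname" type="string" required="true">
        <cfargument name="method" type="string" required="true">
        <cfargument name="args" type="struct" required="true">

        <!--- Methods that change data; anything not listed is treated as read-only --->
        <cfset var writeMethods = "addBrand,updateBrand,deleteBrand">
        <cfset var isAdmin = StructKeyExists(SESSION, "loggedIn")
                             AND SESSION.loggedIn
                             AND StructKeyExists(SESSION, "roles")
                             AND ListFindNoCase(SESSION.roles, "admin") GT 0>
        <cfset var result = "">

        <cfif ListFindNoCase(writeMethods, ARGUMENTS.method) AND NOT isAdmin>
            <!--- Refuse the call: the CFC method never executes and the caller
                  gets an error instead of a silent success --->
            <cfthrow type="Security.NotAuthorized"
                     message="Not authorized to call #ARGUMENTS.cfcname#.#ARGUMENTS.method#">
        </cfif>

        <!--- Authorized (or read-only): run the requested method and hand back its
              result. Assumes the server serializes the return value for the proxy;
              if your CF9 build does not, SerializeJSON() it here yourself. --->
        <cfinvoke component="#ARGUMENTS.cfcname#"
                  method="#ARGUMENTS.method#"
                  argumentcollection="#ARGUMENTS.args#"
                  returnvariable="result">
        <cfreturn result>
    </cffunction>
</cfcomponent>
```

Because the check lives in one place, addBrand() and any other remote method stay unchanged, which is the same benefit the answer attributes to option 4, without the framework.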