"Jeff Ebeling" <jebeling@analysts.com> wrote in message
news:ek0Os8NlEHA.2764@TK2MSFTNGP11.phx.gbl...
> Hi all,
>
> I am a security engineer (new to the newsgroup) who just completed an Cold
> Fusion application security assessment. I found that the "application" was
> really a portal to multiple CF applications with single signon (SSO)
> implemented in CF. The web server is obviously IIS.
>
> The CF SSO implementation prevents access to (execution of) any files with
> the .cfm extension without valid CF cookies that are established via a CF
> login page. However, files used by, and linked from, the served pages
> without the .cfm extension are served by IIS regardless of whether or not
> the CF cookies associated with SSO are valid. All this is expected
behavior,
> but creates a serious security hole as any non-CF files can be accessed
> without logging in as long as the client knows the URL of the resource.
>
> I'm trying to find a good recommended solution that does not require
> extensive rewriting of all of the application code or require the user to
> authenticate more than once. I know that IIS can be set to protect
> individual files and directories, but to do so would require that the user
> authenticate to the windows server. I would much prefer a solution that
only
> required modification of the CF login script. Is there some way to have
the
> CF login script so the authentication and then set a non-persistent cookie
> on the client that IIS will then use for client authorization prior to
> serving files that are access contolled, without requesting that the user
> manually authenticate? Alternatively, can IIS be setup to redirect to a
Cold
> Fusion script to serve pages with specific extensions or in specific
> directories?
>
> There has got to be some easy way to do this, but I have yet to discover a
> solution. I would think that most CF apps running on IIS that use CF based
> authentication for security have the same flaw.
>
> My apologies, if this has been covered previously.
>
> Thanks,
>
> Jeff
>
>