ColdFusion Talk (CF-Talk)
restricting access by IP address
Author: Samuel Neff
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165862
I talked to MM's security people before I blogged this in April. They said
it's not a bug because CF just gets whatever CGI variables are passed from
the web server so if the web server isn't passing the right variables it's
the web-server's bug. Can't really argue with that. A technote would be
nice though.. I'll bring it up again with that dept instead of with security
dept.
They did acknowledge that they could fix the bug in JWS but didn't file a bug
report since it's not intended for production use anyways.
I never tested with IIS6, only IIS5, and only how CF reacts to the CGI
variable not how IIS itself reacts (the discussion on this thread has been
mostly around using CF to restrict pages via CGI variables). I probably
should have been clearer.
Best regards,
Sam
----- Excess quoted text cut - see Original Post for more -----
> With IIS 6, at least, if you specify an IP address restriction within the
> IIS management console, IIS will reject requests for CF pages and static
> files unless they come from that IP address, whether the request has a CGI
> variable with the allowed address or not.
> I hadn't really thought about how CF deals with those CGI variables, though,
> and you're certainly right about that. Out of curiosity, do you know whether
> that's been submitted as a bug to Macromedia?
> Dave Watts, CTO, Fig Leaf Software
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165845
----- Excess quoted text cut - see Original Post for more -----
With IIS 6, at least, if you specify an IP address restriction within the
IIS management console, IIS will reject requests for CF pages and static
files unless they come from that IP address, whether the request has a CGI
variable with the allowed address or not.
I hadn't really thought about how CF deals with those CGI variables, though,
and you're certainly right about that. Out of curiosity, do you know whether
that's been submitted as a bug to Macromedia?
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Samuel Neff
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165809
IP spoofing is easy. I've tested it and spoofed IPs using just CFML as the
spoofing client. You can send a request to a server from your IP and your
IP goes into the TCP/IP packet, but you can send a different IP in the HTTP
request as a CGI variable. None of IIS, iPlanet, or JWS test whether the
TCP/IP-supplied address is the same as the HTTP CGI address.
http://www.rewindlife.com/archives/000159.cfm
The link you provided talks about router level (tcp/ip) address spoofing but
it's sufficient to just provide a CGI variable in the HTTP packet to spoof
IP address.
IP based security at web server/web app level is not safe (router level is
much safer).
Best regards,
Sam
----------------------------------------------
Blog: http://www.rewindlife.com
Chart: http://www.blinex.com/products/charting
----------------------------------------------
>> IP Spoofing is easy, I would also add a secure login
> While I'd recommend a secure login as well, I would take issue with your
> statement that "IP spoofing is easy". It is not easy, to the best of my
> knowledge, to send a message to a web server that says you're using one IP
> address and have it respond to your actual IP address, which would be
> necessary to circumvent IP address restrictions within your application or
> within the web server.
> http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm
> Dave Watts, CTO, Fig Leaf Software
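To make the disagreement between Sam and Dave concrete, here is an added example in Python (not code from the thread, and not a verbatim model of ColdFusion's or Macromedia's behaviour). It models a request as a CGI-style environment dict: REMOTE_ADDR is the address the web server took from the TCP connection, and HTTP_* keys are headers the client chose to send. The addresses, the forged Remote-Addr header, the trusted-proxy list and the function names are assumptions of this example. The naive function shows what happens when an application believes a client-supplied header, which is the "easy" spoof Sam describes; the safe function keys on the transport peer, which is what Dave's "hard to spoof" argument relies on, and only walks X-Forwarded-For backwards through proxies it operates itself.

```python
"""Added example, not code from the thread or from ColdFusion/Macromedia.

A request is a constructed CGI-style environ (hypothetical values):
REMOTE_ADDR is the TCP peer as the web server saw it; HTTP_* keys are
request headers the client chose to send.
"""
import ipaddress

# The three addresses from the original question.
ALLOWED_IPS = {"192.168.200.3", "192.168.200.7", "192.168.200.11"}


def _parse_ip(text):
    """Return an ip_address or None; never raise on attacker-supplied text."""
    try:
        return ipaddress.ip_address(str(text).strip())
    except ValueError:
        return None


def naive_client_ip(environ):
    """The pattern the thread warns about: a header wins over the peer address.

    Any client can send X-Forwarded-For or a literal 'Remote-Addr:' header
    (which a CGI gateway exposes as HTTP_REMOTE_ADDR), so this returns
    whatever the attacker typed.
    """
    for key in ("HTTP_X_FORWARDED_FOR", "HTTP_REMOTE_ADDR"):
        if environ.get(key):
            return environ[key].split(",")[0].strip()
    return environ.get("REMOTE_ADDR", "")


def client_ip(environ, trusted_proxies=()):
    """Derive the client address from the transport peer.

    Headers are consulted only when the peer is one of our own proxies, and
    then X-Forwarded-For is walked right-to-left so that only hops appended
    by trusted infrastructure are believed. Returns None (fail closed) when
    no trustworthy address can be established.
    """
    peer = _parse_ip(environ.get("REMOTE_ADDR"))
    if peer is None:
        return None
    proxies = {ipaddress.ip_address(p) for p in trusted_proxies}  # config error raises here
    if peer not in proxies:
        return peer                      # direct connection: headers are noise
    hops = [_parse_ip(h) for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed(hops):           # rightmost value was added by our proxy
        if hop is None:
            return None                  # malformed chain: refuse to guess
        if hop not in proxies:
            return hop                   # first address we did not add ourselves
    return None                          # chain contained only our proxies


def gate(environ, trusted_proxies=(), allowed=ALLOWED_IPS):
    """Application.cfm-style decision: True to serve the page, False to abort."""
    ip = client_ip(environ, trusted_proxies)
    return ip is not None and str(ip) in allowed


# Constructed requests (hypothetical addresses from documentation ranges).
DIRECT_ATTACKER = {                       # attacker at 203.0.113.9, no proxy
    "REMOTE_ADDR": "203.0.113.9",
    "HTTP_X_FORWARDED_FOR": "192.168.200.3",   # forged
    "HTTP_REMOTE_ADDR": "192.168.200.3",       # forged 'Remote-Addr:' header
}
VIA_PROXY_LEGIT = {                       # real client behind our proxy 10.0.0.5
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_FOR": "192.168.200.7",
}
VIA_PROXY_ATTACKER = {                    # attacker prepends an allowed address
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_FOR": "192.168.200.3, 203.0.113.9",
}
TRUSTED = ("10.0.0.5",)

if __name__ == "__main__":
    for name, env in (("direct", DIRECT_ATTACKER), ("proxy-legit", VIA_PROXY_LEGIT),
                      ("proxy-attacker", VIA_PROXY_ATTACKER)):
        print(f"{name:15} naive={naive_client_ip(env):15} "
              f"safe={client_ip(env, TRUSTED)}  serve={gate(env, TRUSTED)}")
```

Run stand-alone it prints one line per constructed request: the naive reading admits the attacker in both attacker cases, the peer-based reading admits only the client that really came in through the trusted proxy. The design choice worth noting is the fail-closed branches: an unparsable REMOTE_ADDR, a malformed X-Forwarded-For chain, or a chain made only of our own proxies all yield None and therefore a denial, never a fallback to whatever the client sent.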
Author: Tom Kitta
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165786
It is rather hard to spoof an IP address, while it is relatively easy to
spoof the domain name you are coming from. This is why you can take out
spammers based on the IP addresses they are using to spam you but not the
domain names they are using (they use whatever they like all the time).
TK
>> IP Spoofing is easy, I would also add a secure login
> While I'd recommend a secure login as well, I would take issue with your
> statement that "IP spoofing is easy". It is not easy, to the best of my
> knowledge, to send a message to a web server that says you're using one IP
> address and have it respond to your actual IP address, which would be
> necessary to circumvent IP address restrictions within your application or
> within the web server.
> http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> phone: 202-797-5496
> fax: 202-797-5444
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165779
> IP Spoofing is easy, I would also add a secure login
While I'd recommend a secure login as well, I would take issue with your
statement that "IP spoofing is easy". It is not easy, to the best of my
knowledge, to send a message to a web server that says you're using one IP
address and have it respond to your actual IP address, which would be
necessary to circumvent IP address restrictions within your application or
within the web server.
http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: techmike
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165777
What webserver is this? IIS?
If you have access to the IIS snap-in it is very easy to set up IP address
restrictions. You can even set up an entire subnet. That would likely be
the safest route if security is an issue.
-Mike
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Drew
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165776
IP Spoofing is easy, I would also add a secure login
depends on how much effort is required and how sensitive the data is
you REALLY could go to town, I hear there are some nice fingerprint
reading tools out there too!
Up to you, usually secure enough for most applications
Hope that helps!
----- Excess quoted text cut - see Original Post for more -----
Author: John Wilker
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165775
My approach was the opposite but the implementation would work. I needed to
ban IPs from my blog.
<cfquery datasource="#ATTRIBUTES.datasource#" name="qCheckForBannedIPs">
SELECT IP
FROM BANNEDLIST
WHERE IP = <cfqueryparam value="#CGI.REMOTE_ADDR#" cfsqltype="cf_sql_varchar">
</cfquery>
<!--- Any row back means the connecting address is on the ban list --->
<CFIF qCheckForBannedIPs.RecordCount GT 0>
<CFSET VARIABLES.Banned = 1>
<CFELSE>
<CFSET VARIABLES.Banned = 0>
</CFIF>
_____
Sent: Tuesday, June 08, 2004 5:54 AM
To: CF-Talk
Subject: restricting access by IP address
Hi all
How do I restrict access to my apps based on IP address? How do I restrict
access to only IP addresses like 192.168.200.3, 192.168.200.7,
192.168.200.11? Is it possible? How? Application.cfm?
Thanks for your time.
--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm
_____
Author: Philip Arnold
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165773
> From: Spectrum WebDesign
>
> how to restrict access for my apps based on IP Address? How
> to restrict access for only IP address like: 192.168.200.3,
> 192.168.200.7, 192.168.200.11? It's possible? How?
> Application.cfm?
In Application.cfm you could list all of the relevant IP addresses, then
if the current address isn't there, display a "not authorized" and
<CFABORT>
Author: Tony Weeg
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165772
You sure could.
There are myriad ways to accomplish it, probably a few less ways to get around it
or spoof it, but it would be a fairly good first layer of security.
is this to protect an intranet or something?
tw
> You could use something like
> <cfif CGI.REMOTE_ADDR is "196.168.0.3">
> whatever
> </cfif>
> Not exactly sure how secure that would be.. I'm still learning here.. :)
----- Excess quoted text cut - see Original Post for more -----
Author: techmike
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165771
You could use something like
<!--- CGI.REMOTE_ADDR is the address the web server saw on the connection;
      no pound signs are needed around a variable inside cfif --->
<cfif CGI.REMOTE_ADDR is "196.168.0.3">
whatever
</cfif>
Not exactly sure how secure that would be.. I'm still learning here.. :)
----- Excess quoted text cut - see Original Post for more -----
Author: CFDEV
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165770
Is that easy to go by? is it secure to do that or it would be easy to find a
work around?
Pat
_____
Sent: June 8, 2004 09:07
To: CF-Talk
Subject: Re: restricting access by IP address
Hi there,
this is usually carried out with the webserver rather than
Application.cfm as if you needed to change it you would have to recode
it.
Having said that you could add something at the top of Application.cfm
along the lines of
<cfset lAuthIps = "192.168.200.3,192.168.200.7,192.168.200.11">
<cfif ListFind(lAuthIps , CGI.REMOTE_ADDR) EQ 0>
You are not allowed here
<cfabort>
</cfif>
Hope that helps
>
> Hi all
>
> how to restrict access for my apps based on IP Address? How to restrict
access for only IP address like: 192.168.200.3, 192.168.200.7,
192.168.200.11? It's possible? How? Application.cfm?
----- Excess quoted text cut - see Original Post for more -----
_____
Author: Mark Drew
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165769
Hi there,
this is usually carried out with the webserver rather than
Application.cfm as if you needed to change it you would have to recode
it.
Having said that you could add something at the top of Application.cfm
along the lines of
<cfset lAuthIps = "192.168.200.3,192.168.200.7,192.168.200.11">
<cfif ListFind(lAuthIps , CGI.REMOTE_ADDR) EQ 0>
You are not allowed here
<cfabort>
</cfif>
Hope that helps
----- Excess quoted text cut - see Original Post for more -----
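The ListFind check in Mark Drew's Application.cfm snippet does exact string matching against three addresses. As an added example (Python, not code from the thread or from ColdFusion) that goes a step beyond it, the block below parses an allow-list that can also hold whole subnets and ranges, the kind of entry techmike notes the IIS snap-in accepts, validates the list once at startup, and fails closed on any address it cannot parse. The entry syntax, helper names, and every address other than the three from the original question are assumptions of this example.

```python
"""Added example, not from the thread: an IP allow-list with subnet support.

Parsed once at load time so a bad entry stops the application rather than
being discovered when a request is waved through. Entry syntax and the
addresses beyond the original question's three are hypothetical.
"""
import ipaddress


def parse_allow_list(text):
    """Turn '192.168.200.3, 10.10.0.0/16, 172.16.5.20-172.16.5.29' into networks.

    Accepts single addresses (treated as /32 or /128), CIDR blocks and dashed
    ranges. Raises ValueError on anything else or on an empty list.
    """
    nets = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            if "-" in entry:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                nets.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                # strict=False accepts '192.168.200.0/24' and also a network
                # written with host bits set; a bare address becomes a /32.
                nets.append(ipaddress.ip_network(entry, strict=False))
        except (ValueError, TypeError) as exc:
            raise ValueError(f"bad allow-list entry {entry!r}: {exc}") from exc
    if not nets:
        raise ValueError("allow-list is empty; refusing to start wide open")
    return nets


def normalise(addr):
    """Parse a client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    dual-stack listener still matches IPv4 allow-list entries."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def ip_allowed(addr, nets):
    """False for anything unparsable: an unexpected REMOTE_ADDR is a reason
    to deny, not a reason to skip the check."""
    try:
        ip = normalise(addr)
    except (ValueError, AttributeError):
        return False
    return any(ip in net for net in nets)


# Constructed configuration: the three addresses from the original question
# plus a /16 and a dashed range (both hypothetical).
ALLOW = parse_allow_list(
    "192.168.200.3, 192.168.200.7, 192.168.200.11, 10.10.0.0/16, 172.16.5.20-172.16.5.29"
)

if __name__ == "__main__":
    for probe in ("192.168.200.7", "192.168.200.8", "10.10.200.1", "10.11.0.1",
                  "172.16.5.29", "172.16.5.30", "::ffff:192.168.200.3", "garbage"):
        print(f"{probe:>22}: {'allow' if ip_allowed(probe, ALLOW) else 'deny'}")
```

The value of parsing at startup rather than per request is that a typo such as a fourth octet above 255 raises immediately with the offending entry named, instead of silently shrinking or widening the allowed set. The IPv4-mapped unwrapping matters on dual-stack servers, where a client on 192.168.200.3 can arrive as ::ffff:192.168.200.3 and would otherwise fail a purely IPv4 list.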
Author: Spectrum WebDesign
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33044#165768
Hi all
How do I restrict access to my apps based on IP address? How do I restrict
access to only IP addresses like 192.168.200.3, 192.168.200.7, 192.168.200.11?
Is it possible? How? Application.cfm?
Thanks for your time.
--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm
May 24, 2012