Identifying Lucee

Pete, thanks for those additions. The guys at builtwith.com were reticent
to go ‘snooping’ on people’s servers since they didn’t think admins would
like it. They also have millions of domains they check, so I’m sure they
try to stick to as few HTTP hits to each domain as possible. They had
asked me what they could look for on a Lucee site’s home page.

Thanks!

~Brad

ColdBox Platform Evangelist
*Ortus Solutions, Corp *

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

On Tue, Mar 31, 2015 at 12:02 PM, Pete Freitag <@Pete_Freitag> wrote:

You can already identify an unhardened server as running Lucee very
easily, so adding a header would just be another step for people to do when
locking down the server.

Here are a few things HackMyCF looks for to identify Lucee:

/lucee/doc/index.cfm
/lucee/admin/server.cfm
/lucee/form.cfm

Probably the easiest one would be to make a request to /lucee/form.cfm; if it
contains “LuceeForms” you are running Lucee.


Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner


You received this message because you are subscribed to a topic in the
Google Groups “Lucee” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/lucee/ps2ST5N4jFU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAADZ8V58x3Lj6EJrw5%3DAg3BP79VPyx_9PscThPnha1qbVt88xA%40mail.gmail.com

For more options, visit https://groups.google.com/d/optout.

I passed that suggestion on to them. I pointed out it’s not part of the
admin so it most likely won’t be seen as malicious traffic and will be less
likely to be locked down.

Thanks!

~Brad

ColdBox Platform Evangelist
*Ortus Solutions, Corp *

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

On Tue, Mar 31, 2015 at 12:34 PM, Igal @ Lucee.org <@Igal> wrote:

Probably the easiest one would be to make a request to /lucee/form.cfm; if
it contains “LuceeForms” you are running Lucee.

+1

Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/

Wow if you look at http://trends.builtwith.com/framework# things look bad
for CF.

Andrew Penhorwood

On Tuesday, March 31, 2015 at 8:55:15 AM UTC-4, jmoniatte wrote:

http://builtwith.com/lucee.org

Powered by Adobe ColdFusion. We safe :)

On Fri, Mar 27, 2015 at 1:10 PM, Jochem van Dieten wrote:

On Fri, Mar 27, 2015 at 12:53 AM, Nando Breiter wrote:

I’m not sure how best to phrase this properly, but the gist of it is
that a determined, very skilled hacker will likely manage to penetrate any
server.

One of our clients, an ISO 27001 certified company, put in their security
policy that “attacks by nation states and terrorists, possibly assisted by
legal or physical coercion, is out of scope”. I like that phrasing.

So while this statement seems factually true, in practice, I don’t think
a disclosure identifying Lucee would matter in nearly all cases … as a
common sense perspective on the issue.

Except that after this very public discussion putting this header in
would signal to the whole world that Lucee values marketing over best
practices. I think that would more than negate any hypothetical marketing
benefits.

Jochem


Jochem van Dieten
http://jochem.vandieten.net/



given the fact that it’s so simple to identify Lucee, I will reiterate my
opinion that a Powered-By header, with an option to disable it, does not
make Lucee less secure in any way.

If someone - for some daft reason - wants to add an “x-powered-by” header
to their responses they can.

But it’s just shit house marketing, serving almost no purpose, so -
seriously - why waste time with this? If Lucee was already adding it by
default I’d be all for an E/R to be able to switch it off, but this is just
a non-event of a suggestion, other than being a mild vector for
exploitation.

To the ppl who advocate it… would you ever consider adding this sort of
thing by hand? No. So why ask for it to be integrated into the platform?

This answer on Stack Overflow is what the link reference for X-POWERED-BY
on wikipedia
http://en.wikipedia.org/wiki/List_of_HTTP_header_fields#cite_ref-44 links
to: Why does ASP.NET framework add the 'X-Powered-By:ASP.NET' HTTP Header in responses? - Stack Overflow. Quote:

I know that PHP does this. I guess there is no real purpose, other than
marketing and making it easier for script kiddies to find suitable victims.
For PHP it’s better to disable the flag entirely since it shows the PHP
version and therefore makes the server more vulnerable to attacks.

Well… quite.

On Tuesday, 31 March 2015 18:59:39 UTC+1, Igal wrote:

Adam

given the fact that it’s so simple to identify Lucee, I will reiterate
my opinion that a Powered-By header, with an option to disable it, does
not make Lucee less secure in any way.

Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/

http://builtwith.com/lucee.org

Powered by Adobe ColdFusion. We safe :-)

Probably the easiest one would be to make a request to /lucee/form.cfm; if
it contains “LuceeForms” you are running Lucee.
+1

Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/

Just noticed my strange spelling for obfuscation, no idea where that word
came from… going to blame the Mac auto-incorrect!!!

Kind regards,

Andrew
about.me http://about.me/andrew_dixon
mso http://www.mso.net - Lucee http://lucee.org - Member

On 31 March 2015 at 17:07, Andrew Penhorwood <@Andrew_Penhorwood> wrote:

Don’t know but good question.

Andrew Penhorwood

On Tuesday, March 31, 2015 at 10:53:54 AM UTC-4, Andrew Dixon wrote:

How much of that decline is via system lock down and URL ossification as
many of the top ones are declining.

Kind regards,

Andrew
about.me http://about.me/andrew_dixon
mso http://www.mso.net - Lucee http://lucee.org - Member


Don’t know but good question.

Andrew Penhorwood

You can already identify an unhardened server as running Lucee very easily,
so adding a header would just be another step for people to do when locking
down the server.

Here are a few things HackMyCF looks for to identify Lucee:

/lucee/doc/index.cfm
/lucee/admin/server.cfm
/lucee/form.cfm

Probably the easiest one would be to make a request to /lucee/form.cfm; if it
contains “LuceeForms” you are running Lucee.

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
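An added example, not from this thread and not HackMyCF's code, that turns the three paths above into a check you can run offline. Only the paths and the "LuceeForms" body marker come from Pete's post; the verdict names, the http.client fetcher and the canned responses are my own assumptions so that the module runs without a target. The same run doubles as a lockdown check for the server side of this discussion: a 200 on /lucee/admin/server.cfm means the admin is answering to the outside world, whether or not the engine is identified.

```python
"""Active Lucee check built from the three paths in Pete's post.

Added example for this thread; it is not HackMyCF's scanner. Only the three
paths and the "LuceeForms" body marker come from the post. The verdict names,
the http.client fetcher and the sample responses are my own, and the samples
are constructed so the module runs offline.
"""
import http.client
from urllib.parse import urlsplit

# (path, body marker that confirms Lucee, what a 200 on the path tells you)
PROBES = (
    ("/lucee/form.cfm", "LuceeForms", "form helper reachable"),
    ("/lucee/admin/server.cfm", None, "server admin reachable: lock it down"),
    ("/lucee/doc/index.cfm", None, "bundled docs reachable"),
)


def fetch(base_url, path, timeout=5.0):
    """Stdlib GET returning (status, body_text). Redirects are not followed,
    so a 301/302 off the path is reported as-is rather than as a hit."""
    u = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "lucee-probe-example"})
        resp = conn.getresponse()
        return resp.status, resp.read(65536).decode("utf-8", "replace")
    finally:
        conn.close()


def judge(marker, status, body):
    """Classify one probe: blocked (web server or auth in front of it),
    absent (not served), reachable (served, engine not proven) or
    confirmed (served and the Lucee marker is in the body)."""
    if status in (401, 403):
        return "blocked"
    if status != 200:
        return "absent"
    if marker is not None and marker in body:
        return "confirmed"
    return "reachable"


def scan(base_url, fetcher=fetch):
    """Probe every path. Returns (is_lucee, findings) where findings maps
    path -> (verdict, note). `fetcher` is injectable so the logic can be
    exercised offline against canned responses."""
    findings = {}
    for path, marker, note in PROBES:
        try:
            status, body = fetcher(base_url, path)
        except (OSError, http.client.HTTPException) as exc:
            findings[path] = ("error", str(exc))
            continue
        findings[path] = (judge(marker, status, body), note)
    is_lucee = any(v[0] == "confirmed" for v in findings.values())
    return is_lucee, findings


# Constructed samples: an install with nothing in front of /lucee/ (form.cfm
# serves the marker, the admin answers) next to one where the web server
# returns 403 for everything under /lucee/.
UNHARDENED = {
    "/lucee/form.cfm": (200, "<script>var LuceeForms = {};</script>"),
    "/lucee/admin/server.cfm": (200, "<html><form>login</form></html>"),
    "/lucee/doc/index.cfm": (200, "<html>docs</html>"),
}
HARDENED = {path: (403, "Forbidden") for path, _, _ in PROBES}


def canned(table):
    """Fetcher that answers from a dict; unknown paths get a 404."""
    return lambda base_url, path: table.get(path, (404, "Not Found"))


if __name__ == "__main__":
    for label, table in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, scan("http://example.invalid", canned(table)))
```

Run it as a script to see both constructed samples; pass a real base URL with the default fetcher to probe a host you are authorised to test. A 403 on every path is what a web-server block in front of /lucee/ looks like; a 404 could be a removed context or a rewrite rule, so it is reported as absent rather than as hardened.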

Normally, x-powered-by is required to be turned off if the site requires PCI
compliance.

On Thursday, 26 March 2015 23:29:43 UTC+5:30, Brad Wood wrote:

Like I mentioned in this thread
https://groups.google.com/d/topic/lucee/0Al-xZy8WeA/discussion, I
submitted Lucee as a new technology to builtwith.com the other day. I’ve
been E-mailing back and forth with their support discussing how to best
identify a Lucee (or any CFML) server. Common approaches are:

  • File extensions (not specific to Lucee, can be hidden with URL
    rewrites)
  • Common session cookies (not specific to Lucee)
  • Admin URL (they’re reticent to scan for these, can also be hidden)
  • Cause an error like a 404 and hope for standard error page (they’re
    not doing this yet, only works if no global error handler in place)

What’s the general consensus for adding a default HTTP header to Lucee
that can be disabled by an admin that has something like:

X-Powered-By: Lucee

I’m well aware this sort of thing flies in the face of standard server
hardening, but it’s been a very common occurrence in technologies such as
.NET or PHP and I can’t help but wonder if it’s made those technologies
look “more used” just because they’re easy to identify.

Thoughts?

Thanks!

~Brad
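Brad's list above is what a single-request fingerprint, the kind builtwith.com wanted for a home page, has to work with. The following is an added example (mine, not builtwith.com's or Lucee's code) that scores one response on those signals. CFID and CFTOKEN are the standard CFML session cookie names and .cfm/.cfc the CFML file extensions; as the post says, those are not Lucee-specific, so the code never promotes them past "cfml", and only a Powered-By header naming Lucee yields "lucee". The error-page heuristic is left out because the thread gives no marker for it. The sample responses are constructed.

```python
"""Passive CFML/Lucee fingerprint from a single response, following the
signals in Brad's post: file extensions, the common session cookies and a
Powered-By header.

Added example for this thread; it is not builtwith.com's detection logic.
CFID/CFTOKEN are the usual CFML session cookie names and .cfm/.cfc the
CFML extensions; treating them as "CFML, engine unknown" follows the post,
which says they are not Lucee-specific. The sample responses are constructed.
"""
import re

CFML_SESSION_COOKIES = {"CFID", "CFTOKEN"}
# Links, form actions or script sources ending in .cfm/.cfc (query string allowed).
CFML_LINK_RE = re.compile(
    r'(?:href|action|src)\s*=\s*["\']?[^"\'>\s]*\.cf[cm]\b', re.I)


def fingerprint(headers, body):
    """headers: list of (name, value) pairs, so repeated Set-Cookie survives.
    Returns {"engine": "lucee" | "cfml" | "unknown", "evidence": [...]}.
    Only a Powered-By header naming Lucee upgrades the verdict to "lucee";
    cookies and extensions only show that some CFML engine is behind the page."""
    evidence = []
    engine = "unknown"
    for name, value in headers:
        key = name.lower()
        if key == "x-powered-by":
            evidence.append(f"X-Powered-By: {value}")
            if "lucee" in value.lower():
                engine = "lucee"
        elif key == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie.upper() in CFML_SESSION_COOKIES:
                evidence.append(f"session cookie {cookie}")
                if engine == "unknown":
                    engine = "cfml"
    links = CFML_LINK_RE.findall(body)
    if links:
        evidence.append(f"{len(links)} reference(s) to .cfm/.cfc resources")
        if engine == "unknown":
            engine = "cfml"
    return {"engine": engine, "evidence": evidence}


# Constructed sample responses: a CFML site with default cookies and visible
# extensions, a site that advertises itself in a header, and one with URL
# rewrites and J2EE sessions that gives nothing away on a single hit.
CFML_SITE = (
    [("Content-Type", "text/html"),
     ("Set-Cookie", "CFID=12345; Path=/; HttpOnly"),
     ("Set-Cookie", "CFTOKEN=abcdef; Path=/; HttpOnly")],
    '<a href="/about.cfm">About</a><form action="/login.cfm?next=home">',
)
HEADER_SITE = (
    [("Content-Type", "text/html"), ("X-Powered-By", "Lucee")],
    "<a href='/about'>About</a>",
)
REWRITTEN_SITE = (
    [("Content-Type", "text/html"), ("Set-Cookie", "JSESSIONID=x; Path=/")],
    "<a href='/about'>About</a>",
)

if __name__ == "__main__":
    for label, (h, b) in (("cfml", CFML_SITE), ("header", HEADER_SITE),
                          ("rewritten", REWRITTEN_SITE)):
        print(label, fingerprint(h, b))
```

The header is weak evidence in both directions: it is set, or rewritten (as the "Caffeine & Cookies" reply further down shows), by whoever runs the server, so a value naming Lucee is a claim rather than proof, and its absence proves nothing. Cookies and extensions survive longer than a header but disappear behind URL rewrites and a renamed session cookie, which is exactly the lockdown work the rest of this thread describes.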

Igal,
Given that we need things like lockdown guides and many of the comments I hear when people use them are “why didn’t it install this way by default?” I would suggest that if you want to add it, then turn it OFF by default and then people can turn it on if they want to.
That is from the “security” part of me. The other part of me says, well, if we are talking about moving so many things out to a plugin type where you add in just what you need, then why in the world would we add in something that will either edit http response codes or the html output of our carefully crafted web pages.
If someone really wants it then they can add a header to their webserver, leave the app engine out of it.

just my opinion.

Steve

Sent from my iPhone


I always change mine to

x-powered-by: Caffeine & Cookies.

I can’t believe I’m the only one who thinks this site is crazy for calling
everything a framework. You can’t just go changing terminology. I’ve been
around for more than 20 years and I’ve never heard anyone refer to Perl as a
“Framework”. I also checked all my public sites over the last two years
running CFML and not one of them lists that they are running CFML. Sites like
this are bad for languages and technologies. In my opinion they should take
the site down.