Did you just admit on a public forum to committing fraud, or were you just
using that as a hypothetical example? <grin>

Chris Evans
[EMAIL PROTECTED]
http://www.fuseware.com


-----Original Message-----
From: Tariq Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 3:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered


> I know, but I am more than likely missing some stuff.  Anyone care to share
> their CF/NT/IIS security checklist or other advice?
>
> It's escalated into all-out war.  He is going to stop at nothing to make me
> look bad, and I will stop at nothing to prevent him from succeeding.

        That's kind of a cool situation. I love drama. :) I would say with
your application, make sure if you're passing variables in the URL string
that they can't do anything super bad by tinkering with the URL.
As well.. that if they save a form to their PC, and then alter values,
and hit submit.

        When I worked at PSINet, we had an E-Commerce solution. And
WorldPay was saying their solution is better. So they had me evaluate
it. This was 2 years ago, so I'm sure it's secure now (our solution was
using Open Market, which md5 encrypts the URL so that it can tell if the
URL was tinkered). But I went to one of their profile stores, saved
the ordering form. Changed how much some item was from ~$180.00 to $1.50,
hit submit and a few days later got my present. :)

        Don't know about NT security.... but along the lines of UNIX
security, turn off anything you don't absolutely need (ie services). If
he's been watching the news he'll probably download the denial of service
attack software.


              Tariq Ahmed - [EMAIL PROTECTED] - ICQ 6308515
         TIBCO Finance Technology - Web Group - Senior Web Engineer
     Work: 650-461-3472   Pager: 800-759-8888x1702632   Fax: 650-461-3003
                 3375 Hillview Avenue. Palo Alto, CA. 94304.

----------------------------------------------------------------------------
--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
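
The check the quoted message describes (a keyed hash over the order values so the server can tell when a saved form or URL was altered), as an added example that is not part of the original thread and not Open Market's code. It uses HMAC-SHA256 rather than the MD5 mentioned in the message; `SERVER_KEY`, `CATALOG` and the field names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Assumption: a server-side secret that never reaches the browser (constructed value).
SERVER_KEY = b"constructed-demo-key-rotate-in-production"

# Assumption: hypothetical catalog; the authoritative price lives on the server.
CATALOG = {"SKU-1001": "180.00"}


def _canonical(fields):
    """Serialize fields in sorted order so signer and verifier hash the same bytes."""
    return urlencode(sorted(fields.items())).encode("utf-8")


def sign_form(fields):
    """Return a copy of the fields plus a 'sig' value to embed as a hidden input."""
    tag = hmac.new(SERVER_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": tag}


def verify_form(submitted):
    """True only if every signed field is unchanged since sign_form()."""
    fields = {k: v for k, v in submitted.items() if k != "sig"}
    expected = hmac.new(SERVER_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    supplied = str(submitted.get("sig", ""))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def accept_order(submitted):
    """Reject tampered forms, then charge the catalog price, not the posted one."""
    if not verify_form(submitted):
        return None
    sku = submitted.get("sku")
    if sku not in CATALOG or submitted.get("price") != CATALOG[sku]:
        return None
    return {"sku": sku, "charge": CATALOG[sku]}


if __name__ == "__main__":
    form = sign_form({"sku": "SKU-1001", "price": "180.00"})  # constructed order
    print(accept_order(form))                       # untouched form
    print(accept_order({**form, "price": "1.50"}))  # edited after saving locally
```

The signature only detects edits; the catalog lookup in `accept_order` is what keeps a posted price from ever being the amount charged.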

