>> I agree with the descriptive file names, etc., but what's
>> wrong with naming it *.udf?
> People could download and view your UDFs. I've even used .cfm extensions
> on xml files for that reason. I also have a system in place where any
> file with a 3-letter prefix and underscore (e.g. act_deleteaccount.cfm)
> cannot be run directly. You do this by placing
>
>     <cfif REFind("/..._", CGI.SCRIPT_NAME)>
>         <cflocation url="">
>     </cfif>
>
> in application.cfm. This is similar to a technique in fusebox where you
> force everything thru index.cfm.

This, in combination with <cfabort> in an Application.cfm file in any subdirectories used for include files, is a good and important security measure.

Entirely aside from people being able to see the source of a file not named with .cfm by typing a url to it in their browser, users can potentially bypass any or all of your security measures for a given feature by typing in a url such as:

http://www.hackablesite.net/myadmin/dsn/act_datasourcedelete.cfm?datasourceid=5

or

http://www.hackablesite.net/myadmin/common/getsecuritycontext.cfm?username=admin

In most cases it's a bit more difficult than that, but maybe not much more difficult.

S. Isaac Dealey
Certified Advanced ColdFusion 5 Developer
www.turnkey.to
954-776-0046
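An added example, not code from either poster in this thread, of how the Application.cfm guard described above can be written so that it tests the requested file name rather than the whole path, answers with a 404 instead of an empty redirect, and is paired with the <cfabort> in the include directories. The directory layout (myadmin/, myadmin/common/), the application name and the session variable name are assumptions.

```cfml
<!--- myadmin/Application.cfm  (added example; directory and names are assumed) --->
<cfapplication name="myadmin" sessionmanagement="yes">

<!--- Take only the file name off the request path, so a directory whose name
      happens to contain "xxx_" does not trip the check. --->
<cfset requestedFile = ListLast(CGI.SCRIPT_NAME, "/")>

<!--- Files with a three-letter prefix and an underscore (act_, dsp_, qry_ ...)
      are include-only fuselets: they may run only through index.cfm.
      Answer 404 rather than redirecting, so nothing hints that the file exists. --->
<cfif REFindNoCase("^[a-z][a-z][a-z]_", requestedFile)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- The prefix rule only forces the flow through index.cfm; it authenticates
      nobody. Keep the real authorization check here as well, so a guessed URL
      to any page still needs a logged-in session. --->
<cfif NOT IsDefined("session.userId") AND requestedFile NEQ "login.cfm">
    <cflocation url="/myadmin/login.cfm" addtoken="no">
</cfif>


<!--- myadmin/common/Application.cfm  (added example; this directory holds includes only)
      ColdFusion runs only the nearest Application.cfm up the tree, so the parent's
      checks are NOT applied here automatically; aborting every direct request to
      this directory is the simplest safe choice. --->
<cfabort>
```

The <cfabort> in common/Application.cfm does not interfere with normal use of the includes: Application.cfm runs once per request, for the page that was actually requested, so a <cfinclude> from index.cfm into common/ never executes common/Application.cfm. Only a browser asking for common/getsecuritycontext.cfm directly hits the abort.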