Good stuff Tim!

-----Original Message-----
From: Tim Blair [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 11:37 AM
To: CF-Talk
Subject: RE: Securing CF Apps.

> anotha new level of confidence...and power....

Pantera - Vulgar Display Of Power  :)

> If you want a secure app, don't let users see your fuseaction names.

If you want a secure app, don't let anyone use it...  ;)

As for using the security of your DB instead of application-based security -
in my opinion this is possibly *less* secure - it means that anyone with a
login for your webapp automatically has a direct login for your database
server!

A few pointers I use when thinking about the security of CF web apps:

1. Make sure CF server is suitably locked down - e.g.:
   - all services that aren't needed off (eg POP3 on a webserver)
   - file ownership set correctly
   - CF service running as a non-privileged user;

2. All incoming (URL/FORM/COOKIE/CLIENT stored in cookie) variables
   filtered and checked for validity;

3. Use different datasources for different query types - have one
   DS for SELECT-type queries (where the DB user only has SELECT
   privs) and one for INSERTs etc (DB user has fuller privs);

4. ALWAYS use <CFQUERYPARAM> - in my experience the lack of
   cachedwithin="" can either be overcome by using shared scopes
   or is not fully used - for example if you're on a shared server
   with tens or hundreds of separate web apps all using
   cachedwithin then it's unlikely that your results will stay
   cached for long!

5. Sure, if your DBMS has the facility, use stored procedures, but
   don't go over the top - the more complex your app, the more
   difficult future maintenance will be and the more likely someone
   will make a mistake that will lead to a possible exploitation
   point.

6. Store passwords using a one-way hash value unless absolutely
   necessary - there's no real problem generating a new password if
   the user's forgotten their old one.

That's just a few things off the top of my head - I'm sure people can come
up with a whole lot more!

Tim.


> -----Original Message-----
> From: Tony Weeg [mailto:[EMAIL PROTECTED]
> Sent: 23 March 2004 16:15
> To: CF-Talk
> Subject: RE: Securing CF Apps.
>
> I didn't used to use it...but now am changing all queries to use it,
> as I find them in my code...
>
> very cool, just anotha new level of confidence...and power....
>
> (if ya catch the lyric there, you're good)
>
> -----Original Message-----
> From: Ian Vaughan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 10:54 AM
> To: CF-Talk
> Subject: RE: Securing CF Apps.
>
> Does anybody use the CFQUERYPARAM tag for securing sql which is
> highlighted at
>  
> Securing Database Access Using the cfqueryparam Tag
> http://www.macromedia.com/devnet/mx/coldfusion/articles/cfqueryparam.html
>  
>  
>
> -----Original Message-----
> From: Tangorre, Michael [mailto:[EMAIL PROTECTED]
> Sent: 23 March 2004 15:27
> To: CF-Talk
> Subject: RE: Securing CF Apps.
>
>
> I do not encrypt all values in my forms (I do for URLs though).
> The reason I
> encrypt some form field values and not others is that they are not
> all
> important if altered by a malicious user...
>
> For instance. If I have a text box, I do not need to encrypt a
> date... My
> checks to ensure that the text supplied in that field is a date will take
> care of that. I encrypt important values that are used within
> queries:
>
> SELECT *
> FROM table
> WHERE someId = Decrypt(form.idfield,"key")
>
> This hides the type of values I am using to build the query with and it also
> limits the data that is exposed to the end user.
>
> Mike
>
> > > Yes. All URL and FORM variables should be encypted.
> > Especially if you
> > > are using a fusebox methodology.
> >
> > I've tried this, but my users were really upset with prompts
> > such as this:
> >
> > "Please Enter the Hash value of the date you would like"
>
>
>
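The controls Tim lists above (point 2, validate incoming variables; point 3, a SELECT-only datasource separate from the read-write one; point 4, cfqueryparam on every query; point 6, one-way password hashes) put together in working CFML, as an added example that is not code from anyone in this thread. The datasource names app_ro and app_rw, the users table and its columns, and the function names storePassword/checkPassword are assumptions for the example.

```cfml
<!--- Added example, not code from the thread. Assumed: two datasources defined in
      the CF Administrator, "app_ro" (DB login with SELECT only) and "app_rw"
      (DB login that may INSERT), and a table users(user_id, username, pw_salt, pw_hash). --->

<!--- Point 6: keep only a salted one-way hash. Writes go through the read-write
      datasource; every other query on the page uses app_ro. --->
<cffunction name="storePassword" returntype="void" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var salt = hash(createUUID() & getTickCount(), "SHA-256")>
    <cfset var digest = hash(salt & arguments.password, "SHA-512")>
    <cfquery datasource="app_rw">
        INSERT INTO users (username, pw_salt, pw_hash)
        VALUES (
            <cfqueryparam value="#arguments.username#" cfsqltype="cf_sql_varchar" maxlength="64">,
            <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#digest#" cfsqltype="cf_sql_varchar">
        )
    </cfquery>
</cffunction>

<!--- Login: fetch salt and stored hash, recompute, compare. The password never
      appears in the SQL text and is never written to the database. --->
<cffunction name="checkPassword" returntype="boolean" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var row = "">
    <cfquery name="row" datasource="app_ro">
        SELECT pw_salt, pw_hash
        FROM users
        WHERE username = <cfqueryparam value="#arguments.username#" cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>
    <cfif row.recordCount NEQ 1>
        <cfreturn false>
    </cfif>
    <cfreturn compare(hash(row.pw_salt & arguments.password, "SHA-512"), row.pw_hash) EQ 0>
</cffunction>

<!--- Point 2: check every incoming variable before it gets near a query. --->
<cfparam name="url.id" default="0">
<cfif NOT isValid("integer", url.id) OR url.id LTE 0>
    <cfthrow type="BadRequest" message="id must be a positive integer">
</cfif>

<!--- For contrast only, commented out: pasting the value into the SQL text means
      ?id=1%20OR%201=1 returns every row the moment the check above is forgotten. --->
<!---
<cfquery name="getUser" datasource="app_ro">
    SELECT user_id, username FROM users WHERE user_id = #url.id#
</cfquery>
--->

<!--- Points 3 and 4: SELECT-only datasource plus a bound parameter. The value
      travels to the driver separately from the SQL, so it cannot change the statement. --->
<cfquery name="getUser" datasource="app_ro">
    SELECT user_id, username
    FROM users
    WHERE user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Two caveats a practitioner would add: the cfsqltype on each cfqueryparam is a second, database-side type check (a non-integer id is rejected by the driver even if the isValid() line is removed), and a salted SHA-512 is simply what stock hash() offers; where the platform provides a deliberately slow password hash such as bcrypt or PBKDF2, use that instead of a plain digest.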