Why would you ever do this?
BTW, are you ever going to change the admin password from admin?
----- Original Message -----
From: Tony Weeg <[EMAIL PROTECTED]>
Date: Tuesday, March 23, 2004 10:52 am
Subject: RE: Securing CF Apps.
> here is a snippet that I use in my application.cfm files to prevent cf tags
> in form fields...
>
> I think the webrat made this...good idea nonetheless.
>
> <!--- This section protects against FORM hacks in which a user (if they knew
> ColdFusion) could set session variables by typing in ColdFusion in a field
> value and submitting it to the server for evaluation. ~Todd R --->
> <!--- ANTI HACKER ---><!--- ANTI HACKER ---><!--- ANTI HACKER ---><!--- ANTI HACKER ---><!--- ANTI HACKER --->
> <cfif isDefined("FORM") and IsStruct(FORM) and StructCount(FORM) GT 0>
>     <cfloop collection="#FORM#" item="y">
>         <!--- Read the field value by key. The original used Evaluate(y), which
>               evaluates the attacker-supplied field NAME as a CFML expression
>               and also throws on names that are not valid variable names. --->
>         <cfset checkHackAgainst = FORM[y]>
>         <!--- CONTAINS is case-insensitive, so "<cf" is caught as well. --->
>         <cfif checkHackAgainst contains "<CF">
>             <cflocation url="" addtoken="No">
>         </cfif>
>     </cfloop>
> </cfif>
> <!--- ANTI HACKER ---><!--- ANTI HACKER ---><!--- ANTI HACKER ---><!--- ANTI HACKER ---><!--- ANTI HACKER --->
>
> -----Original Message-----
> From: Burns, John D [EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 12:47 PM
> To: CF-Talk
> Subject: RE: RE: Securing CF Apps.
>
> My personal opinion is that your app should be smart enough not to let
> people pass SQL commands in the URL. I would imagine that everyone knows
> that much.
>
> I think some of the suggestions that have come out were just mentioning
> what could be done to help prevent a lot of trouble if people somehow get
> access to the code by compromising the server. That was Adam's thing about
> using Stored Procedures. Then if someone somehow downloaded all of your
> code, they couldn't figure out your database structure by looking through
> your CFQUERY calls. I think he would agree that it's still not 100% secure
> by any means but it does solve that particular problem of people figuring
> out your schema by seeing your queries.
>
> The other suggestion that I would make is that on pages where you're doing
> some kind of database manipulation queries based on form or url variables,
> do a check to make sure that the request is coming from the same domain, or
> have a list of acceptable domains if you're expecting posts from other
> domains. That can help to prevent hackers from posting to your pages unless
> somehow they can execute the code from your server, in which case you have
> some other problems that you need to address.
>
> My 2 cents,
>
> John
>
> -----Original Message-----
> From: Kazmierczak, Kevin [EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 12:40 PM
> To: CF-Talk
> Subject: RE: RE: Securing CF Apps.
>
>
> I agree that data validation is the most important thing you can do.
> But if you have information that you don't want a user messing around with
> that happens to be in a form or url, it doesn't seem like there is any
> harm in weakly encrypting it. For example, this might deter my grandma
> from inserting drop table SQL commands in the url.
>
> If a hardcore hacker hits your site, you look for the most recent backup;)
>
> Kevin
>
> _____
>
> From: Kwang Suh [EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 11:59 AM
> To: CF-Talk
> Subject: Re: RE: Securing CF Apps.
>
> What exactly are you doing in your application that demands wimpy
> "encryption"?
>
> And what do you do when the "hardcore" hacker hits your site?
>
> Sounds to me that people do silly, potentially harmful things like url
> encryption simply because they don't properly consider data input, output
> and transfer and then make themselves feel better by saying that it deters
> "casual" hackers, whatever the hell that means.
>
> ----- Original Message -----
> From: "Kazmierczak, Kevin" <[EMAIL PROTECTED]>
> Date: Tuesday, March 23, 2004 9:49 am
> Subject: RE: Securing CF Apps.
>
> > Yeah I agree encrypting all variables is a bit much, but encrypting
> > some of them might be enough to make the casual hacker move on to a
> > different server without encrypted variables. If that person really
> > wanted to decrypt those variables, they could. The most important
> > thing to do is to make sure data is validated before you do anything
> > with it.
> >
> > Kevin
> >
> > _____
> >
> > From: Kwang Suh [EMAIL PROTECTED]
> > Sent: Tuesday, March 23, 2004 11:39 AM
> > To: CF-Talk
> > Subject: Re: Securing CF Apps.
> >
> > There is nothing inherently wrong with letting users see fuseaction
> > names.
> >
> > And to use a very weak form of "encryption" that makes you think that
> > you're somehow safe against attacks is an extremely bad situation to
> > be in.
> >
> > ----- Original Message -----
> > From: Adrocknaphobia <[EMAIL PROTECTED]>
> > Date: Tuesday, March 23, 2004 9:24 am
> > Subject: Re: Securing CF Apps.
> >
> > > Point being, if you want a secure app, don't let users see your
> > > fuseaction names.
> > >
> > > -adam
> > >
> > > > -----Original Message-----
> > > > From: Kwang Suh [EMAIL PROTECTED]
> > > > Sent: Tuesday, March 23, 2004 04:14 PM
> > > > To: 'CF-Talk'
> > > > Subject: Re: Securing CF Apps.
> > > >
> > > > > Yes. All URL and FORM variables should be encrypted.
> > > >
> > > > This is beyond silly.
> > > >
> > > > > Especially if you are using a fusebox methodology.
> > > >
> > > > Using or not using Fusebox has nothing to do with the situation.
> > > >
> > _____
> _____
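Added example, not code from the thread: the snippet quoted above rejects a form whose values contain "<CF", and its comment describes the risk as user input being handed to the server for evaluation. The Python below (chosen so the logic can be run here; the CFML counterparts are Evaluate() and a struct of validation rules) runs that substring check beside an allowlist that names every expected field and the shape its value must take, over constructed submissions. Two of the submissions carry a CFML expression with no "<CF" in it at all, one in a value and one in a field name; the substring check passes both, the allowlist rejects both. Field names, rule patterns, function names and sample data are all assumptions.

```python
"""Form validation: the "<CF" substring check beside an allowlist.

Added example; the submissions below are constructed, not real traffic.
"""
import re

# Constructed submissions (field name -> value).
BENIGN = {"fuseaction": "users.edit", "userid": "42", "email": "alice@example.com"}
TAG_IN_VALUE = {"fuseaction": "users.edit", "userid": "42",
                "email": "<cfset session.admin = true>"}
# A CFML expression with no "<CF" anywhere in it. A substring check never
# sees it, but any code that hands the value to Evaluate() would run it.
EXPR_IN_VALUE = {"fuseaction": "users.edit",
                 "userid": "SetVariable('session.admin', true)",
                 "email": "alice@example.com"}
# The same expression used as the field NAME; a loop that evaluates field
# names (instead of reading FORM[name]) would run this one too.
EXPR_IN_NAME = {"SetVariable('session.admin', true)": "x", "userid": "42"}


def contains_cf_tag(value):
    """The thread's check: case-insensitive '<CF' substring, applied to values."""
    return "<cf" in value.lower()


def blacklist_passes(form):
    """True when no value contains '<CF' (what the quoted snippet enforces)."""
    return not any(contains_cf_tag(v) for v in form.values())


# Allowlist (assumed rules): each expected field maps to a pattern its value
# must match in full. Any field not named here is rejected outright.
RULES = {
    "fuseaction": re.compile(r"[a-z]+\.[a-z]+"),
    "userid": re.compile(r"[0-9]{1,9}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def allowlist_errors(form, rules=RULES):
    """Return a list of problems; an empty list means the submission is acceptable."""
    errors = []
    for name, value in form.items():
        rule = rules.get(name)
        if rule is None:
            errors.append("unexpected field %r" % name)
        elif rule.fullmatch(value) is None:
            errors.append("bad value for %r" % name)
    return errors


def allowlist_passes(form, rules=RULES):
    return not allowlist_errors(form, rules)


if __name__ == "__main__":
    cases = [("benign", BENIGN), ("tag in value", TAG_IN_VALUE),
             ("expr in value", EXPR_IN_VALUE), ("expr in name", EXPR_IN_NAME)]
    for label, form in cases:
        print("%-14s blacklist=%-5s allowlist=%s" %
              (label, blacklist_passes(form), allowlist_errors(form) or "ok"))
```

The point of the allowlist is that it never needs to know what an attack looks like: a numeric id is checked against a numeric pattern, and a field the page never asked for is an error whatever it contains. Run the allowlist before any value reaches a query, a session write or an Evaluate() call, and treat a failure as a hard reject rather than a redirect and retry.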
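Added example, not from the thread: John's point that an app must not let SQL commands through the URL, and Kevin's "drop table" in the url, come down to whether the URL value is concatenated into the query text or bound as a parameter. The Python/sqlite3 code below is an assumption (an in-memory table with constructed rows, chosen so it runs here); it shows the concatenated lookup returning every row, and then a different column, for crafted id values, while the bound lookup (the counterpart of `<cfqueryparam cfsqltype="cf_sql_integer">` inside CFQUERY) returns nothing for the same inputs.

```python
"""URL value to SQL: concatenated query beside a bound parameter (sqlite3).

Added example; the table and rows are constructed.
"""
import sqlite3


def make_db():
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def lookup_concatenated(conn, userid):
    """The pattern to avoid: url.id pasted straight into the SQL text.

    '1 OR 1=1' turns the WHERE clause into a tautology and returns every row;
    '0 UNION SELECT email FROM users' makes the query return a column the
    page never meant to expose.
    """
    sql = "SELECT name FROM users WHERE id = " + userid
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, userid):
    """Validate the type, then bind; the value can never alter the statement."""
    try:
        uid = int(userid)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (uid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 OR 1=1", "0 UNION SELECT email FROM users"):
        print("%-35r concatenated=%s bound=%s" %
              (probe, lookup_concatenated(db, probe), lookup_bound(db, probe)))
```

The int() conversion is the allowlist half of the fix and the bound placeholder is the structural half; keep both, because a bound parameter alone still lets a non-numeric value reach the database driver, and a type check alone does nothing for free-text columns.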
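Added example, not from the thread: John's check that a data-changing request comes from your own domain, or from a list of acceptable domains, done on the Referer header. Referer is supplied by the client and can be stripped or forged by anything that is not an ordinary browser, so the example pairs it with a per-session token the form has to echo back, which is the check that actually stops a cross-site post. Host names, the header and session structures, and the function names are assumptions; the hostname comparison is exact so that a look-alike such as www.example.com.evil.net does not pass.

```python
"""Same-domain check for state-changing requests: Referer allowlist plus a
per-session token. Added example; host names and headers are constructed."""
import hmac
import secrets
from urllib.parse import urlsplit

# Hosts whose pages are allowed to post here (assumed names).
ALLOWED_HOSTS = {"www.example.com", "partner.example.net"}


def referer_host(headers):
    """Hostname from the Referer header, or None when absent or unparsable.

    urlsplit().hostname lower-cases the host and drops port, userinfo and
    path, so 'HTTP://WWW.EXAMPLE.COM:80/edit.cfm' and 'https://www.example.com/'
    agree. A Referer without a scheme has no netloc and yields None, which is
    treated as 'not from an allowed page' rather than guessed at.
    """
    value = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not value:
        return None
    return urlsplit(value).hostname


def referer_allowed(headers, allowed=ALLOWED_HOSTS):
    """Exact hostname match only: suffix or substring matches let look-alikes in."""
    host = referer_host(headers)
    return host is not None and host in allowed


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session; return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, form):
    """The form must echo the session's token; compare in constant time."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def accept_state_change(headers, session, form):
    """Both checks must pass before a form- or url-driven write is processed."""
    return referer_allowed(headers) and csrf_token_valid(session, form)


if __name__ == "__main__":
    sess = {}
    tok = issue_csrf_token(sess)
    good = {"Referer": "https://www.example.com/edit.cfm?id=7"}
    fake = {"Referer": "https://www.example.com.evil.net/"}
    print("own page, right token :", accept_state_change(good, sess, {"csrf_token": tok}))
    print("look-alike, right token:", accept_state_change(fake, sess, {"csrf_token": tok}))
    print("own page, no token     :", accept_state_change(good, sess, {}))
```

Rejecting a missing Referer is a trade-off: some privacy proxies strip it, so those users cannot submit. That is the reason the token does the real work; the Referer check is cheap defence in depth on top of it, not a substitute.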