I remember one advisory, it was related to CF3 Administrator. The password
field length was only secured by the form "maxlength" attribute, not on
server side. Thus, someone could kill a CF server by posting to the
administrator login screen password field some very long string. The
application would then try to "compare" that string with actual password -
which was a time-consuming operation for large strings. Though this in
itself doesn't give root access, it crashes the CF server and possibly makes
server hacking easier.

TK
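
The failure mode TK describes above, a length limit enforced only by the form's "maxlength" while the server compares whatever arrives, is illustrated here with an added Python example that is not from the original thread and not ColdFusion's own code. The cap value (MAX_PASSWORD_BYTES), the PBKDF2 parameters and the sample credential are assumptions made for this example; the point it shows is that the server rejects an oversized submission before doing any hashing or comparison, so the cost of handling it does not grow with its size.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Server-side cap on submitted password length, enforced regardless of any
# HTML "maxlength" attribute on the form. The value is an assumption for this
# example; it should comfortably exceed any legitimate passphrase.
MAX_PASSWORD_BYTES = 128

# PBKDF2 iteration count. Kept modest so the example runs quickly; production
# deployments use a much higher count.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest for storage. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def check_login(submitted: str, salt: bytes, stored_digest: bytes) -> Tuple[bool, str]:
    """Validate a submitted password. Returns (accepted, reason).

    The length check runs before any hashing or comparison, so an oversized
    submission is rejected at a cost that does not depend on the stored hash
    and involves no key derivation at all.
    """
    if len(submitted.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return False, "rejected: exceeds server-side length limit"
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"), salt, ITERATIONS)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if hmac.compare_digest(candidate, stored_digest):
        return True, "accepted"
    return False, "rejected: wrong password"


def timed_check(submitted: str, salt: bytes, stored_digest: bytes) -> Tuple[bool, float]:
    """Run check_login and report the wall-clock seconds it took."""
    start = time.perf_counter()
    accepted, _ = check_login(submitted, salt, stored_digest)
    return accepted, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    salt, digest = hash_password("correct horse battery staple")
    oversized = "A" * (8 * 1024 * 1024)  # an 8 MiB submission, constructed
    for label, attempt in [("correct", "correct horse battery staple"),
                           ("wrong", "hunter2"),
                           ("oversized", oversized)]:
        ok, seconds = timed_check(attempt, salt, digest)
        print(f"{label:9s} accepted={ok!s:5s} took={seconds:.4f}s")
```

Running the script shows the correct and wrong attempts each paying the PBKDF2 cost, while the oversized attempt returns almost immediately because it never reaches the key derivation. The same ordering applies to any server-side handler: validate the size of what arrived first, then spend CPU on it.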

-----Original Message-----
From: Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 11:12 AM
To: CF-Talk
Subject: RE: ColdFusion Security Holes - Best Practices


Yea, personally I don't remember ever reading any security advisories about
ColdFusion.  Sure ColdFusion has bugs, but I don't ever remember anything
serious enough to allow people to hack into the server.  (although a poorly
configured server is probably full of holes, but that's not ColdFusion's
fault).

Meanwhile I remember a lot of very dangerous bugs in ASP and PHP which
caused people's machines to be rooted.  That security consultant needs to
stop using the knowledge he learned at some fly-by-night security school,
and get a real education.

Russ

-----Original Message-----
From: Ken Ferguson [mailto:[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 11:10 AM
To: CF-Talk
Subject: Re: ColdFusion Security Holes - Best Practices

You're totally right Thomas. Better to use the phone number to get the
address, follow him (where "him" is any suitable employee) from work to
the bar, lift his security badge / keycard after he's
3-sheets-to-the-wind, excuse yourself, drive back and enter the
building, locate the server room, sit down in front of the machine and
have fun!!!!

Security always has holes -- always!!!

I think the point we've all managed to illustrate is that CF is not a
security risk in and of itself. CF, .NET, PHP... installations are all
just as easily left insecure by bad practices and with relatively
equivalent ease can be made just about equally secure.

--Ferg.


Thomas Chiverton wrote:

>On Friday 07 October 2005 15:08, Mark A Kruger wrote:
>
>>so you can even call him directly and ask him whatever you want to know
>>about his server ;-))
>
>He will, of course, be well trained in counter-social engineering and work for
>a company with well defined and enforced information security policies, and
>immediately demand to know who you are, where you got the number and when
>would be a good time to call back.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220356
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4