>The database itself is sensitive enough that the owner does not want the
>userid and password put into the ColdFusion admin area either...

I'm curious, why do you consider the ColdFusion admin area insecure? Is
there a way the password can be discovered once it's put there?

thanks,
Scott

-----Original Message-----
From: Larry W. Virden [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 02, 2000 4:41 AM
To: CF-Talk
Subject: Paranoid programming...


Okay - bear with me here folk!

Imagine one has a database (for example Oracle) which requires a user id
and password to access.  Now, imagine writing an application to let Joe
User look up and insert info into this table.  HOWEVER, we do not
want to generally publish the user id and password; we want the ColdFusion
app as the 'gateway' into the table.

So far, so good.

However, because of the gateway issue, hard coding the userid and password
into the cfm files is out - the cfm files are in general accessible by
someone browsing the directories.

The database itself is sensitive enough that the owner does not want the
userid and password put into the ColdFusion admin area either...

If you had to write an app where the database userid and password:
        could not be hard coded,
        could not be put into the admin area,
        could not be entered via prompting
what approach would you use?  Putting it into a file - encrypted or not -
doesn't work; the files are readable and so someone could just copy them
and build their own 'pseudo' app that accesses the data, right?

Looking for 'outside the box' possible solutions.

If it helps, the platform for the server is SPARC Solaris.
-- 
Never apply a Star Trek solution to a Babylon 5 problem.
Larry W. Virden <mailto:[EMAIL PROTECTED]> <URL:
http://www.purl.org/NET/lvirden/>
Even if explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.
-><-
--------------------------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a
message with 'unsubscribe' in the body to [EMAIL PROTECTED]
