> > I haven't done ColdFusion since CF4, however recently have been
> > tasked to look at a CF7MX application that has 3 security
> > issues they are looking to fix.
> >
> > 1. Cross Site Scripting - I believe I have this one figured out
> > using the Admin Panel's "Enable global script protection"
> > 2. Format String Injection
> > 3. Parameter Based Buffer Overflow
> >
> > I have been able to find generalized information on the other two
> > issues, but nothing as it relates to CF itself. Will the "Enable
> > global script protection" fix these other two as well or should I be
> > looking elsewhere? Everything I am finding has to do with SQL
> > injection and not Format String Injection, and I'm finding nothing
> > on Parameter Based Buffer Overflow.
> 
> First, no, enabling global script protection will not fix all three
> issues. In fact, it's not guaranteed to fix XSS issues; although it
> may block many XSS attacks, it doesn't prevent XSS attacks generally,
> it just filters data for known XSS attack strings.
> 
> XSS attacks occur when an attacker can send client-side executable
> code (typically JavaScript, but it could be anything else that an HTML
> page can tell a local computer to do) to your server, and your server
> stores that and later delivers it to other users. The attack isn't
> really targeting the server specifically, but rather those other
> users.
> 
> The other two things are attacks on your server, and are basically
> similar to SQL injection: the attacker sends a value that your code
> takes and passes directly to a function. XSS filtering has nothing to
> do with them. For example, let's say you have a line of code like
> this:
> 
> <cfinclude template="#form.nextpage#.cfm">
> 
> An attacker could inject a value there, because you're taking data
> directly from the browser and using it to do something. Now, that
> specific attack wouldn't be very helpful to an attacker in most cases,
> but it shows you what I mean, I guess.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
> 
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.


And using the cfparam tags will help stop these types of attacks?

Is there a good ColdFusion security primer online about these kinds of things
somewhere?

By the way Figleaf is where I took my ColdFusion training way back when CF3 was 
the latest and greatest.

Jamie 
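Dave's `cfinclude` line quoted above, reworked as an added example (not code from the thread) so that the include target stays under the application's control: the browser supplies only a short key, and the file name comes from a server-side allowlist. The page names, the log file name and the `cgi.remote_addr` logging are assumptions.

```cfml
<!--- Added example (not from the thread). Page names and log file are assumptions. --->

<!--- Vulnerable form quoted above: the browser picks which file is included --->
<!--- <cfinclude template="#form.nextpage#.cfm"> --->

<!--- Server-side allowlist: map a short key to a fixed template path --->
<cfset allowedPages = structNew()>
<cfset allowedPages["home"] = "home.cfm">
<cfset allowedPages["about"] = "about.cfm">
<cfset allowedPages["contact"] = "contact.cfm">

<!--- cfparam alone only supplies a default and a type; it does not restrict the value --->
<cfparam name="form.nextpage" default="home" type="string">

<cfif structKeyExists(allowedPages, form.nextpage)>
    <!--- The include path is taken from the allowlist, never from the request --->
    <cfinclude template="#allowedPages[form.nextpage]#">
<cfelse>
    <!--- Anything not in the list is rejected and recorded for review --->
    <cflog file="appsecurity" type="warning"
           text="Rejected include target from #cgi.remote_addr#: #form.nextpage#">
    <cfinclude template="home.cfm">
</cfif>
```

The same allowlist pattern applies to any request value that ends up in a file path, a function argument or a command: validate against what the application expects rather than filtering for known-bad strings.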

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353209