Hi.  I am evaluating the security of my application as regards malicious
attack via manipulation of the Cookie, URL, or Form variables.  I know about
the business with submission of unauthorized SQL statements, and have
already screened for it.  But then there is the issue of unauthorized script
insertion.  For example, if a form asks for a value (FormVar) and the action
page displays that value (<CFOUTPUT>#Form.FormVar#</CFOUTPUT>), the educated
user can submit things other than those intended, causing interesting
results.  If they enter <font color="red">Check this out!</font>, the next
page will display Check this out! in red letters.  I have also successfully
passed JavaScript like this.  Going on my basic (and hopefully correct)
assumption that JavaScript is set up so that it cannot (a) harm the user's
machine or (b) harm the server, I am not going to worry about this, since
the worst a user will do is pass themselves a JavaScript routine that
produces an error.
 
That is fine for client-side scripting, but I am worried about server-side
scripting.  Submission of ColdFusion code through these variables shouldn't
matter, since it won't appear in the template until after ColdFusion
processing has occurred, meaning that the inserted code itself will not be
processed.  Are there any other scripting languages, though, that would be
evaluated on the server side AFTER the CFAS processes the template?
 
Thanks,
Matthieu
______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
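The reflected output the post describes, beside an encoded version of the same line, as an added example that is not part of the original message. It assumes an action page that receives Form.FormVar from a posted form; HTMLEditFormat() is the entity-encoding function available in ColdFusion releases of that era.

```cfml
<!--- Added example (not from the original post): the reflected output
      described above, beside an encoded version. Assumes the action page
      receives Form.FormVar from a posted form. --->
<cfparam name="Form.FormVar" default="">

<!--- Reflects the submitted value verbatim, so any markup or script in
      it is parsed by the browser as part of the page. --->
<cfoutput>
  <p>You entered: #Form.FormVar#</p>
</cfoutput>

<!--- HTMLEditFormat() converts < > & " to entities, so the same
      submission renders as literal text instead of being interpreted.
      (On ColdFusion 10 and later, encodeForHTML() is the preferred
      replacement.) --->
<cfoutput>
  <p>You entered: #HTMLEditFormat(Form.FormVar)#</p>
</cfoutput>
```

Submitting the `<font color="red">Check this out!</font>` value from the post to the first block renders the text in red; the second block shows the tags themselves as visible text on the page.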