Hi Adam,

more than willing to share anything that is found.

So far it's all bugs really.

David was able to create an account that should allow only uploading of one
ad that has an item price higher than $2 and also allows uploading of 50
free items. He then went and posted his paid ad and free ads, then edited
the free ads to have a higher item price than $2. In short, he was able to
post more ads than he paid for.

And the other bug was that he could upload as many $2 ads as he wanted
because the code had <= 2 instead of < 2.

Nothing really shocking. Even though they were not true hacks/cracks (as I'd
hoped they'd be), I made the mistake of writing the instructions a little
differently for him, so I could not back out of paying up for it ;-)

Lucas found that the CFAdmin was accessible; stupid me, I still have the
website in development. Could not let that one slip without paying for it
either.

In regards to security:
- basically using cfqueryparam everywhere
- stored procs
- do not allow HTML in any of the text fields
- perform regex over all input
- do not allow numerical values higher than 2,147,483,647 or less than
-2,147,483,648, as we know for sure that our database only works with the INTEGER
data type
- check that a user owns the record he is editing or deleting
- do not output any vars passed through the URL; instead pass an integer and
use a switch case
Stuff like that, which everyone knows ;-)

Still hoping someone comes along and is able to crack it with some fancy
voodoo stuff like using hexadecimal values that I did not anticipate or
something like that.

PS. I am male and honestly don't care what jokes you crack about my name, at
least I can say there is only one Taco Fleur in this world, I bet you can't
say that about Andrew Scott....

PPS. thanks Barry for your support, I have to say it was difficult to do and
very scary, but yes we do want to make sure all bases are covered and the
clients get what they pay for.

On 5/11/07, Adam Chapman <[EMAIL PROTECTED]> wrote:
>
>
> Hi Taco
>
> Wondering if you are willing to share what you've discovered so others can
> better hack proof their apps..
>
> (when you've addressed those issues yourself of course ;) )
>
> Cheers,
> Adam
>

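The quota bypass described above (quota checked on post but not on edit, plus a boundary rule that differed between checks) modelled as a server-side check, as an added example that is not Taco's CFML or any code from the thread. The account figures (one paid ad above $2, fifty free ads) are taken from the message; the data model, function names and the $2.00 cutoff constant are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed figures from the thread: one paid ad (item price above $2) and
# fifty free ads. One shared cutoff keeps create and edit from disagreeing.
PAID_THRESHOLD = 2.00

@dataclass
class Ad:
    ad_id: int
    owner: str
    price: float

@dataclass
class Account:
    name: str
    paid_quota: int = 1
    free_quota: int = 50
    ads: dict = field(default_factory=dict)

def is_paid(price: float) -> bool:
    """Single classifier: strictly above $2 is paid, $2.00 itself is free."""
    return price > PAID_THRESHOLD

def within_quota(acct: Account, price: float, exclude_id=None) -> bool:
    """Would an ad at `price` fit its tier's quota? `exclude_id` leaves out
    the ad being edited so its old price is not double counted."""
    paid = is_paid(price)
    used = sum(1 for a in acct.ads.values()
               if a.ad_id != exclude_id and is_paid(a.price) == paid)
    limit = acct.paid_quota if paid else acct.free_quota
    return used < limit

def post_ad(acct: Account, ad_id: int, price: float) -> Ad:
    if not within_quota(acct, price):
        raise PermissionError("quota exceeded for this tier")
    acct.ads[ad_id] = Ad(ad_id, acct.name, price)
    return acct.ads[ad_id]

def edit_ad(acct: Account, user: str, ad_id: int, new_price: float) -> Ad:
    ad = acct.ads.get(ad_id)
    # Ownership check from the list: the editing user must own the record.
    if ad is None or ad.owner != user:
        raise PermissionError("record does not belong to this user")
    # The bug in the thread: quota was enforced only on post. Re-check on
    # edit as well, treating the edit as a fresh post at the new price.
    if not within_quota(acct, new_price, exclude_id=ad_id):
        raise PermissionError("edit would exceed quota for the new tier")
    ad.price = new_price
    return ad
```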
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"cfaussie" group.
To post to this group, send email to cfaussie@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cfaussie?hl=en
-~----------~----~----~----~------~----~------~--~---