back home (France), Fleur is a chick first name, so I always thought you
were a girl as well.

taco means something in French too (and I'm not talking DnD) but I won't
translate it ;-)

Tof

On 5/11/07, Taco Fleur <[EMAIL PROTECTED]> wrote:
>
> Hi Adam,
>
> more than willing to share anything that is found.
>
> So far it's all bugs really.
>
> David was able to create an account that should allow only uploading of
> one ad that has an item price higher than $2 and also allows uploading of 50
> free items. He then went and posted his paid ad and free ads, then edited
> the free ads to have a higher item price than $2. In short, he was able to
> post more ads than he paid for.
>
> And the other bug was that he could upload as many $2 ads as he wanted
> because the code had <= 2 instead of < 2
>
> Nothing really shocking, even though they were not true hacks/cracks (as
> I'd hoped they'd be), I made the mistake of writing the instructions a
> little different for him, so I could not back out of paying up for it ;-)
>
> Lucas found that the CFAdmin was accessible, stupid me, still have the
> website on development. Could not let that one slip without paying for it
> either.
>
> In regards to security;
> - basically using cfqueryparam everywhere
> - stored procs
> - do not allow html in any of the text fields
> - perform regex over all input
> - do not allow numerical values higher than 2,147,483,647 or less than
> -2,147,483,648 as we know for sure that our database only works with INTEGER
> data type
> - check that a user owns the record he is editing or deleting
> - do not output any vars passed through the url, instead pass an integer
> and use a switch case
> stuff like that which everyone knows ;-)
>
> Still hoping someone comes along and is able to crack it with some fancy
> voodoo stuff like using hexadecimal values that I did not anticipate or
> something like that.
>
> PS. I am male and honestly don't care what jokes you crack about my name,
> at least I can say there is only one Taco Fleur in this world, I bet you
> can't say that about Andrew Scott....
>
> PPS. thanks Barry for your support, I have to say it was difficult to do
> and very scary, but yes we do want to make sure all bases are covered and
> the clients get what they pay for.
>
> On 5/11/07, Adam Chapman <[EMAIL PROTECTED]> wrote:
> >
> >
> > Hi Taco
> >
> > Wondering if you are willing to share what you've discovered so others
> > can better hack proof their apps..
> >
> > (when you've addressed those issues yourself of course ;) )
> >
> > Cheers,
> > Adam
> >
>
> >
>
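The two bugs Taco describes (the edit path not re-checking the paid-ad allowance, and the `<= 2` / `< 2` boundary) and the checks in his list (parameterised queries, INTEGER range validation, record ownership, an integer code switched on instead of echoing URL values) are straightforward to show in one place. The block below is an added example written for this page, not code from the thread or from Taco's site; it uses Python with sqlite3 placeholders as a stand-in for `cfqueryparam`, and the table layout, the $2 threshold, the "1 paid / 50 free" allowance and the account ids are constructed values chosen to match the numbers in the message.

```python
import sqlite3

# Range of the database INTEGER column, as stated in the thread.
INT32_MIN, INT32_MAX = -2_147_483_648, 2_147_483_647

# Constructed business rule: an ad priced above $2 is "paid", otherwise "free".
# Keeping the comparison in ONE place avoids the "<= 2 instead of < 2" mismatch.
PAID_THRESHOLD = 2.00

# Constructed message table: the URL carries an integer code, never the text itself.
MESSAGES = {1: "Ad posted.", 2: "Ad updated.", 3: "Not allowed."}


def parse_int32(value):
    """Accept only a base-10 integer that fits the database INTEGER type."""
    try:
        n = int(str(value).strip(), 10)
    except ValueError:
        raise ValueError("not an integer")
    if n < INT32_MIN or n > INT32_MAX:
        raise ValueError("out of INTEGER range")
    return n


def message_for(code_param):
    """Switch on an integer code from the URL instead of outputting the URL var."""
    try:
        code = parse_int32(code_param)
    except ValueError:
        return "Unknown action."
    return MESSAGES.get(code, "Unknown action.")


def setup():
    """Constructed schema: account 1 bought 1 paid ad + 50 free, account 2 is free only."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
                "paid_allowance INTEGER, free_allowance INTEGER)")
    con.execute("CREATE TABLE ads (id INTEGER PRIMARY KEY, account_id INTEGER, price REAL)")
    con.execute("INSERT INTO accounts VALUES (1, 1, 50)")
    con.execute("INSERT INTO accounts VALUES (2, 0, 50)")
    return con


def check_quota(con, account_id, price, exclude_ad_id=None):
    """True if the account may hold one more ad at this price.

    Called on create AND on edit, so re-pricing a free ad above the threshold
    is counted against the paid allowance (the hole described in the thread).
    All values go through '?' placeholders, the sqlite3 equivalent of cfqueryparam.
    """
    skip = exclude_ad_id if exclude_ad_id is not None else -1
    if price > PAID_THRESHOLD:
        count_sql = "SELECT COUNT(*) FROM ads WHERE account_id = ? AND price > ? AND id <> ?"
        allow_sql = "SELECT paid_allowance FROM accounts WHERE id = ?"
    else:
        count_sql = "SELECT COUNT(*) FROM ads WHERE account_id = ? AND price <= ? AND id <> ?"
        allow_sql = "SELECT free_allowance FROM accounts WHERE id = ?"
    existing = con.execute(count_sql, (account_id, PAID_THRESHOLD, skip)).fetchone()[0]
    allowance = con.execute(allow_sql, (account_id,)).fetchone()[0]
    return existing < allowance


def post_ad(con, account_id, price):
    """Create an ad; refuse when the relevant allowance is already used up."""
    if not check_quota(con, account_id, price):
        raise PermissionError("ad allowance exhausted")
    cur = con.execute("INSERT INTO ads (account_id, price) VALUES (?, ?)", (account_id, price))
    return cur.lastrowid


def edit_ad_price(con, user_id, ad_id, new_price):
    """Edit an ad: first prove the caller owns it, then re-run the quota check."""
    row = con.execute("SELECT account_id FROM ads WHERE id = ?", (ad_id,)).fetchone()
    if row is None or row[0] != user_id:
        raise PermissionError("not your record")
    if not check_quota(con, user_id, new_price, exclude_ad_id=ad_id):
        raise PermissionError("ad allowance exhausted")
    con.execute("UPDATE ads SET price = ? WHERE id = ?", (new_price, ad_id))
    return True
```

The point of `exclude_ad_id` is that an edit must count every other ad the account holds but not the one being changed, otherwise a legitimate re-pricing of the single paid ad would be refused; with that in place, David's trick of posting a free ad and then editing its price above $2 is rejected by the same function that guards the create path.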

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"cfaussie" group.
To post to this group, send email to cfaussie@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cfaussie?hl=en
-~----------~----~----~----~------~----~------~--~---