Of course there is no disrespect Charlie. I think we all need a big
group hug. ;-)
Dean H. Saxe, CISSP, CEH
d...@fullfrontalnerdity.com
"Great spirits have often encountered violent opposition from weak
minds."
--Einstein
On Mar 11, 2009, at 11:05 AM, Charlie Arehart wrote:
Well, you did specifically call it a "completely useless waste of
time": :-)
You are correct Charlie, it only puts the hidden field there to tell
the server how to validate it. A completely useless waste of time,
since those hidden fields are removed by anyone who wants to bypass
your validation.
I realize you were referring primarily to the server-side validation that CF implements by use of hidden fields. And I get that you find it unacceptable because it's easily removed.

My point, though, was that for many apps, even if that validation was removed, it wouldn't **open any security hole**.

Could Adobe do something more? Sure. Should they, to protect those for whom that risk opens a hole? Sure.

But does it really open a hole for everyone who uses it? I really don't think so. So I'm just saying it's not "a completely useless waste of time".

To extend your argument, if someone creates a form and doesn't think to do any validation, I'd question THAT wisdom. If they use CFINPUT and implement client and/or server-side validation, since it takes just a single attribute, I'd say "better than nothing".

Could they go still further? Sure. And until Adobe does make it easier, I agree with you guys that for many it would be worth it to find and implement another framework. But I think there are just as many for whom, given what their forms (and apps) do, it just may not be that critical.

All that said, I'm also not a fan of this server-side validation as Adobe has implemented it because it relies on presenting an error page, and the user must back up. In some browsers/situations, that can cause loss of the input. Again, I'm not saying that the CFINPUT server-side validation is perfect. Far from it. I'm just saying it's not really a "complete waste of time", at least not from this concern of it being removable. My point is that for many apps, even if it's removed, it doesn't open any security hole. It just causes errors that might otherwise have been avoided. Isn't that better than doing nothing (even if it's not as good as doing much more)? :-)
Thanks for your kind regards, Dean, and you know this is all done in a
spirit of collegial debate. No disrespect intended at all.
/charlie
-----Original Message-----
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H.
Saxe
Sent: Tuesday, March 10, 2009 4:54 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] over-stating security concerns? (was RE:
ValidateAt parameter is effectively only client side )
Charlie,
I never said it's a waste of time. I probably said it's a waste of time if there is no valid server-side code to back it up. And by that I mean server-side code that cannot be manipulated by the client, as you have with CFInput.

Here's the reality: the average coder writes some seriously craptacular code. From a security perspective, it's even worse. Should every developer be a security guru? No. Should every developer know and follow some best practices? Absolutely. Whether it's security or general design, every developer should be aware of industry best practices and attempt to follow them. They won't get it right every time, but if they do get it right 90% of the time we're a long way toward solving some of the problems that plague us.

When writing it correctly takes marginally longer than writing it incorrectly AND over the course of a project's lifetime saves time/money by doing it correctly the first time, is there any reason NOT to do it correctly? To put it another way, if a developer told you he didn't want to bother to learn a framework because it would cost him a week's time today, would you trust that he has sound judgement to think about the full lifecycle of a project? I can save a week today! (But it cost me many times that in the future because we had a mess of spaghetti code...) I think the argument is the same.

Finally, many attacks are fully automated and looking for easy targets. This just makes an easy target which, in turn, serves as a launching point for other attacks.
I respect your opinion Charlie... even when you're wrong. ;-)
-dhs
Dean H. Saxe, CISSP, CEH
d...@fullfrontalnerdity.com
"Free speech exercised both individually and through a free press, is
a necessity in any country where people are themselves free."
-- Theodore Roosevelt, 1918
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
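The point both sides of the thread agree on is the mechanism: CFINPUT's server-side validation is driven by hidden fields the browser sends back, so a client that strips those fields is never validated. The Python sketch below is an added example, not code from the thread or from ColdFusion, that simulates the two styles side by side: one validator that takes its rules from "<field>_required" entries in the posted body (a naming convention assumed here for illustration, not the exact markup CFINPUT emits), and one that validates against rules fixed in server code. The two request bodies are constructed; the second is what a tampering client would send after deleting the hidden fields.

```python
"""Simulation of the two validation styles debated in the thread.

Constructed example: the request bodies below are made up, and the
"<field>_required" hidden-field convention is an assumption modelled on
the thread's description, not the exact markup ColdFusion's CFINPUT emits.
"""
import re
from urllib.parse import parse_qs

# Rules that live only in server code; nothing the client sends can alter them.
SERVER_RULES = {
    "email": {"required": True, "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")},
    "qty": {"required": True, "integer": True, "min": 1, "max": 100},
}


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_from_hidden_fields(body):
    """Validation driven by metadata the browser sent (the bypassable style).

    Every "<field>_required" entry in the body instructs the server to check
    that <field> is non-empty. Strip those entries and no rule is applied.
    """
    form = parse_form(body)
    errors = []
    for name, message in form.items():
        if name.endswith("_required"):
            target = name[: -len("_required")]
            if not form.get(target, "").strip():
                errors.append(message or f"{target} is required")
    return errors


def validate_server_side(body):
    """Validation against rules fixed in server code; client hints are ignored."""
    form = parse_form(body)
    errors = []
    for field, rule in SERVER_RULES.items():
        value = form.get(field, "").strip()
        if rule.get("required") and not value:
            errors.append(f"{field} is required")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{field} is not well formed")
        if rule.get("integer"):
            try:
                n = int(value)
            except ValueError:
                errors.append(f"{field} must be an integer")
                continue
            if not rule["min"] <= n <= rule["max"]:
                errors.append(f"{field} must be between {rule['min']} and {rule['max']}")
    return errors


# Constructed sample submissions (not captured traffic).
# 1. What a compliant browser posts: the hidden fields are present.
BROWSER_POST = "email=&email_required=Email+is+required&qty=5&qty_required=Qty+is+required"
# 2. What a tampering client posts after deleting the hidden fields.
TAMPERED_POST = "email=not-an-address&qty=-1"


def compare(body):
    """Run both validators on one body; returns (hidden_field_errors, server_errors)."""
    return validate_from_hidden_fields(body), validate_server_side(body)


if __name__ == "__main__":
    for label, body in (("browser", BROWSER_POST), ("tampered", TAMPERED_POST)):
        hidden, server = compare(body)
        print(f"{label:9s} hidden-field validator: {hidden or 'accepted'}")
        print(f"{label:9s} server-side validator:  {server or 'accepted'}")
```

On the browser submission both validators reject the empty email, which is the "better than nothing" case Charlie describes. On the tampered submission the hidden-field validator accepts a malformed address and a negative quantity without complaint, while the server-side validator still rejects both, which is the bypass Dean is pointing at. Whether that bypass is a security hole depends on what the application does with the unvalidated values afterwards, which is exactly the disagreement in the thread.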