RE: Hacking Client Variables?

2003-03-10 Thread Ben Koshy
Depending on how your application works, someone could go CFID/CFTOKEN
searching trying to find a still active session and try to hijack that
session.  I've seen it done by accident.  Moving your client variables
to a 36bit UUID helps with this and what I've done is created a
timeout variable just in the case the user doesn't log out (and the
client variable leaves him logged in) I note the date/time of his last
visit and if it's greater than 15 minutes of no activity (or whatever
acceptable value for you) it clears the variables and requests
re-authentication.

-Original Message-
From: Ben Schwemlein [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 09, 2003 8:45 PM
To: CF-Talk
Subject: Hacking Client Variables?


Can anyone suggest a way to hack a query that has WHERE userid =
'#CLIENT.userid#' in CF 5 and/or MX?   Another developer has an
application that has sensitive customer information that is encrypted
at the database level, but not at the ColdFusion level.   I think this
is not secure, but I want some evidence before I make an objection.
Any suggestions would help.

Our client variables are contained in the Database, and the client IDs
are sequential.  If there is some way to externally hack and set the
client variable, then a Hacker could get all customer info.

Thanks,

Ben
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
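Ben Koshy's idle-timeout advice above, as an added Application.cfm example that is not code from either poster; it assumes client variables live in a datasource named "clientdb", that login.cfm sets CLIENT.userid on success, and that the page names in the redirect guard are the application's own.

```cfml
<!--- Application.cfm (added example, not the original posters' code).
      Assumed: client variables stored in the "clientdb" datasource,
      login.cfm sets CLIENT.userid after a successful login. --->
<cfapplication name="customerApp"
               clientmanagement="Yes"
               clientstorage="clientdb"
               setclientcookies="Yes">

<!--- The guessable-ID half of the advice is an Administrator setting
      ("Use UUID for cftoken"), not code; this file covers the idle timeout. --->
<cfset idleMinutes = 15>

<!--- Pages that must stay reachable without a login, to avoid a redirect loop --->
<cfset publicPages = "login.cfm,logout.cfm">
<cfset thisPage = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif IsDefined("CLIENT.userid") AND NOT ListFindNoCase(publicPages, thisPage)>
    <!--- Our own timestamp; the built-in CLIENT.LastVisit is maintained by CF --->
    <cfif IsDefined("CLIENT.lastActivity")
          AND DateDiff("n", CLIENT.lastActivity, Now()) GT idleMinutes>
        <!--- Stale login: drop the identity-bearing client variables so the
              stored row no longer maps a CFID/CFTOKEN to a user --->
        <cfset deleted = DeleteClientVariable("userid")>
        <cfset deleted = DeleteClientVariable("lastActivity")>
        <cflocation url="login.cfm?reason=timeout" addtoken="No">
    </cfif>
    <!--- Active request: refresh the activity timestamp --->
    <cfset CLIENT.lastActivity = Now()>
</cfif>
```

Because the check runs on every request, a user who walks away stays logged in for at most idleMinutes after their last click, even though the client variable itself never expires on its own.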



Re: Hacking Client Variables?

2003-03-09 Thread Justin Scott
If your client variables are being stored on the database, then there is no
way someone could modify the value, unless they had access to your database
server (in which case you have bigger problems).  The only interaction the
user would have in this case are the CFID and CFTOKEN cookie or URL
parameters, which simply act as a mapping for CF to know which
client/session vars to use for their requests.

-Justin Scott



- Original Message -
From: Ben Schwemlein [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Sunday, March 09, 2003 11:44 PM
Subject: Hacking Client Variables?


Can anyone suggest a way to hack a query that has “WHERE userid =
‘#CLIENT.userid#’” in CF 5 and/or MX?   Another developer has an
application that has sensitive customer information that is encrypted
at the database level, but not at the ColdFusion level.   I think this
is not secure, but I want some evidence before I make an objection.
Any suggestions would help.

Our client variables are contained in the Database, and the client IDs
are sequential.  If there is some way to externally hack and set the
client variable, then a Hacker could get all customer info.

Thanks,

Ben