Re: XSS - Cross Site Scripting
On 3/6/07, Robertson-Ravo, Neil (RX) [EMAIL PROTECTED] wrote:
> Couldn't you provide the functionality of adding a google search box in the CMS. That way you control how it is added/displayed etc?

I think you're working very hard to preserve a textbook definition of what you think the client's software should be. The owner of that software may well disagree with your definition. They even may know what they need and how to safeguard themselves in ways that have nothing to do with ossifying their software.

Listen to the client's needs and define your parameters based on those needs. Don't put blinders and earmuffs on.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271839
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: XSS - Cross Site Scripting
On Tuesday 06 Mar 2007, Mik Muller wrote:
> will allow any access unless the referer is the same domain and of the paired edit/add page (with a few exceptions), ie; page_edit.cfm and page_edit_action.cfm (gotta love lists... my favorite thing). I did this

Without realising that some people don't send the Referer: header ever? Sometimes for reasons beyond their control.

--
Tom Chiverton
Helping to greatly foster viral relationships
On: http://thefalken.livejournal.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271842
RE: XSS - Cross Site Scripting
If you're using MX7 they have a setting called scriptProtect that can be set in both app.cfm and app.cfc to protect an individual scope or ALL. That should do the job to a certain extent.

Rob

-----Original Message-----
From: Mik Muller [mailto:[EMAIL PROTECTED]
Sent: 06 March 2007 16:44
To: CF-Talk
Subject: XSS - Cross Site Scripting

I'm on another list and heard the term XSS for the first time (honestly, I don't know where I've been for the past four years).

http://en.wikipedia.org/wiki/Cross_site_scripting

I've been using StripHTML() for a very long time in my message board SQL inserts, and only an hour ago learned of HTMLEditFormat() for the output.

I've also recently put in code so that *NO* _action.cfm page on my site will allow any access unless the referer is the same domain and of the paired edit/add page (with a few exceptions), ie; page_edit.cfm and page_edit_action.cfm (gotta love lists... my favorite thing). I did this after looking in my logs and saw that there is a server in Amsterdam that has been periodically trying to create users on several of my sites since September, about three times a day, once per week. (The users they try to create, btw, are set up to advertise sex toy shops in Russia and Amsterdam! :-) Everything is related.)

So my question is... what do other people on this list do to mitigate XSS attacks? If this is becoming a real problem we may want to share as many techniques as we can to ensure that CF sites have a reputation as being as hack-proof as possible. Another selling point.

Mik

Michael Muller
Admin, MontagueMA.net
Website work (413) 863-0030
cell (413) 320-5336
skype: michaelBmuller
http://www.MontagueMA.net

Eschew Obfuscation

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271733
Re: XSS - Cross Site Scripting
The built-in script protection has a Secunia vulnerability posted against it stating there is a method to circumvent it. You can find it here:

http://secunia.com/advisories/23281/

Simply checking the domain submitting is the referral etc. is not always foolproof, as we've found individuals on certain proxies get bounced every time as performing invalid actions when they were not.

The solution we came up with was salting a hash based on certain key pieces of information that come from the (authenticated) user with some randomization added, and putting that as a hidden in all forms. If the hash doesn't match up we bounce em before the form processing occurs.

- dk

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271745
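The hidden-field token dk describes, and the reason it sidesteps Tom Chiverton's Referer caveat earlier in the thread, as an added example (not code from the thread or from ColdFusion): a keyed hash over the authenticated user, their session, the form name and a random nonce is issued with the form and recomputed on the action page before any processing. The field name `_token`, the `|`-joined message layout, the one-hour lifetime and the secret are assumptions for this example.

```python
"""Per-user signed form token, checked before the action page does any work.

Unlike a Referer check, nothing here depends on headers the client may
strip, so users behind privacy proxies are not bounced for valid posts.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed value for this example; load from configuration in practice.
SERVER_SECRET = b"replace-with-a-long-random-secret"
TOKEN_TTL_SECONDS = 3600  # assumed lifetime of an issued form


def _mac(user_id: str, session_id: str, form_name: str, nonce: str, issued: int) -> str:
    # Everything the token is bound to is mixed into one keyed hash.
    msg = "|".join([user_id, session_id, form_name, nonce, str(issued)]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id: str, session_id: str, form_name: str,
                now: Optional[int] = None) -> str:
    """Value to place in the form's hidden field when the edit page is rendered."""
    issued = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)  # the 'randomization' dk mentions
    return f"{nonce}:{issued}:{_mac(user_id, session_id, form_name, nonce, issued)}"


def verify_token(token: str, user_id: str, session_id: str, form_name: str,
                 now: Optional[int] = None) -> bool:
    """True only if the token was issued for this user, session and form and is unexpired."""
    try:
        nonce, issued_s, mac = token.split(":")
        issued = int(issued_s)
    except ValueError:
        return False  # missing or malformed field: treat as a bad token
    current = int(time.time()) if now is None else now
    if current - issued > TOKEN_TTL_SECONDS or issued > current:
        return False
    expected = _mac(user_id, session_id, form_name, nonce, issued)
    # Constant-time comparison so the check does not leak through timing.
    return hmac.compare_digest(expected, mac)


def handle_action(form: dict, user_id: str, session_id: str, form_name: str) -> str:
    """Stands in for page_edit_action.cfm: bounce before any processing if the token is bad."""
    if not verify_token(form.get("_token", ""), user_id, session_id, form_name):
        return "bounced"
    return "processed"


if __name__ == "__main__":
    tok = issue_token("alice", "sess-1", "page_edit")
    print(handle_action({"_token": tok, "title": "x"}, "alice", "sess-1", "page_edit"))
    # A blind automated post carrying no token is bounced whatever its Referer says.
    print(handle_action({"title": "x"}, "alice", "sess-1", "page_edit"))
```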
Re: XSS - Cross Site Scripting
An old tried and true defense component is cfqueryparam. Search for xss and cross-site scripting and you should find a wealth of information going back years on the subject.

The CF7 admin-level defense is, I have to say, not something I have any comfort level with. So far it's gotten itself shut off for being too draconian. CMS users needing to input javascript into their web pages were denied and that was the end of that.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271782
Re: XSS - Cross Site Scripting
CMS users adding JS?! Tut tut :-)

-----Original Message-----
From: Matt Robertson
To: CF-Talk
Sent: Tue Mar 06 21:54:51 2007
Subject: Re: XSS - Cross Site Scripting

> The CF7 admin-level defense is, I have to say, not something I have any comfort level with. So far it's gotten itself shut off for being too draconian. CMS users needing to input javascript into their web pages were denied and that was the end of that.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271784
Re: XSS - Cross Site Scripting
On 3/6/07, Robertson-Ravo, Neil (RX) [EMAIL PROTECTED] wrote:
> CMS users adding JS?! Tut tut :-)

Explain successfully to the client why they can't do the work they want, and they shouldn't want it, and you can tut all you like. I'll even let a 'harumph' slide :D

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271785
Re: XSS - Cross Site Scripting
Lol, just say oi, no!

-----Original Message-----
From: Matt Robertson
To: CF-Talk
Sent: Tue Mar 06 22:16:37 2007
Subject: Re: XSS - Cross Site Scripting

> Explain successfully to the client why they can't do the work they want, and they shouldn't want it, and you can tut all you like. I'll even let a 'harumph' slide :D

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271786
Re: XSS - Cross Site Scripting
> An old tried and true defense component is cfqueryparam.

For XSS? How does that do anything? It will prevent SQL injection, but that's a totally different attack.

> The CF7 admin-level defense is, I have to say, not something I have any comfort level with. So far it's gotten itself shut off for being too draconian. CMS users needing to input javascript into their web pages were denied and that was the end of that.

There are easy ways around that. First, you can set the script-protect in your application to not include form variables. That will at least protect you against URL, cookie and CGI-based XSS to some extent. But a better approach would be to have them input the javascript in the forms using a different format for the javascript tag that you then search-and-replace on in your action form. For instance use a [script] instead. Assuming these are pages that only admin users have, that will allow them to input what they need without opening the public area of the site up to XSS attacks.

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271788
RE: XSS - Cross Site Scripting
> An old tried and true defense component is cfqueryparam. Search for xss and cross-site scripting and you should find a wealth of information going back years on the subject.

I'm sure you're already aware of this, but as helpful as CFQUERYPARAM is, it will not do anything to prevent XSS exploits.

> The CF7 admin-level defense is, I have to say, not something I have any comfort level with. So far it's gotten itself shut off for being too draconian. CMS users needing to input javascript into their web pages were denied and that was the end of that.

Far from being too draconian, it's too lenient! It basically just looks for four or five words commonly used in XSS attacks, and strips them from input. That is not sufficient for any meaningful protection.

And, if you're going to allow users to provide arbitrary JavaScript, there is nothing you can do with your inputs to prevent XSS exploits. You can only control what you display, in that case - and if you're letting people enter JavaScript intentionally, you are almost certainly letting people view content with said JavaScript. Unless you're vetting every JavaScript call to ensure its safety, your system is totally open to XSS exploits.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271789
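Mary Jo's pseudo-tag idea and Dave Watts' point that the real control is what you display, combined in one added example (not code from the thread, from ColdFusion or from any CMS named here): every body is HTML-escaped at output (the HTMLEditFormat() step), and only content saved by an admin has `[script]...[/script]` turned back into a real script element. The pseudo-tag syntax, the `Content` record and the two roles are assumptions for this example.

```python
"""Output-side handling of CMS content: escape everything, re-materialise
pseudo-script blocks only for admin-authored content.

Escaping at output is not a word list, so it does not depend on guessing
what a submitter will type; the admin path is an explicit policy
exception, which is exactly the risk Dave Watts describes.
"""
import html
import re
from dataclasses import dataclass

# Assumed pseudo-tag syntax: editors type [script]...[/script] in the CMS.
_PSEUDO_SCRIPT = re.compile(r"\[script\](.*?)\[/script\]", re.DOTALL | re.IGNORECASE)


@dataclass
class Content:
    body: str
    author_role: str  # constructed roles for this example: "admin" or "public"


def render(content: Content) -> str:
    """Return the HTML fragment to emit for a stored body."""
    if content.author_role != "admin":
        # Untrusted input: the whole body, pseudo-tags included, is escaped and
        # therefore shows up as literal text in the browser.
        return html.escape(content.body, quote=True)

    # Admin content: escape the prose between pseudo-tags and emit the script
    # bodies verbatim. Only authenticated admins reach this branch; nothing
    # in the public submission path can produce a live <script>.
    out = []
    pos = 0
    for m in _PSEUDO_SCRIPT.finditer(content.body):
        out.append(html.escape(content.body[pos:m.start()], quote=True))
        out.append("<script>" + m.group(1) + "</script>")
        pos = m.end()
    out.append(html.escape(content.body[pos:], quote=True))
    return "".join(out)


def has_live_script(rendered: str) -> bool:
    """Audit hook: does the emitted HTML contain a real script element?"""
    return "<script>" in rendered


if __name__ == "__main__":
    # Constructed sample bodies.
    public = Content("Hello & welcome [script]track('home')[/script]", "public")
    admin = Content("Hello & welcome [script]track('home')[/script]", "admin")
    print(render(public))  # pseudo-tags stay inert text
    print(render(admin))   # pseudo-tags become a real script element
```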
Re: XSS - Cross Site Scripting
On 3/6/07, Mary Jo Sminkey [EMAIL PROTECTED] wrote:
> For XSS? How does that do anything? It will prevent SQL injection, but that's a totally different attack.

memo to me. pay attention

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271790
RE: XSS - Cross Site Scripting
> Explain successfully to the client why they can't do the work they want, and they shouldn't want it, and you can tut all you like. I'll even let a 'harumph' slide :D

That is part of your job as a developer, unfortunately. If you make them aware of the (very serious) risks resulting from their choices, and they choose to do so anyway, you should make sure that they indemnify you from any unfortunate results.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271791
Re: XSS - Cross Site Scripting
On 3/6/07, Dave Watts [EMAIL PROTECTED] wrote:
> And, if you're going to allow users to provide arbitrary JavaScript,

It's what the client demanded and based on their needs it was a justifiable request.

By 'draconian' I meant that the protection is applied to all form inputs, regardless of user authentication or anything else you as a developer want to throw into the mix. Throwing a complete blanket over everything without regard to allowing individual exceptions is where I have a problem. By all means protect yourself from XSS, but I disagree with a system that doesn't allow you to bypass the rules as a developer if there's a good reason to do so.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271792
Re: XSS - Cross Site Scripting
Surely there can be no real justification for them to do JS which you do not provide as a developer?

-----Original Message-----
From: Matt Robertson
To: CF-Talk
Sent: Tue Mar 06 22:45:44 2007
Subject: Re: XSS - Cross Site Scripting

> It's what the client demanded and based on their needs it was a justifiable request.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271794
Re: XSS - Cross Site Scripting
> memo to me. pay attention

LOL...of course I *never* make the mistake of answering the wrong question. ;-)

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271795
Re: XSS - Cross Site Scripting
On 3/6/07, Dave Watts [EMAIL PROTECTED] wrote:
> That is part of your job as a developer,

It is my job to make them aware of the risks. Not to tell them what their job should and should not be. In this case the job was to input javascript into a web page that was a part of their existing CMS. The only way to get that job done was to shut off CF's scriptProtect.

Sure. Inputting js into a web page is inherently dangerous. So is driving an automobile. That doesn't mean you can't go out for a drive. Nor does it mean you should try to convince others that they should not drive. It does of course mean the driver should be trained, the automobile in good working order and the act of driving be undertaken safely. By following sensible rules an inherently dangerous and potentially deadly act can become an integral part of everyday life with an acceptable level of safety and comfort.

The same goes for inputting js into a web page. Don't let just anybody do it. Don't auth people to do it without proper training and comfort level with the individual. Put safeguards in place for recovery. Control everything that isn't opened up for this input. Put in audit controls and so on and so on.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271796
Re: XSS - Cross Site Scripting
> Surely there can be no real justification for them to do JS which you do not provide as a developer?

In a CMS there certainly may be. I've run into similar issues with CFWebstore where customers often want to input some kind of custom script in some pages (Bizrate popup during checkout for instance). The pseudo-tag method works fine in these cases though as a way to get around the scriptprotect limitations. It certainly would be nice if you could override the settings on a page-by-page basis though.

I'd love to hear some more ideas on what people are doing other than relying on ScriptProtect. Not all of my users are even on CF7, even if it did do the trick.

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271797
RE: XSS - Cross Site Scripting
> It is my job to make them aware of the risks. Not to tell them what their job should and should not be.

Perhaps you should reread your question, and my response.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271798
Re: XSS - Cross Site Scripting
Isn't that the whole point of a CMS? It should negate the need for users to code

-----Original Message-----
From: Mary Jo Sminkey
To: CF-Talk
Sent: Tue Mar 06 21:56:07 2007
Subject: Re: XSS - Cross Site Scripting

> In a CMS there certainly may be. I've run into similar issues with CFWebstore where customers often want to input some kind of custom script in some pages (Bizrate popup during checkout for instance).

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271799
Re: XSS - Cross Site Scripting
On 3/6/07, Robertson-Ravo, Neil (RX) [EMAIL PROTECTED] wrote:
> Surely there can be no real justification for them to do JS which you do not provide as a developer?

Well, the web page they are maintaining is kept inside of a cms, and the site owner's staff needs to input little bits of js into the web pages to provide telltales for exterior systems. They expect to do this entirely for themselves. The CMS is in place specifically to eliminate the developer from the job picture. If the words javascript weren't involved it would be mind-numbingly dreary, day-to-day work. It's not developer-level work.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271803
Re: XSS - Cross Site Scripting
Then surely the CMS isn't doing its job? They are coding when the CMS should be managing the work? I can see your stance but the fact they are now coding ad-hoc (and no doubt the JS will not be checked) they could wreak havoc either deliberate or otherwise.

More to the point... Telltales?

-----Original Message-----
From: Matt Robertson
To: CF-Talk
Sent: Tue Mar 06 23:46:20 2007
Subject: Re: XSS - Cross Site Scripting

> Well, the web page they are maintaining is kept inside of a cms, and the site owner's staff needs to input little bits of js into the web pages to provide telltales for exterior systems. They expect to do this entirely for themselves.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271804
Re: XSS - Cross Site Scripting
On 3/6/07, Robertson-Ravo, Neil (RX) [EMAIL PROTECTED] wrote:
> Isn't that the whole point of a CMS? It should negate the need for users to code

I would answer that a lot of things should be in this world but reality doesn't always conform to the textbook definition. In the real world people want to use javascript inside some of their CMS systems. Mary Jo's example is an excellent one. Putting in a Google search box would be one I've been hit with personally. Telling the customer you can't do that because it violates the premise upon which the system is based is just not going to fly.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271806
Re: XSS - Cross Site Scripting
On 3/6/07, Robertson-Ravo, Neil (RX) [EMAIL PROTECTED] wrote:
> Then surely the CMS isn't doing its job? They are coding when the CMS should be managing the work?

ONLY if you rigidly define the CMS' job by your definition. What if the customer -- who owns the system, after all, and is paying you to achieve *their* desired results -- doesn't see it your way?

> I can see your stance but the fact they are now coding ad-hoc (and no doubt the JS will not be checked) they could wreak havoc either deliberate or otherwise.

There is actually a team review feature that allows one or more designated individuals to sign off on the proposed published work. Although I'll say right off that the client is self-approving the work.

Yes the system could be abused. Just as the automobile could be rammed into a sidewalk crowded with people, generating horrific results. But you don't see automobiles banned for this reason. Yes the consequences could be bad. But just as it's possible to find safe drivers, there are safe editorial users. Is it perfect? Of course not, but it's an acceptable level of risk according to an informed decision on the part of the site owner.

> More to the point... Telltales?

Some goofball Google-esque thing, I think, that tracks page placement or something. I don't know what the hell it is. They just screamed until I got the system to take it without them emailing me telling me it still doesn't work. And yes, I started the whole deal with you don't want to do that. They did. :-)

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271808
Re: XSS - Cross Site Scripting
On 3/6/07, Dave Watts [EMAIL PROTECTED] wrote:

> > It is my job to make them aware of the risks. Not to tell them what their job should and should not be.
>
> Perhaps you should reread your question, and my response.

Well, here's what I am keying on. I originally said:

> Explain successfully to the client why they ***can't*** do the work they want, and they shouldn't want it, and you can tut all you like.

***emphasis added*** by me. I took this as your direct response:

> That is part of your job as a developer, unfortunately.

I was keying on your response as it pertains to the first part of my statement, not the second. The "can't" part should never enter into the conversation unless it really can't be done.

I do agree it's my job to warn people that they want something crazy. If my clients (in particular the one that wanted the javascript hole to be opened up) could see this and see me coming across as the guy who wants to let people happily run barefoot through the data stream, they would be howling. I don't go gently or quietly into the night on this stuff with the end user. But sometimes it really does make sense.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271809
Re: XSS - Cross Site Scripting
Couldn't you provide the functionality of adding a Google search box in the CMS? That way you control how it is added/displayed etc.

-----Original Message-----
From: Matt Robertson
To: CF-Talk
Sent: Tue Mar 06 23:59:38 2007
Subject: Re: XSS - Cross Site Scripting

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271838
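Neil's suggestion above (ship the search box as a CMS feature so the developer, not the editor, controls the markup) is the usual way to avoid having editors paste raw script into content. The renderer below is an added illustration written for this thread, not code from any poster or CMS: editors get a fixed set of named widget tags such as `[google_search]`, each expanded from a developer-owned template, and everything else they type is HTML-escaped. The widget template and tag names are assumptions for the example.

```python
import html
import re

# Developer-controlled widget templates (constructed for this example).
# An editor can only *reference* a widget by name; the markup itself lives here,
# so it is reviewed once by the developer rather than on every edit.
WIDGETS = {
    # Assumed stand-in for the site's vetted search form.
    "google_search": (
        '<form action="https://www.google.com/search" method="get">'
        '<input type="text" name="q">'
        '<input type="submit" value="Search">'
        "</form>"
    ),
}

# Widget tags look like [name]; only lowercase letters and underscores allowed.
WIDGET_RE = re.compile(r"\[([a-z_]+)\]")


def render(content: str) -> str:
    """Render editor content: escape all text, expand only allowlisted widgets.

    Editor-supplied markup (including <script>) never reaches the page as HTML;
    an unknown [tag] is left as literal text rather than being expanded.
    """
    out = []
    pos = 0
    for match in WIDGET_RE.finditer(content):
        # Text between widgets is untrusted: escape it.
        out.append(html.escape(content[pos:match.start()]))
        name = match.group(1)
        if name in WIDGETS:
            out.append(WIDGETS[name])          # trusted, developer-owned markup
        else:
            out.append(html.escape(match.group(0)))  # unknown tag stays literal
        pos = match.end()
    out.append(html.escape(content[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample of what an editor might type into the CMS.
    sample = "Search our site: [google_search] <script>alert(1)</script>"
    print(render(sample))
```

Adding a new widget means adding a template here and reviewing it once; no editor input is ever emitted as markup.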