RE: [ACFUG Discuss] CFForms or Flex?

2008-07-21 Thread Clarke Bishop
Thanks for the good advice Doug and Buddy!

Flex seemed too heavy for what I was doing, so I decided to try out the
CF8/Ajax stuff. There's still a learning curve as I had to know something
about the underlying JavaScript framework.

Fortunately, I found a good article on devnet that really helped me get
going:

http://www.adobe.com/devnet/coldfusion/articles/user_mgr.html 

I really wish Adobe would make Flash forms what they could be. You know,
embed Flex 3 into CF instead of Flex 1.5 and then have CFForm create MXML.
Or, even better, just let you stick some MXML directly into CF. For when you
just want just a little Flex or want a little help getting going with Flex,
it seems like this would be good. Oh, well!

   Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Knudsen
Sent: Thursday, July 17, 2008 4:08 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CFForms or Flex?

I don't know Clarke.  But I tell you what I do know.  Buddy is out of the
office at the moment, perhaps when he is back he can help out, eh?

heh.  Ok, I might be a wee bit jaded here, but go with the Flex Luke!
But if your app is largely HTML, might be good to use Ajax based stuffs to
keep things sort of uniform for the user.  The new stuff in
CF8 is pretty sweet and of course there is the standard SPRY stuff too.
Charlie's web site has some good Spry info.

I'd run fast, very fast from flash based cfgrid and that Flex 1.5 junk.  I
mean yeah, you could hack around in it and actually have the full Flex 1.5
SDK available, but it's a PITA and feels icky.

DK

On Thu, Jul 17, 2008 at 3:37 PM, Clarke Bishop <[EMAIL PROTECTED]>
wrote:
> What's the latest thinking on CFForms?
>
> I am doing a straightforward master/detail admin form. And, I thought 
> cfgrid might be a good way to do the master part.
>
> But, I need to be able to apply a switch to filter what the cfgrid 
> shows, and I'm having trouble seeing how to update the cfgrid's 
> dataprovider and get data between CF and Flash.
>
> So, I'm wondering if I shouldn't just do this in Flex. CFForms are 
> actually Flex 1.5, and I've heard Adobe may be lukewarm on making 
> improvements. I like having all my code together as CF provides, and 
> Flex seems more complex. But, of course, Flex is also a lot more powerful.
>
> Thanks for any ideas!
>
>   Clarke



--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?


-
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-


[ACFUG Discuss] Securing CFCs

2008-07-21 Thread Clarke Bishop
I have one remaining problem to solve in my adventure with CF/Ajax. The CFCs
have to have access="remote".

But, this means anyone can access the methods. What I built is a
master/detail, CRUD thing for administering users. So, I obviously don't
want some unauthorized person deleting my users or adding new ones.

Normally, I've used access="public" before which wouldn't let an outside
user get to the methods. But, what's the best way to give access to my valid
CFM pages with Ajax and prevent access by bad guys?

Thanks for any ideas!

Clarke 










Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Dean H. Saxe
All access must be authorized. Only expose those methods required by
the external system.

Your CFC methods are performing authorization already, aren't they? ;-)
If not, now is a great time to add appropriate authorization controls to
your system before exposing such APIs.


-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What difference does it make to the dead, the orphans, and the homeless,
whether the mad destruction is wrought under the name of totalitarianism or
the holy name of liberty and democracy?"

--Gandhi



On Jul 21, 2008, at 10:46 AM, Clarke Bishop wrote:

I have one remaining problem to solve in my adventure with CF/Ajax. The CFCs
have to have access="remote".

But, this means anyone can access the methods. What I built is a
master/detail, CRUD thing for administering users. So, I obviously don't
want some unauthorized person deleting my users or adding new ones.

Normally, I've used access="public" before which wouldn't let an outside
user get to the methods. But, what's the best way to give access to my valid
CFM pages with Ajax and prevent access by bad guys?

Thanks for any ideas!

   Clarke










Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Cameron Childress
This is actually one of the biggest security problems on the internet
right now, unprotected web services, remoting services, AJAX services.
You can actually solve this a number of different ways. You might
check out the "Securing Web Services" section in the docs first:

http://livedocs.adobe.com/coldfusion/8/htmldocs/webservices_22.html

There is also a link on that page to "Securing Applications":
http://livedocs.adobe.com/coldfusion/8/htmldocs/appSecurity_01.html

Lastly, I would say that it's good to remember that any sessions you
create on a CFM page should also be accessible in your CFCs, as long
as they share a common Application.cfc file.  This is a great way to
enforce a common security model across CFM and CFC code...

-Cameron

On Mon, Jul 21, 2008 at 10:46 AM, Clarke Bishop
<[EMAIL PROTECTED]> wrote:
> I have one remaining problem to solve in my adventure with CF/Ajax. The CFCs
> have to have access="remote".
>
> But, this means anyone can access the methods. What I built is a
> master/detail, CRUD thing for administering users. So, I obviously don't
> want some unauthorized person deleting my users or adding new ones.
>
> Normally, I've used access="public" before which wouldn't let an outside
> user get to the methods. But, what's the best way to give access to my valid
> CFM pages with Ajax and prevent access by bad guys?
>
> Thanks for any ideas!
>
>Clarke
>
>
>
>
>



-- 
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]







re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Mischa Uppelschoten ext 10
That is a really good question and I'm curious about the input from the group. 
Maybe use permissions on a webserver/file level? All legit requests would be 
coming from localhost/127.0.0.1/server's IP address, right?
/m


: But, what's the best way to give access to my valid
: CFM pages with Ajax and prevent access by bad guys?

: Thanks for any ideas!

: Clarke 














Mischa Uppelschoten
The Banker's Exchange, LLC.
4200 Highlands Parkway SE
Suite A
Smyrna, GA 30082-5198

Phone:(404) 605-0100 ext. 10
Fax:(404) 355-7930
Web:www.BankersX.com
Follow this link for Instant Web Chat:
http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
-- Original Message --

FROM:  "Clarke Bishop" <[EMAIL PROTECTED]>
TO:
DATE:  Mon, 21 Jul 2008 10:46:09 -0400

SUBJECT:   [ACFUG Discuss] Securing CFCs

I have one remaining problem to solve in my adventure with CF/Ajax. The CFCs
have to have access="remote".

But, this means anyone can access the methods. What I built is a
master/detail, CRUD thing for administering users. So, I obviously don't
want some unauthorized person deleting my users or adding new ones.

Normally, I've used access="public" before which wouldn't let an outside
user get to the methods. But, what's the best way to give access to my valid
CFM pages with Ajax and prevent access by bad guys?

Thanks for any ideas!

   Clarke 










Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Howard Fore
Wouldn't AJAX requests be coming from the user's web browser IP?

On Mon, Jul 21, 2008 at 10:52 AM, Mischa Uppelschoten ext 10 <
[EMAIL PROTECTED]> wrote:

> That is a really good question and I'm curious about the input from the
> group. Maybe use permissions on a webserver/file level? All legit requests
> would be coming from 
> localhost/127.0.0.1/server'sIP address, right?
> /m
>
>
>  But, what's the best way to give access to my valid
> : CFM pages with Ajax and prevent access by bad guys?
>
> : Thanks for any ideas!
>
> : Clarke
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Mischa Uppelschoten
> The Banker's Exchange, LLC.
> 4200 Highlands Parkway SE
> Suite A
> Smyrna, GA 30082-5198
>
> Phone:(404) 605-0100 ext. 10
> Fax:(404) 355-7930
> Web:www.BankersX.com
> Follow this link for Instant Web Chat:
> http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
> -- Original Message --
>
> FROM:  "Clarke Bishop" <[EMAIL PROTECTED]>
> TO:
> DATE:  Mon, 21 Jul 2008 10:46:09 -0400
>
> SUBJECT:   [ACFUG Discuss] Securing CFCs
>
> I have one remaining problem to solve in my adventure with CF/Ajax. The
> CFCs
> have to have access="remote".
>
> But, this means anyone can access the methods. What I built is a
> master/detail, CRUD thing for administering users. So, I obviously don't
> want some unauthorized person deleting my users or adding new ones.
>
> Normally, I've used access="public" before which wouldn't let an outside
> user get to the methods. But, what's the best way to give access to my
> valid
> CFM pages with Ajax and prevent access by bad guys?
>
> Thanks for any ideas!
>
>   Clarke
>
>
>
>
>
>
>
>
>


-- 
Howard Fore, [EMAIL PROTECTED]
"The universe tends toward maximum irony. Don't push it." - Jeff Atwood






Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Cameron Childress
On Mon, Jul 21, 2008 at 10:52 AM, Mischa Uppelschoten ext 10
<[EMAIL PROTECTED]> wrote:
> That is a really good question and I'm curious about the input from the group.
> Maybe use permissions on a webserver/file level? All legit requests would
> be coming from localhost/127.0.0.1/server's IP address, right?

Actually, with AJAX, the requests would be from the browser.

You need to remember that access to the CFC files themselves isn't
bad.  The key is restricting access to the functions inside them using
a security framework.  Just like CFM files are accessible on the open
internet and secured using CF code inside them, CFCs are no different.

-Cameron

-- 
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]







re[2]: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Mischa Uppelschoten ext 10



Duh! I meant to write local subnet.
 

Re: re[2]: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Cameron Childress
On Mon, Jul 21, 2008 at 11:39 AM, Mischa Uppelschoten ext 10
<[EMAIL PROTECTED]> wrote:
> Duh! I meant to write local subnet.

Even if it were an intranet app and you restricted to local subnet
(access), you still aren't controlling authentication/authorization
(who's allowed in and to do what).

-Cameron

-- 
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]
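The pattern described in this thread, worked through as an added example (this is not code from the list posts or from any project discussed here): one Application.cfc shared by the admin pages and the remote CFC, so both see the same session; only the methods the Ajax grid needs marked access="remote", as Dean advises; and each remote method re-checking authorization in CF code before it touches data, which is what secures a CFC just as it secures a CFM page. A subnet or IP restriction on the file would not give you this, since it says nothing about who the caller is. The application name, datasource, table and column names, role name and session keys are all assumptions.

```cfml
<!--- Application.cfc (added example; names are assumed, not from the thread).
      The admin .cfm pages and users.cfc live under this directory, so they
      share one application and one session scope. --->
<cfcomponent output="false">
    <cfset this.name = "userAdminExample">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- A new session starts unauthenticated and without roles. --->
        <cfset session.isLoggedIn = false>
        <cfset session.roles = "">
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Fires for .cfm pages and for URL/Ajax calls to remote CFC methods.
              Only login.cfm is reachable without an authenticated session. --->
        <cfif listLast(arguments.targetPage, "/") neq "login.cfm" and not session.isLoggedIn>
            <cfif right(arguments.targetPage, 4) eq ".cfc">
                <!--- An XMLHttpRequest cannot usefully follow a redirect to the
                      login page, so answer CFC calls with 401 and stop. --->
                <cfheader statuscode="401" statustext="Unauthorized">
                <cfabort>
            </cfif>
            <cflocation url="login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- users.cfc (added example). Only what the Ajax grid actually calls is
      remote; each remote method re-checks authorization itself instead of
      trusting that the request came through the admin page. --->
<cfcomponent output="false">

    <!--- access="private": never reachable over HTTP, only from inside this CFC. --->
    <cffunction name="requireRole" access="private" returntype="void" output="false">
        <cfargument name="role" type="string" required="true">
        <cfif not (structKeyExists(session, "isLoggedIn") and session.isLoggedIn
                   and listFindNoCase(session.roles, arguments.role))>
            <cfheader statuscode="403" statustext="Forbidden">
            <cfthrow type="Security.Forbidden" message="Role '#arguments.role#' required">
        </cfif>
    </cffunction>

    <cffunction name="getUsers" access="remote" returntype="query" returnformat="json" output="false">
        <cfargument name="activeOnly" type="boolean" required="false" default="false">
        <cfset var q = "">
        <cfset requireRole("userAdmin")>
        <cfquery name="q" datasource="adminDSN">
            SELECT userId, userName, isActive
            FROM   appUser
            <cfif arguments.activeOnly>WHERE isActive = 1</cfif>
            ORDER  BY userName
        </cfquery>
        <cfreturn q>
    </cffunction>

    <cffunction name="deleteUser" access="remote" returntype="boolean" returnformat="json" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfset requireRole("userAdmin")>
        <cfquery datasource="adminDSN">
            DELETE FROM appUser
            WHERE userId = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn true>
    </cffunction>

    <!--- access="package": callable from other CFCs in this directory, not over HTTP. --->
    <cffunction name="purgeInactiveUsers" access="package" returntype="void" output="false">
        <cfquery datasource="adminDSN">
            DELETE FROM appUser WHERE isActive = 0
        </cfquery>
    </cffunction>
</cfcomponent>
```

The assumed login.cfm (not shown) sets session.isLoggedIn to true and fills session.roles only after verifying credentials. The Application.cfc deliberately defines no onRequest method, since on CF8 an onRequest handler also intercepts remote CFC calls and breaks them. When a session times out, the next session starts unauthenticated, so the next Ajax call is answered with 401 rather than silently doing nothing; the JavaScript side needs to treat that status as "send the user back to login". The role check inside the CFC is what matters: onRequestStart only says whether anyone is logged in, while requireRole decides whether this user may delete users.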







[ACFUG Discuss] Re: SQL injection in the recent news again

2008-07-21 Thread Douglas Knudsen
>
> http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulnerability
>
> DK
>  --
> Douglas Knudsen
> http://www.cubicleman.com
> this is my signature, like it?
>






Re: [ACFUG Discuss] Re: SQL injection in the recent news again

2008-07-21 Thread Dean H. Saxe
Funny that this came about 6 weeks ago and prompted MS and HP
(SPIDynamics) to release some tools... and now it's coming out again in
the CF blogosphere.


-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What difference does it make to the dead, the orphans, and the homeless,
whether the mad destruction is wrought under the name of totalitarianism or
the holy name of liberty and democracy?"

--Gandhi



On Jul 21, 2008, at 1:46 PM, Douglas Knudsen wrote:


http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulnerability

DK
--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?






RE: [ACFUG Discuss] Re: SQL injection in the recent news again

2008-07-21 Thread John Mason
Cfqueryparam or cfstoredproc will naturally prevent this, but you should
also be logging these attack attempts to monitor the activity. Portcullis
(portcullis.riaforge.org), a cfc filter, can do this. An even better option
is to implement a web application firewall. 

John Mason
[EMAIL PROTECTED]
770.337.8363

www.FusionLink.com - ColdFusion and Flex hosting
Now offering VPS Plans running with VMware technology
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting


 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Knudsen
Sent: Monday, July 21, 2008 1:46 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] Re: SQL injection in the recent news again



http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulnerability
 
DK 
-- 
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it? 





Re: [ACFUG Discuss] Re: SQL injection in the recent news again

2008-07-21 Thread Dean H. Saxe
cfstoredproc will *not* prevent SQL injection.  Stored procs are not
magically immune, they too may be subject to SQL injection in the SP
code itself.  So the problem has moved from CF to the DB itself.  Make
sure you write your stored procs with protection from SQLi, as well.


-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson



On Jul 21, 2008, at 2:37 PM, John Mason wrote:

Cfqueryparam or cfstoredproc will naturally prevent this, but you  
should also be logging these attack attempts to monitor the  
activity. Portcullis (portcullis.riaforge.org), a cfc filter, can do  
this. An even better option is to implement a web application  
firewall.

John Mason
[EMAIL PROTECTED]
770.337.8363

www.FusionLink.com - ColdFusion and Flex hosting
Now offering VPS Plans running with VMware technology
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas  
Knudsen

Sent: Monday, July 21, 2008 1:46 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] Re: SQL injection in the recent news again

http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulnerability

DK
--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
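The three points made in this exchange, John's (bind parameters with cfqueryparam or cfprocparam, and log the attempts) and Dean's (a stored procedure is only as safe as its own body), as an added example in CFML. This is not code from the posts, from the linked article or from Portcullis; the datasource, table, column and procedure names are assumptions.

```cfml
<!--- Added example, not code from the posts or from Portcullis. The
      datasource, table, column and procedure names are assumed. --->

<!--- BEFORE: the pattern the linked article warns about. url.id is pasted
      into the SQL text, so whatever the request carries is parsed as SQL. --->
<cfquery name="userBad" datasource="adminDSN">
    SELECT userId, userName FROM appUser WHERE userId = #url.id#
</cfquery>

<!--- AFTER: validate first, so a rejected value can be logged as the attack
      signal John describes, then bind it with cfqueryparam so the database
      receives it as a value and never as SQL text. --->
<cfif not isValid("integer", url.id)>
    <!--- Record the source and the length, not the raw value, so the log
          itself does not fill up with attacker-controlled text. --->
    <cflog file="sqlparam" type="warning"
           text="Rejected non-integer id from #cgi.remote_addr# (len=#len(url.id)#) on #cgi.script_name#">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
<cfquery name="userGood" datasource="adminDSN">
    SELECT userId, userName FROM appUser
    WHERE userId = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Stored procedure call: cfprocparam binds the value, so the call itself
      is safe. That is all it protects. If dbo.GetUserByName concatenates
      @userName into a string and runs it with EXEC, the injection point has
      only moved into the procedure; its body must use the parameter directly
      (or sp_executesql with bound parameters). --->
<cfstoredproc procedure="dbo.GetUserByName" datasource="adminDSN">
    <cfprocparam type="in" cfsqltype="cf_sql_varchar"
                 value="#form.userName#" maxlength="50">
    <cfprocresult name="userByName">
</cfstoredproc>
```

The cfqueryparam type check would also reject a non-integer on its own, but validating explicitly first gives you one place to log and to return a clean 400, which is the per-query version of what a filter like Portcullis or a web application firewall does across the whole site. The cfstoredproc block is safe or unsafe depending entirely on how the procedure was written; the CF side cannot tell the difference, which is Dean's point.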






RE: [ACFUG Discuss] Re: SQL injection in the recent news again

2008-07-21 Thread John Mason
True...there again it depends on how you write the storedproc. I stand
corrected :)

John Mason
[EMAIL PROTECTED]
770.337.8363
 
www.FusionLink.com - ColdFusion and Flex hosting
Now offering VPS Plans running with VMware technology
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Monday, July 21, 2008 2:43 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Re: SQL injection in the recent news again

cfstoredproc will *not* prevent SQL injection.  Stored procs are not
magically immune, they too may be subject to SQL injection in the SP code
itself.  So the problem has moved from CF to the DB itself.  Make sure you
write your stored procs with protection from SQLi, as well.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
 --Thomas Jefferson



On Jul 21, 2008, at 2:37 PM, John Mason wrote:

> Cfqueryparam or cfstoredproc will naturally prevent this, but you 
> should also be logging these attack attempts to monitor the activity. 
> Portcullis (portcullis.riaforge.org), a cfc filter, can do this. An 
> even better option is to implement a web application firewall.
> John Mason
> [EMAIL PROTECTED]
> 770.337.8363
>
> www.FusionLink.com - ColdFusion and Flex hosting Now offering VPS 
> Plans running with VMware technology Now offering ColdFusion 8 
> Enterprise hosting FREE Subversion hosting
>
>
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas 
> Knudsen
> Sent: Monday, July 21, 2008 1:46 PM
> To: discussion@acfug.org
> Subject: [ACFUG Discuss] Re: SQL injection in the recent news again
>
> http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulner
> ability
>
> DK
> --
> Douglas Knudsen
> http://www.cubicleman.com
> this is my signature, like it?
>





Re: [ACFUG Discuss] Re: SQL injection in the recent news again

2008-07-21 Thread Dean H. Saxe
It's a pretty fine point, to be sure, but important to note.  I have
seen many people who claim to be immune to SQLi due to the use of
stored procs wind up regretting their bravado when tested.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Great spirits have often encountered violent opposition from weak  
minds."

--Einstein


On Jul 21, 2008, at 2:51 PM, John Mason wrote:


True...there again it depends on how you write the storedproc. I stand
corrected :)

John Mason
[EMAIL PROTECTED]
770.337.8363

www.FusionLink.com - ColdFusion and Flex hosting
Now offering VPS Plans running with VMware technology
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.  
Saxe

Sent: Monday, July 21, 2008 2:43 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Re: SQL injection in the recent news  
again


cfstoredproc will *not* prevent SQL injection.  Stored procs are not
magically immune, they too may be subject to SQL injection in the SP code
itself.  So the problem has moved from CF to the DB itself.  Make sure you
write your stored procs with protection from SQLi, as well.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson



On Jul 21, 2008, at 2:37 PM, John Mason wrote:


Cfqueryparam or cfstoredproc will naturally prevent this, but you
should also be logging these attack attempts to monitor the activity.
Portcullis (portcullis.riaforge.org), a cfc filter, can do this. An
even better option is to implement a web application firewall.
John Mason
[EMAIL PROTECTED]
770.337.8363

www.FusionLink.com - ColdFusion and Flex hosting Now offering VPS
Plans running with VMware technology Now offering ColdFusion 8
Enterprise hosting FREE Subversion hosting



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas
Knudsen
Sent: Monday, July 21, 2008 1:46 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] Re: SQL injection in the recent news again

http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulnerability

DK
--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?






RE: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Clarke Bishop
Thanks all for your suggestions!

Cameron, you mentioned sessions will be available in both your CFM pages and
CFCs as long as they share a common Application.cfc file. So, you'd put the
CFC in the same directory as the CFM?

And, if I did that, the request for the CFC would still cause an
onRequestStart event in Application.cfc? Right now, my onRequestStart
function checks to see if the user is logged in and has the correct
permissions. If not, they get redirected to a login page. So, this would
work with a CFC call too?

I'm also wondering what happens when the session expires. The user opens the
page then goes to lunch. They come back and try to edit or delete a user,
but the session has expired. I guess I could set a really short session
timeout to see what happens. But, is there a better way to test something
like this?

Thanks again to everyone for your help!

   Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cameron
Childress
Sent: Monday, July 21, 2008 11:01 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Securing CFCs

This is actually one of the biggest security problems on the internet right
now, unprotected web services, remoting services, AJAX services.
You can actually solve this a number of different ways. You might check out
the "Securing Web Services" section in the docs first:

http://livedocs.adobe.com/coldfusion/8/htmldocs/webservices_22.html

There is also a link on that page to "Securing Applications":
http://livedocs.adobe.com/coldfusion/8/htmldocs/appSecurity_01.html

Lastly, I would say that it's good to remember that any sessions you create
on a CFM page should also be accessible in your CFCs, as long as they share
a common Application.cfc file.  This is a great way to enforce a common
security model across CFM and CFC code...

-Cameron

On Mon, Jul 21, 2008 at 10:46 AM, Clarke Bishop <[EMAIL PROTECTED]>
wrote:
> I have one remaining problem to solve in my adventure with CF/Ajax. 
> The CFCs have to have access="remote".
>
> But, this means anyone can access the methods. What I built is a 
> master/detail, CRUD thing for administering users. So, I obviously 
> don't want some unauthorized person deleting my users or adding new ones.
>
> Normally, I've used access="public" before which wouldn't let an 
> outside user get to the methods. But, what's the best way to give 
> access to my valid CFM pages with Ajax and prevent access by bad guys?
>
> Thanks for any ideas!
>
>Clarke



--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]



Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Dean H. Saxe

Clarke,

Sounds like you have a partially complete authorization model.  What  
you might be missing is authorization to individual data elements.  So  
when the user attempts to edit a user, does the system verify that he  
not only has permission to edit a user, but permission to edit *this  
specific* user?  The same is true for deletions.  This attack pattern  
is commonly called horizontal privilege escalation and it is an area  
where few apps make good authorization decisions.  So you'll  
definitely want to check it out.


-dhs


Dean H. Saxe, CISSP,  CEH
[EMAIL PROTECTED]
"[T]he people can always be brought to the bidding of the leaders.  
This is easy. All you have to do is to tell them they are being  
attacked, and denounce the pacifists for lack of patriotism and  
exposing the country to danger. It works the same in every country."

--Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials



On Jul 21, 2008, at 4:06 PM, Clarke Bishop wrote:


Thanks all for your suggestions!

Cameron, you mentioned sessions will be available in both your CFM pages and
CFCs as long as they share a common Application.cfc file. So, you'd put the
CFC in the same directory as the CFM?

And, if I did that, the request for the CFC would still cause an
onRequestStart event in Application.cfc? Right now, my onRequestStart
function checks to see if the user is logged in and has the correct
permissions. If not, they get redirected to a login page. So, this would
work with a CFC call too?

I'm also wondering what happens when the session expires. The user opens the
page then goes to lunch. They come back and try to edit or delete a user,
but the session has expired. I guess I could set a really short session
timeout to see what happens. But, is there a better way to test something
like this?

Thanks again to everyone for your help!

   Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cameron
Childress
Sent: Monday, July 21, 2008 11:01 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Securing CFCs

This is actually one of the biggest security problems on the internet right
now, unprotected web services, remoting services, AJAX services.
You can actually solve this a number of different ways. You might check out
the "Securing Web Services" section in the docs first:

http://livedocs.adobe.com/coldfusion/8/htmldocs/webservices_22.html

There is also a link on that page to "Securing Applications":
http://livedocs.adobe.com/coldfusion/8/htmldocs/appSecurity_01.html

Lastly, I would say that it's good to remember that any sessions you create
on a CFM page should also be accessible in your CFCs, as long as they share
a common Application.cfc file.  This is a great way to enforce a common
security model across CFM and CFC code...

-Cameron

On Mon, Jul 21, 2008 at 10:46 AM, Clarke Bishop <[EMAIL PROTECTED]>
wrote:

I have one remaining problem to solve in my adventure with CF/Ajax.
The CFCs have to have access="remote".

But, this means anyone can access the methods. What I built is a
master/detail, CRUD thing for administering users. So, I obviously
don't want some unauthorized person deleting my users or adding new ones.

Normally, I've used access="public" before which wouldn't let an
outside user get to the methods. But, what's the best way to give
access to my valid CFM pages with Ajax and prevent access by bad guys?

Thanks for any ideas!

   Clarke





--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]



Re: [ACFUG Discuss] Securing CFCs

2008-07-21 Thread Cameron Childress
On Mon, Jul 21, 2008 at 4:06 PM, Clarke Bishop <[EMAIL PROTECTED]> wrote:
> Cameron, you mentioned sessions will be available in both your CFM pages and
> CFCs as long as they share a common Application.cfc file. So, you'd put the
> CFC in the same directory as the CFM?

Actually, I usually do something like this:

/myApp             - root application dir (put Application.cfc here)
/myApp/components  - dir for CFCs
/myApp/wwwroot     - dir for CFMs (this is the webroot in IIS/apache/etc)

> And, if I did that, the request for the CFC would still cause an
> onRequestStart event in Application.cfc? Right now, my onRequestStart
> function checks to see if the user is logged in and has the correct
> permissions. If not, they get redirected to a login page. So, this would
> work with a CFC call too?

Usually I would just access the session from inside the CFCs directly.
You don't have to put anything in the Application.cfc for your CFCs
to be secure, you just need it to be there so you can access session
data inside your CFC files.

You could secure your CFCs in a number of ways, including calling a
security CFC from within each CFC function to determine permissions.
In your case I would probably create a "security CFC" that handles
logins, authentication, and access controls.  You can then instantiate
this CFC from inside any CFM or CFC and ask it about permissions.

There are other ways to skin this problem too, that's just one...

> I'm also wondering what happens when the session expires. The user opens the
> page then goes to lunch. They come back and try to edit or delete a user,
> but the session has expired. I guess I could set a really short session
> timeout to see what happens. But, is there a better way to test something
> like this?

Well, if they try to make an AJAX call and the CFC says "no way" you
should handle that response and send the user to the login screen,
just like any CFM template would do, only you would be using AJAX
instead.

-Cameron

-- 
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]
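
Putting Cameron's advice (check the session from inside the CFC, and keep the
checks in one place) together with Dean's point (authorize the *specific*
record, not just the operation), here is what one of Clarke's remote CFCs could
look like. This is an added example written for this archive page, not code
posted in the thread or shipped by Adobe. It assumes Cameron's directory
layout (so the file lives at /myApp/components/UserService.cfc), that
Application.cfc in /myApp turns on session management, that the login page
stores session.auth as a struct with userId and role keys, that a datasource
name is kept in application.dsn, and a users table with a user_id column;
the "admins may edit anyone, everyone else only their own record" policy is
likewise an assumption chosen to show the per-record check.

```cfml
<!--- /myApp/components/UserService.cfc  (added example; path, session.auth layout,
      application.dsn, the users table and the role policy are all assumptions) --->
<cfcomponent output="false"
             hint="Remote user admin methods; every remote method guards itself">

    <!--- Authentication. An expired session simply has no session.auth any more,
          so the "user went to lunch" case fails here exactly like a user who never
          logged in: the caller gets an exception instead of a silent success. --->
    <cffunction name="requireLogin" access="private" returntype="void" output="false">
        <cfif NOT structKeyExists(session, "auth") OR NOT isStruct(session.auth)>
            <cfthrow type="Security.NotAuthenticated" message="Login required">
        </cfif>
    </cffunction>

    <!--- Authorization for one specific record (the horizontal privilege
          escalation check Dean describes): "may edit users" is not enough,
          the question is "may edit *this* user". --->
    <cffunction name="requireCanModifyUser" access="private" returntype="void" output="false">
        <cfargument name="targetUserId" type="numeric" required="true">
        <cfset requireLogin()>
        <cfif session.auth.role EQ "admin">
            <cfreturn>
        </cfif>
        <cfif session.auth.userId NEQ arguments.targetUserId>
            <cfthrow type="Security.NotAuthorized"
                     message="User #session.auth.userId# may not modify user #arguments.targetUserId#">
        </cfif>
    </cffunction>

    <!--- access="remote" means anyone on the network can call this URL, so the
          two private checks above are the only thing standing between an
          anonymous request and the DELETE. --->
    <cffunction name="deleteUser" access="remote" returntype="struct"
                returnformat="json" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfset var result = structNew()>

        <cfset requireCanModifyUser(arguments.userId)>

        <cfquery datasource="#application.dsn#">
            DELETE FROM users
            WHERE user_id = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">
        </cfquery>

        <cfset result.success = true>
        <cfset result.deletedUserId = arguments.userId>
        <cfreturn result>
    </cffunction>

</cfcomponent>
```

The two checks are private so a remote caller cannot invoke them directly, and
deleteUser runs them before it touches the database, so there is no code path
to the query that skips them. Because a thrown exception turns into a failed
HTTP response on the Ajax side, this also answers Clarke's session-expiry
question: the browser code should treat a failed call as "not logged in" and
send the user to the login page, which is what Cameron suggests; if the CFC is
called through cfajaxproxy, that is the place to register a handler with the
proxy's setErrorHandler() method. To exercise the expiry path without waiting
for a real timeout, log in, clear session.auth (or call the logout code), and
then fire the same Ajax call; the method must refuse it just as it would refuse
a request that arrives with no session at all.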

