Date: Mon, 13 Aug 2001 22:29:13 +0200
From: Jochem van Dieten [EMAIL PROTECTED]
Subject: Re: Hacking CF Web Sites and Applications
Why a filter looking for words in a URL?
To help prevent hack attempts. In some situations, changing the values in
certain locations can create huge security
Paris Lundis wrote:
Awesome reference John.. thanks so much... Off to test it a bit tonight
with our system... Yeah even on the Access databases for fun :)
It works without improving speed. But of course the original purpose of
this thread was increased security and it will do just that.
queries?
Robert Everland III
Dixon Ticonderoga
Web Developer Extraordinaire
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 11:16 PM
To: CF-Talk
Subject: RE: Hacking CF Web Sites and Applications
Interested in hearing more about
So in order to get this performance boost we wouldn't be able
to use CF if's in the statement? I have one query which I made
that has something like this
If this
where something = #something#
end if
So am I correct in assuming cfqueryparam would have no
benefit for me unless I made
PROTECTED] (Chairman)
Http://www.cfug.ie The Irish Cold Fusion User Group
- Original Message -
From: Michael Dinowitz [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Monday, August 13, 2001 5:22 AM
Subject: Re: Hacking CF Web Sites and Applications
You're welcome. :)
A book I found
] Characters found after end of SQL
statement.
---
Thanks.
Dave
-Original Message-
From: Don Vawter [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 12, 2001 11:01 AM
To: CF-Talk
Subject: Re: Hacking CF Web Sites and Applications
I have a page on preventing url hacks which
Subject: RE: Hacking CF Web Sites and Applications
Using the url 'xxx.cfm?show=23;%20DROP%20TABLE%20MyStuff'
I attempted to drop my table and it failed. Why didn't it drop the table?
Either I've done something to prevent it that I'm unaware of or I used invalid syntax
SELECT myitem, myphoto
FROM mystuff
WHERE Show=#URL.Show#
-Original Message-
From: Don Vawter [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 9:12 AM
To: CF-Talk
Subject: Re: Hacking CF Web Sites and Applications
Let us see the query where you used the url.show parameter
Subject: RE: Hacking CF Web Sites and Applications
Using the url 'xxx.cfm?show=23;%20DROP%20TABLE%20MyStuff'
I attempted to drop my table and it failed. Why didn't it drop the table?
Either I've done something to prevent it that I'm unaware of or I used invalid syntax
I might be wrong, but I don't think you can issue multiple SQL commands to Access in
this way.
-Andy
-Original Message-
From: Bosky, Dave [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 9:25 AM
To: CF-Talk
Subject: RE: Hacking CF Web Sites and Applications
SELECT
That's what I was thinking.
~Dave
-Original Message-
From: Andrew Tyrone [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 9:34 AM
To: CF-Talk
Subject: RE: Hacking CF Web Sites and Applications
I might be wrong, but I don't think you can issue multiple SQL commands to
Access
Adam Reynolds wrote:
We've tried this with Oracle as well, and it does not work. This would
leave a major hole in a lot of apps if this did work.
Only in bad applications. And according to the docs on the Allaire
website it does work for quite some applications.
Jochem
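As an added example, not code from the thread: Dave Bosky's `show=23;%20DROP%20TABLE%20MyStuff` test and the cfqueryparam fix that Dave Watts describes elsewhere in the thread, replayed in Python. An in-memory SQLite table is assumed as a stand-in for the Access and Oracle tables people tried this on; Python's sqlite3 `execute()`, like the drivers in the thread, refuses to run more than one statement per call, so the DROP never fires. The block also runs the same interpolated string through a call that does batch statements (what Jochem's reading of the Allaire docs describes), feeds the interpolated query a tautology that no single-statement limit stops, and shows the bound-parameter version, which is what cfqueryparam does. The table, sample rows and payload list are constructed for the example.

```python
"""Added example, not code from the CF-Talk thread: the show=23;%20DROP%20TABLE
payload and the cfqueryparam fix replayed in Python.

Assumption: an in-memory SQLite table stands in for the Access/Oracle
'mystuff' table; like the drivers people tried in the thread, Python's
sqlite3 execute() refuses to run more than one statement per call."""
import sqlite3
from urllib.parse import unquote


def fresh_db():
    """Constructed sample data shaped like the query in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mystuff (show INTEGER, myitem TEXT, myphoto TEXT)")
    conn.executemany(
        "INSERT INTO mystuff VALUES (?, ?, ?)",
        [(23, "lamp", "lamp.jpg"), (24, "chair", "chair.jpg"), (25, "desk", "desk.jpg")],
    )
    return conn


def lookup_interpolated(conn, url_show):
    """WHERE Show=#URL.Show# as written in the thread: the value becomes SQL text."""
    sql = f"SELECT myitem, myphoto FROM mystuff WHERE show={url_show}"
    return conn.execute(sql).fetchall()


def lookup_interpolated_batching(conn, url_show):
    """Same string, through a driver call that does run several statements."""
    sql = f"SELECT myitem, myphoto FROM mystuff WHERE show={url_show}"
    conn.executescript(sql)
    return None  # executescript hands back no rows; we only care what it did


def lookup_parameterized(conn, url_show):
    """What cfqueryparam cfsqltype="cf_sql_integer" does: check the type, then
    bind the value as data so it is never parsed as SQL."""
    show = int(url_show)  # ValueError for anything that is not an integer
    return conn.execute(
        "SELECT myitem, myphoto FROM mystuff WHERE show=?", (show,)
    ).fetchall()


def table_exists(conn):
    return conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='mystuff'"
    ).fetchone()[0] == 1


def attempt(style, url_show):
    """Run one lookup on a fresh table; report rows, error name, and whether
    the table is still there afterwards."""
    fn = {"interpolated": lookup_interpolated,
          "batching": lookup_interpolated_batching,
          "parameterized": lookup_parameterized}[style]
    conn = fresh_db()
    try:
        outcome = {"rows": fn(conn, url_show), "error": None}
    except (sqlite3.Warning, sqlite3.Error, ValueError) as exc:
        # older Pythons raise sqlite3.Warning for a second statement, newer
        # ones sqlite3.ProgrammingError; either way nothing was executed
        outcome = {"rows": None, "error": type(exc).__name__}
    outcome["table_survived"] = table_exists(conn)
    conn.close()
    return outcome


# Constructed inputs, as CF would hand them over in URL.Show after decoding.
PAYLOADS = [unquote(p) for p in ("23", "23;%20DROP%20TABLE%20MyStuff", "23%20OR%201=1")]


def run_demo():
    """Every query style against every payload, keyed by (style, payload)."""
    return {(style, p): attempt(style, p)
            for style in ("interpolated", "batching", "parameterized")
            for p in PAYLOADS}


if __name__ == "__main__":
    for (style, p), out in run_demo().items():
        print(f"{style:13} {p!r:28} rows={out['rows']} error={out['error']} "
              f"table_survived={out['table_survived']}")
```

The interpolated query refuses the DROP only because the driver stops at the semicolon; `23 OR 1=1` goes straight through it and returns every row, and the batching call drops the table outright. The bound-parameter version rejects both payloads before any SQL is built, and it does so whether or not the WHERE clause was assembled under a CFIF, since what matters is that the value is bound rather than pasted into the statement text.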
of my cf_antihack script.
Josh - [EMAIL PROTECTED]
cf-codes - http://www.rubak.com/cf-codes.cfm
--
Date: Sun, 12 Aug 2001 16:38:36 -0600
From: Don Vawter [EMAIL PROTECTED]
Subject: Re: Hacking CF Web
Josh R wrote:
This may be simple minded, but you don't need to know every word they use. A
filter that elaborate would make a site practically useless. However, most
(actually all) hacks must contain a specific syntax to initiate the security
hole. For example, the URL attacks on you
people, places and things]
-Original Message-
From: Jochem van Dieten [EMAIL PROTECTED]
Date: Mon, 13 Aug 2001 22:29:13 +0200
Subject: Re: Hacking CF Web Sites and Applications
Josh R wrote:
This may be simple minded, but you don't need to know every word
they use. A
filter
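As an added example, not Josh's cf_antihack script nor Don's urlhack.cfm: a keyword filter over the URL of the kind being discussed here, written in Python and run over constructed request URLs so you can see what it catches and what it lets through. The keyword list, the host name and the requests are assumptions made for illustration.

```python
"""Added example, not the cf_antihack or urlhack.cfm code mentioned in the
thread: a keyword filter over the query string, of the kind being discussed,
run over constructed request URLs.  The keyword list and the URLs are
assumptions made for illustration."""
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: words such a filter would reject when they turn up in a URL.
SQL_KEYWORDS = ("drop", "delete", "insert", "update", "alter", "exec")


def flagged_words(url):
    """Return the blocklisted words found anywhere in the decoded query string.

    The query string is URL-decoded before matching, so %44ROP is seen as
    DROP; the match is case-insensitive and only fires at the start of a
    word, the position a SQL keyword occupies in an injected statement."""
    decoded = unquote_plus(urlsplit(url).query).lower()
    return sorted(w for w in SQL_KEYWORDS
                  if re.search(r"(?<![a-z])" + re.escape(w), decoded))


def is_blocked(url):
    return bool(flagged_words(url))


# Constructed requests: the thread's payload, the same payload with one
# character percent-encoded, an injection that uses no keyword at all, and
# two ordinary requests that happen to contain a blocklisted word.
REQUESTS = {
    "thread_payload": "http://www.example.com/xxx.cfm?show=23;%20DROP%20TABLE%20MyStuff",
    "encoded_keyword": "http://www.example.com/xxx.cfm?show=23;%20%44ROP%20TABLE%20MyStuff",
    "tautology": "http://www.example.com/xxx.cfm?show=23%20OR%201=1",
    "search_phrase": "http://www.example.com/search.cfm?q=drop%20ceiling%20lights",
    "view_name": "http://www.example.com/list.cfm?view=dropdown",
}


def evaluate(requests=REQUESTS):
    """Map each request label to (blocked?, the words that triggered it)."""
    return {label: (is_blocked(url), flagged_words(url))
            for label, url in requests.items()}


if __name__ == "__main__":
    for label, (blocked, words) in evaluate().items():
        print(f"{label:16} {'BLOCKED' if blocked else 'allowed':8} {words}")
```

In a CF site this check would sit in Application.cfm and look at CGI.QUERY_STRING before any page builds a query. The results show its limits: the DROP payload is caught, including the percent-encoded variant, but `23 OR 1=1` carries none of the listed words and passes, while a search for "drop ceiling lights" and a `view=dropdown` parameter are both rejected. A word list is a tripwire for noisy attempts, not a replacement for typed, bound parameters.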
Interested in hearing more about the cfqueryparam tag... 4.5 version
addition I suspect?
I think it was introduced in CF 4.0.1, but I'm not sure - it may have been
introduced in CF 4.5.x. There isn't much to say about it - you can use it
within a CFQUERY tag to wrap a variable that you're
Lundis [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 11:05 PM
To: CF-Talk
Subject: Re: Hacking CF Web Sites and Applications
Interested in hearing more about the cfqueryparam tag... 4.5 version
addition I suspect?
Syntax and use in Mastering ColdFusion 4.5 book leave a lot
Cummings [EMAIL PROTECTED]
Date: Mon, 13 Aug 2001 23:21:26 -0400
Subject: RE: Hacking CF Web Sites and Applications
If you're interested in more detailed information, you might want to
check out the following KB article - which goes into a pretty fair bit
of detail - specifically related to Oracle
-Original Message-
From: Don Vawter [EMAIL PROTECTED]
Date: Sun, 12 Aug 2001 09:00:38 -0600
Subject: Re: Hacking CF Web Sites and Applications
I have a page on preventing url hacks which was derived from the school of
hard knocks after it happened to me
http://www.vawter.com/urlhack.cfm
Daryl Fullerton wrote:
Hi all,
Anyone got general advice on how to prevent hackers from getting access to
CF sites via back doors and tampering with data
Non-scoped variables are my favourites if I have to prove somebody's
security is bad ;)
We dont want the hackers to be able to
- Original Message -
From: Don Vawter [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Sunday, August 12, 2001 11:00 AM
Subject: Re: Hacking CF Web Sites and Applications
I have a page on preventing url hacks which was derived from the school of
hard knocks after it happened to me
http
Sorry to scare you. Just a demo. Doesn't do anything
- Original Message -
From: Bill Davidson [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Sunday, August 12, 2001 3:22 PM
Subject: Re: Hacking CF Web Sites and Applications
Hey Don. I was just checking out your page on the drop
Subject: Re: Hacking CF Web Sites and Applications
Don,
Was it you who wrote the URL field filter to eliminate DROPs and
such? A conversation that went around a few weeks ago and got lost in
my massive inbox :)
We have been experiencing tons of the IDA exploit attempts... Started
- Original Message
, August 12, 2001 10:38 AM
To: CF-Talk
Subject: Hacking CF Web Sites and Applications
Hi all,
Anyone got general advice on how to prevent hackers from getting access to
CF sites via back doors and tampering with data
We don't want the hackers to be able to change data via URL strings.
e.g