Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-12-18 Thread Eric Dawson
good code. cfabort in application.cfm? I think I'll do the same. - Original Message - From: "Andrew Grosset" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Saturday, December 18, 2004 4:36 PM Subject: Re: Securing CF Apps against SQL I

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-12-18 Thread Andrew Grosset
I just put the following in my application template to check all urls: tmp = urldecode(cgi.query_string); // remove all opening and closing tags.. tmp = Replace(tmp, "<", "", "ALL"); tmp = Replace(tmp, ">", "", "ALL"); // remove oth

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-12-16 Thread Michael Dawson
Would you be willing to share your modded cf_codecleaner custom tag? Thanks! MAD > Yes, I did virtually the same except I modified cf_codecleaner to do > the CompareNoCase within the tag, email me the details and cflocation > (I'm going to make a "special" 500 page as I can't get cfheader to >

RE: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-14 Thread Dave Watts
> On IIS you can use the Microsoft tool URLScan for this, > or the Aqtronix Web Knight. I believe this capability > is built into IIS 6 on Win2K3, but I haven't used it > yet to know for sure. Yes, IIS 6 has an input filter, although it's not exactly the same as URLScan. Dave Watts, CTO, Fig Le

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-14 Thread Brandon Harper
I'm jumping a little late into this discussion, but I see a couple of things which haven't been discussed. I think you need to do protection against XSS and SQL Injection in multiple layers. 1.) Web Server / Application Server Layer 2.) Pre-Application Execution 3.) Post User Input / Pre Query 1

RE: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-13 Thread Ian Vaughan
://msdn.microsoft.com/security/understanding/overview/default.aspx?p ull=/msdnmag/issues/02/09/securitytips/default.aspx From: Jochem van Dieten [mailto:[EMAIL PROTECTED] Sent: 13 May 2004 10:42 To: CF-Talk Subject: Re: Securing CF Apps against SQL Injection & Cross

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-13 Thread Jochem van Dieten
Ian Vaughan wrote: > How could I prevent >   > ?name=alert('hi!'); >   > this type of input being added to the URL in Coldfusion ?? You can never prevent a visitor from adding things to a URL, you can only design your application to respond properly to what has been added to a URL. That means yo

RE: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-13 Thread Ian Vaughan
How could I prevent ?name=alert('hi!'); this type of input being added to the URL in Coldfusion ?? Any ideas on how to prevent this ?? From: Matt Robertson [mailto:[EMAIL PROTECTED] Sent: 07 May 2004 07:44 To: CF-Talk Subject: RE: Securi

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-07 Thread Thomas Chiverton
On Friday 07 May 2004 00:01 am, Andrew Grosset wrote: > Works great in IE, but Mozilla Firebird ignores cfheader and displays the *Really* ?!? :tests Bonkers. I'd stick a cfabort in after the cfheader, just to be sure anyway. -- Tom Chiverton Advanced ColdFusion Programmer Tel: +44(0)1749 8349

RE: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
good ideas, all. Thanks for sharing! Matt Robertson [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Andrew Grosset
> Andrew Grosset wrote: > >Works great in IE, but Mozilla Firebird ignores cfheader and displays > > >the page as normal... > > I put in right afterwards :D > > Here's the whole test I'm using.  I put this into application.cfm and, > as you say, it only eats a max of 15ms. > > > > Cleanurl

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
Andrew Grosset wrote: >Works great in IE, but Mozilla Firebird ignores cfheader and displays >the page as normal... I put in right afterwards :D Here's the whole test I'm using.  I put this into application.cfm and, as you say, it only eats a max of 15ms. -- -

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Andrew Grosset
Works great in IE, but Mozilla Firebird ignores cfheader and displays the page as normal... >My turn for a dumb question:  Would this be all there is to it? > > > > > >--Matt Robertson-- >MSB Designs, Inc. >http://mysecretbase.com

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
John wrote: >what codecleaner does? and where do I find it? http://tinyurl.com/2vo8k -- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread John Ho
what codecleaner does? and where do I find it? > Jim wrote: > >How do I use it?   > > For just a form var its completely painless.  CodeCleaner is just a > custom tag, so you either put it into the current folder or the custom > tags folder.  Then, on a form post page you would validate all of

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
>>Why not return a 500 (or other permanent) HTTP error ? >Yes, that would be a better solution. My turn for a dumb question:  Would this be all there is to it? --Matt Robertson-- MSB Designs, Inc. http://mysecretbase.com

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
Jim wrote: >How do I use it?   For just a form var it's completely painless.  CodeCleaner is just a custom tag, so you either put it into the current folder or the custom tags folder.  Then, on a form post page you would validate all of your form fields with it.  I do it in a block like you see bel

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Jim Louis
Ok I know stupid answer is coming up for this question.  I downloaded the Codecleaner.  How do I use it?  Do I add it to my application.cfm? If so How do I?  and what is the tag line in the form? Jim > CodeCleaner is an absolutely fantastic tag.  Runs like lightning.  I > use cfqueryparam but n

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Andrew Grosset
When checking the query string I also decode it like this: #urldecode(cgi.query_string)# this is to escape any HTML escaped encoding

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Andrew Grosset
Yes, that would be a better solution. >Why not return a 500 (or other permanent) HTTP error ? > >-- >Tom Chiverton >Advanced ColdFusion Programmer

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Thomas Chiverton
On Thursday 06 May 2004 01:29 am, Andrew Grosset wrote: > same as the scrubbed result (tmp). If caller.check GT 0 then I email myself > the details and throw them out to google! Why not return a 500 (or other permanent) HTTP error ? -- Tom Chiverton Advanced ColdFusion Programmer Tel: +44(0)1749

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-05 Thread Andrew Grosset
I'm checking to see whether the original input (attributes.input) is the same as the scrubbed result (tmp). If caller.check GT 0 then I email myself the details and throw them out to google! My theory being is if somebody is "playing" with the urls I don't want to show them the scrubbed result (in

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-05 Thread Matt Robertson
CodeCleaner is an absolutely fantastic tag.  Runs like lightning.  I use cfqueryparam but nonetheless I still scrub form inputs with it. What did you need to modify in CodeCleaner to make it scrub urls?  I glanced at it very quickly and it seems like it'll take whatever you feed it. -- --

Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-05 Thread Andrew Grosset
I would like to emphasise reading "Understanding the cause and effect of CSS (XSS) Vulnerabilities " at http://www.technicalinfo.net/papers/CSS.html as recommended previously by Dave Watts. If you weren't paranoid about XSS before reading this article you might be after! Besides the obvious danger

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Heald, Tim
y are procedures better? (was: RE: Securing CF Apps.) > Yes, we are having a generic technical debate, and what I am saying is > that >  when the team setup or hierarchical setup is not ideal, separating > work out >  makes the project move along faster. Stored procs come into play here

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Heald, Tim
o: CF-Talk Subject: RE: why are procedures better? (was: RE: Securing CF Apps.) > I certainly understand your position. But what does that have > to do with comparing stored procedures to queries? It may > matter in your particular situation, but we are supposed to > be having a generic

RE: Securing CF Apps.

2004-03-24 Thread Heald, Tim
been approved or sanctioned by these organizations. This e-mail is unclassified based on the definitions in E.O. 12958. -Original Message- From: Matt Liotta [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 9:36 AM To: CF-Talk Subject: Re: Securing CF Apps. > yes matt. it is t

RE: secure way to pass variables (was RE: Securing CF Apps.)

2004-03-24 Thread Dave Watts
> All this talk of ways to cracking systems has me paranoid. >   > So what is the best way to pass a variable between 2 pages? >   > Using SSL, encrypting/decrypting a session variable (or CFID > CFTOKEN)? If you're worried about third parties being able to view HTTP requests and responses betwee

secure way to pass variables (was RE: Securing CF Apps.)

2004-03-24 Thread Robert Redpath
, 2004 10:52 AM To: CF-Talk Subject: Re: Securing CF Apps. > That's precisely what I'm saying. Once deployed, the schema owner is > disabled. Now of course an sa account exists, but an sa account will > exists on every db server, just as and admin account exists on every > OS. F

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
t;  Steve >-Original Message- >From: Matt Liotta [mailto:[EMAIL PROTECTED] >Sent: Wednesday, March 24, 2004 10:26 AM >To: CF-Talk >Subject: Re: why are procedures better? (was: RE: Securing CF Apps.) > >Maybe I don't understand your set

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Steve Nelson
So are you advocating cfincludes with queries instead of stored procs? Steve   -Original Message-   From: Matt Liotta [mailto:[EMAIL PROTECTED]   Sent: Wednesday, March 24, 2004 10:26 AM   To: CF-Talk   Subject: Re: why are procedures better? (was: RE: Securing CF Apps.)   Maybe I don&#

Re: Securing CF Apps.

2004-03-24 Thread Matt Liotta
> That's precisely what I'm saying. Once deployed, the schema owner is > disabled. Now of course an sa account exists, but an sa account will > exists on every db server, just as and admin account exists on every > OS. Furthermore, all client tool connections are disabled as well. The > only thi

Re: Securing CF Apps.

2004-03-24 Thread Adrocknaphobia
icise. I look forward to you presentation on security. -adam > -Original Message- > From: Matt Liotta [mailto:[EMAIL PROTECTED] > Sent: Wednesday, March 24, 2004 03:07 PM > To: 'CF-Talk' > Subject: Re: Securing CF Apps. > > > Actually there isn't. Com

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Stephen Barry
> > psycho nazi dba's need to first get over themselves... > > a view to the tables can obscure enough if that's the reason... > Now Tony, I think that's a bit strong! Some companies employ people to know exactly what's going on with the DB. More a reflection of the value of information and the c

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Deanna Schneider
- Original Message - From: "Steve Nelson" Do > you have a development Oracle server you could try this on? I'm very curious > if there is a difference. I haven't tested since we switched to CFMX, but on CF 5.0 with Oracle 8.17, the "injected" sql would fail as invalid when it hit the dr

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Deanna Schneider
- Original Message - From: "Greg Luce" > Have you used ER Studio? Nope, I use SQL Navigator & SQL Plus, Oracle behind those. Don't think there's any auto-generating of stored procs in it. Don't think my boss would think it worthwhile to plop down more money just for that, either.

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
Maybe I don't understand your setup. In some CFM, you have to either call cfquery or cfstoredproc. If you need to change either the query or the stored procedure, you will need to edit this file. Now in either case, you could simply use a cfinclude to separate out either into a separate file th

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Stephen Moretti
> >  > The problem I always have with this example, despite the fact that 9/10 >  > the example itself doesn't work, is that it takes 2 minutes to set up >  > appropriate users for databases with appropriate grant levels and you >  > can even set the statements that can be executed in the DNS sett

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
>  I'm not quite clear on this. Of course SP's aren't the only way of >  separating business logic from presentation but aren't they one > possible >  means of doing so? SP's allow developers to abstract or separate > server-side >  functions from the client-side GUI. Multiple statements and > c

Re: Securing CF Apps.

2004-03-24 Thread Matt Liotta
> Actually there isn't. Common sense dictates that your schema owner / > dba is disabled on production once its deployed. Furthermore there is > never a need for the schema owner or dba to have an account in your > application. So again, you trying to argue against Oracle and SQL > security, wh

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Tangorre, Michael
> Maybe I wasn't clear in my reply to that statement. There is > nothing inherent about stored procedures which makes them > better for separating out work. It is in fact the same amount > of work to separate queries as it is stored procedures. Well... As I already pointed out: Developer1 - Us

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Jochem van Dieten
Stephen Moretti wrote: >>Stephen Moretti wrote: >>> You are quite correct. >>> >>> Jochem's example will wind up with all the DROP TABLE junk in the text >>> field. >> >> Read again what I wrote about C-style escaping. Or just test it. > > Blows up on mySQL, but I see your point for less secure d

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Stephen Barry
Message- > From: Matt Liotta [mailto:[EMAIL PROTECTED] > Sent: 24 March 2004 13:10 > To: CF-Talk > Subject: Re: why are procedures better? (was: RE: Securing CF Apps.) > > > The use of cfquery vs cfstoredproc has nothing to do with > separation of   > presentation f

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Stephen Moretti
> Stephen Moretti wrote: >  > You are quite correct. >  > >  > Jochem's example will wind up with all the DROP TABLE junk in the text >  > field. > > Read again what I wrote about C-style escaping. Or just test it. > Blows up on mySQL, but I see your point for less secure databases like Oracle..

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Dave Watts
> > That is a myth. Stored procedures are only faster than > > dynamic queries; not prepared statements. In fact, in some > > cases it is possible for a stored procedure to actually be > > slower than a dynamic query. > > This is simply your opinion which differs greatly from the DBAs > I've be

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
> Yes, we are having a generic technical debate, and what I am saying is > that >  when the team setup or hierarchical setup is not ideal, separating > work out >  makes the project move along faster. Stored procs come into play here > in >  that someone can tackle this aspect while other things

Re: Securing CF Apps.

2004-03-24 Thread Adrocknaphobia
speaking on CF Security at CFUN? -adam > -Original Message- > From: Matt Liotta [mailto:[EMAIL PROTECTED] > Sent: Wednesday, March 24, 2004 02:33 PM > To: 'CF-Talk' > Subject: Re: Securing CF Apps. > > > yes matt. it is true that there is a dba login t

Re: Securing CF Apps.

2004-03-24 Thread Matt Liotta
> Alright, so far you've just said all these ideas are pointless. What > do you suggest? > See the archives where I answered that question. -Matt

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
> This is simply your opinion which differs greatly from the DBAs I've >  been involved with. > It isn't my opinion; it is an easily provable fact. Go ask your DBAs what the difference in execution between a prepared statement and a stored procedure is. The answer is nothing. But, don't take my w

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Tangorre, Michael
> I certainly understand your position. But what does that have > to do with comparing stored procedures to queries? It may > matter in your particular situation, but we are supposed to > be having a generic technical debate. Yes, we are having a generic technical debate, and what I am saying i

Re: Securing CF Apps.

2004-03-24 Thread Matt Liotta
> yes matt. it is true that there is a dba login to every database. of > course no one using the application has the role of dba. so what is > your point? > The point is the login is there and can be exploited. No matter how much you lock down the schema, there is always one user account which

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
>  Well not all of us are in positions to control every aspect of a > project.. >  Nor are the people that are in charge always in line proper ways of > doing >  things. I'm just another person on the lower end of the totem pole. If >  everything ran as it should we wouldn't be having this conver

Re: Securing CF Apps.

2004-03-24 Thread Adrocknaphobia
Alright, so far you've just said all these ideas are pointless. What do you suggest? -adam > -Original Message- > From: Matt Liotta [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 23, 2004 10:15 PM > To: 'CF-Talk' > Subject: Re: Securing CF Apps. > &g

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Greg Luce
-Original Message- From: Matt Liotta [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 9:13 AM To: CF-Talk Subject: Re: why are procedures better? (was: RE: Securing CF Apps.) > I don't think there have been convincing arguments that SPs help from > a  security stan

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Philip Arnold
> From: Jochem van Dieten > > This type of coding can be insecure. Just imagine what would > happen in Oracle, MySQL or any other database that use > C-style escaping when combined with: > "h4ck3r\'; DROP TABLE users; COMMIT; --"> But if you're using CFQUERYPARAM, then that wouldn't effect any

Re: Securing CF Apps.

2004-03-24 Thread Adrocknaphobia
F-Talk' > Subject: Re: Securing CF Apps. > > > are you arguing semantics or ideas on how to lock down a cf > > application. locking down the CFIDE is just another catch. it may just > > be enforcing your database lockdown, but it another layer of > > enforc

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Marlon Moyer
ination of several items.  The only way I've done that is with a dynamically built query within a stored proc and from what I gather, you lose all speed benefits with that design. -- marlon > Subject: Re: why are procedures better? (was: RE: Securing CF Apps.) > > > I don't

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Jochem van Dieten
Stephen Moretti wrote: > You are quite correct. > > Jochem's example will wind up with all the DROP TABLE junk in the text > field. Read again what I wrote about C-style escaping. Or just test it. > If you try that against a numeric field, then you wind up with invalid > SQL which will throw a

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Steve Nelson
the quotes, not the database. Do you have a development Oracle server you could try this on? I'm very curious if there is a difference. Steve Nelson   -Original Message-   From: Jochem van Dieten [mailto:[EMAIL PROTECTED]   Sent: Wednesday, March 24, 2004 3:34 AM   To: CF-Talk   Subject: RE: w

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Tony Weeg
etter handle on the data make someone a better coder since they get the whole picture??? -Original Message- From: Stephen Moretti [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 9:09 AM To: CF-Talk Subject: Re: why are procedures better? (was: RE: Securing CF Apps.) You are

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Tangorre, Michael
> If your application is properly modularized there shouldn't > be all those different things in the same file anyway. Well not all of us are in positions to control every aspect of a project.. Nor are the people that are in charge always in line proper ways of doing things. I'm just another pers

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Stephen Moretti
, March 24, 2004 3:34 AM >   To: CF-Talk >   Subject: RE: why are procedures better? (was: RE: Securing CF Apps.) > >   This type of coding can be insecure. Just imagine what would happen in >   Oracle, MySQL or any other database that use C-style escaping when >   comb

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
> I don't think there have been convincing arguments that SPs help from a >  security standpoint, but from a performance standpoint I don't think >  it's debatable. > That is a myth. Stored procedures are only faster than dynamic queries; not prepared statements. In fact, in some cases it is possi

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Steve Nelson
Yeah, but CF will double up those quotes automatically. At least I thought it did. Steve   -Original Message-   From: Jochem van Dieten [mailto:[EMAIL PROTECTED]   Sent: Wednesday, March 24, 2004 3:34 AM   To: CF-Talk   Subject: RE: why are procedures better? (was: RE: Securing CF Apps

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Greg Luce
t: Wednesday, March 24, 2004 8:37 AM To: CF-Talk Subject: RE: why are procedures better? (was: RE: Securing CF Apps.) I can't see the correlation either... psycho nazi dba's need to first get over themselves... a view to the tables can obscure enough if that's the reason... and I'm not sur

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
> Finally, I work in small teams quite often where we all need to make > best >  use of our time, so sometimes if we are pressed for time, one person > will >  write the stored procs, while another works on the pages and another > the >  layout and UI. Imagine the hassle of trying to work on the

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Greg Luce
ast time I bought ER Studio it was around $800, I'm sure it's more now but it's one of my favorite tools. Greg -Original Message- From: Deanna Schneider [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 8:39 AM To: CF-Talk Subject: Re: why are procedures better? (

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Tangorre, Michael
> I find that the most valid reason for using stored procedures > is for transaction processing. If I need to tie several > pieces of functionality together in one database hit, then > I'll put it in a stored proc. For example, I'm working on a > nested set procedure right now, where I need to

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
>  I find that the most valid reason for using stored procedures is for >  transaction processing. If I need to tie several pieces of > functionality >  together in one database hit, then I'll put it in a stored proc. For >  example, I'm working on a nested set procedure right now, where I > need

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Tony Weeg
: Securing CF Apps.) -Original Message- From: Matt Liotta If that's all, I guess I'll continue to use cfquery. I find that the most valid reason for using stored procedures is for transaction processing. If I need to tie several pieces of functionality together in one database hit, then I

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Tony Weeg
Original Message- From: Stephen Barry [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 5:23 AM To: CF-Talk Subject: RE: why are procedures better? (was: RE: Securing CF Apps.) While not wanting to get into the whole Stored Procedures V argument, I have to say there are times wh

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Deanna Schneider
-Original Message- From: Matt Liotta If that's all, I guess I'll continue to use cfquery. I find that the most valid reason for using stored procedures is for transaction processing. If I need to tie several pieces of functionality together in one database hit, then I'll put it in a stored

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Matt Liotta
  them - while I'm a big fan of separating business logic from   > presentation, >  for pure development speed you can't beat . > >  - Steve Barry > >  > -Original Message- >  > From: Matt Liotta [mailto:[EMAIL PROTECTED] >  > Sent: 24 March 2004 01:48 &

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Stephen Barry
ion, for pure development speed you can't beat . - Steve Barry > -Original Message- > From: Matt Liotta [mailto:[EMAIL PROTECTED] > Sent: 24 March 2004 01:48 > To: CF-Talk > Subject: Re: why are procedures better? (was: RE: Securing CF Apps.) > > > > 1. They

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-24 Thread Jochem van Dieten
Steve Nelson said: > Just out silly curiosity, I'd love to hear the > advantages/disadvantages between these three versions of selecting a > recordset from a db. > > version 1 > - > >  select first_name >  from users >  where user_id='#url.user_id#' > Thi

RE: Securing CF Apps.

2004-03-24 Thread Jochem van Dieten
Steve Nelson said: > Is that true? Every time I've heard about some big new hack on > Windows, big enough to make the news, the patch was either already > available or available in less than 24 hours. That they only make the news when Microsoft's marketing department starts advertizing patch avail

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-23 Thread Steve Nelson
lk   Subject: Re: why are procedures better? (was: RE: Securing CF Apps.)   >  I am sure there are more reasons, but I think those are sufficient to   > use   >  procedures.   >   If that's all, I guess I'll continue to use cfquery.   -Matt

RE: RE: Securing CF Apps.

2004-03-23 Thread Kwang Suh
I for one do not believe in creating definitions out of thin air to suit a particular argument, as was done here. -Original Message- From: Tom Kitta [mailto:[EMAIL PROTECTED] Sent: March 23, 2004 8:04 PM To: CF-Talk Subject: RE: RE: Securing CF Apps. May I point out that definitions

RE: Securing CF Apps.

2004-03-23 Thread Michael T. Tangorre
>I am speaking at CFUN-04 on security, so for those of you interested; >you should attend my talk. I look forward to the talk and plan to attend assuming I do not get mugged for starting this topic! It was great however to read the replies, I came in looking for a little info as to how others wer

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-23 Thread Tony Weeg
b d e s i g n [EMAIL PROTECTED] www.revolutionwebdesign.com its only looks good to those who can see bad as well -anonymous -Original Message- From: Matt Liotta [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 8:48 PM To: CF-Talk Subject: Re: why are procedures better? (was: RE: Sec

RE: Securing CF Apps.

2004-03-23 Thread Steve Nelson
EMAIL PROTECTED]   Sent: Tuesday, March 23, 2004 10:20 PM   To: CF-Talk   Subject: RE: Securing CF Apps.   Also if a problem is discovered and a patch needs to be issued the mean time   taken by Linux developers is less than that of Windows.

RE: Securing CF Apps.

2004-03-23 Thread Tom Kitta
: Securing CF Apps.   >  This depends on your experiences. I know for a fact that I have   > installed   >  more patches to the Red Hat boxes I look after than to the   > W2k/XP/W2k3 boxes   >  that I look after since Jan 1st 2004.   >   Patches for what? Patches for things that

RE: RE: Securing CF Apps.

2004-03-23 Thread Tom Kitta
money is a natural state :) TK [Tom Kitta] -Original Message- From: Kwang Suh [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 7:13 PM To: CF-Talk Subject: Re: RE: Securing CF Apps.   What a weak argument.  Prove to me that is the definition of a web site.   - Original

RE: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-23 Thread Tom Kitta
esday, March 23, 2004 8:48 PM   To: CF-Talk   Subject: Re: why are procedures better? (was: RE: Securing CF Apps.)   > 1. They execute faster.  The db (I only know from Oracle and SQL   > Server, if   >  others are different it doesn't really concern me) can optimize the   >  executio

Re: Securing CF Apps.

2004-03-23 Thread Matt Liotta
> Again, I am using an open algorithm.  You can break it.  It's a speed > bump. > That isn't a speed bump then. It would be more akin to a solid yellow line. I seem to drive over those all the time. >  It also makes it more difficult to get something to go on, and makes > it take >  more time. 

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-23 Thread Matt Liotta
> 1. They execute faster.  The db (I only know from Oracle and SQL > Server, if >  others are different it doesn't really concern me) can optimize the >  execution plan. > Prepared statements execute at the same speed as stored procedures. >  2. You can often times do more. There are things I can

Re: Securing CF Apps.

2004-03-23 Thread Matt Liotta
>  This depends on your experiences. I know for a fact that I have > installed >  more patches to the Red Hat boxes I look after than to the > W2k/XP/W2k3 boxes >  that I look after since Jan 1st 2004. > Patches for what? Patches for things that aren't applicable don't count because if you don't

Re: Securing CF Apps.

2004-03-23 Thread Matt Liotta
> I have said time and again that I follow a layered approach to > security. >  Would security through obscurity work in and of itself?  No, it > wouldn't. >  However combined with many of the other best practices we have > discussed >  here today it can make for a reasonably well protected appl

Re: Securing CF Apps.

2004-03-23 Thread Matt Liotta
> It was already proven by someone else in another post. > I saw a post with some stats, but nothing to prove your point. Let me know when you can do that. -Matt

Re: Securing CF Apps.

2004-03-23 Thread Matt Liotta
> Listen, channeling a user so that they have to follow a certain process >  doesn't add hassles.  If anything it stops them from leaving your app > in the >  middle of a necessary step in a process, or makes it easier for them > to >  navigate from point a to point b. > That is only true if ever

Re: RE: Securing CF Apps.

2004-03-23 Thread Kwang Suh
Precisely why I don't agree with pretty much everything you've stated today. - Original Message - From: "Heald, Tim" <[EMAIL PROTECTED]> Date: Tuesday, March 23, 2004 4:28 pm Subject: RE: Securing CF Apps. > Why do I need someone to agree with me?  I have

Re: SPAM: RE: Securing CF Apps.

2004-03-23 Thread Jochem van Dieten
Steve Milburn wrote: > I stumbled across this article that may be of some interest: > http://www.theinquirer.net/?article=13420 If we take the numbers at face value, it shows MS OS'es have more advisories than the Linux kernel. If we dig deeper, we see for instance: http://secunia.com/product/143/

RE: Securing CF Apps.

2004-03-23 Thread Andy Ousterhout
Mission accomplished!  :-)   -Original Message-   From: Rob [mailto:[EMAIL PROTECTED]   Sent: Tuesday, March 23, 2004 5:09 PM   To: CF-Talk   Subject: RE: Securing CF Apps.   On Tue, 2004-03-23 at 14:58, Andy Ousterhout wrote:   > Let the semantic battle begin..   >   > U

RE: Securing CF Apps.

2004-03-23 Thread Tom Kitta
 Sent: Tuesday, March 23, 2004 6:09 PM   To: CF-Talk   Subject: RE: Securing CF Apps.   On Tue, 2004-03-23 at 14:58, Andy Ousterhout wrote:   > Let the semantic battle begin..   >   > Unless the point of this discussion is to argue, why not start with how you   > define an application?   

RE: Securing CF Apps.

2004-03-23 Thread Dave Watts
> > If you want a secure app, don't let users see your > > fuseaction names. > > If you want a secure app, don't let anyone use it...  ;) Truer words were never written. > As for using the security of your DB instead of > application-based security - in my opinion this is possibly > *less* se

Re: RE: Securing CF Apps.

2004-03-23 Thread Kwang Suh
What a weak argument.  Prove to me that is the definition of a web site. - Original Message - From: "Heald, Tim" <[EMAIL PROTECTED]> Date: Tuesday, March 23, 2004 3:38 pm Subject: RE: Securing CF Apps. > I think something used to either sell products on the web, or pr

SPAM: RE: Securing CF Apps.

2004-03-23 Thread Steve Milburn
I stumbled across this article that may be of some interest: http://www.theinquirer.net/?article=13420   _   From: Jochem van Dieten [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 5:53 PM To: CF-Talk Subject: Re: Securing CF Apps. Heald, Tim wrote: > M$ operating systems.

Re: why are procedures better? (was: RE: Securing CF Apps.)

2004-03-23 Thread Jochem van Dieten
Heald, Tim wrote: > 1. They execute faster.  The db (I only know from Oracle and SQL Server, if > others are different it doesn't really concern me) can optimize the > execution plan. Prepared statements have precompiled execution plans as well. > 3. You can limit access with them.  Now granted y

RE: Securing CF Apps.

2004-03-23 Thread Barney Boisvert
uesday, March 23, 2004 3:26 PM > To: CF-Talk > Subject: RE: Securing CF Apps. > > > Your statement is false, but since you made it, I'll let > you prove it. > > This depends on your experiences. I know for a fact that I > have installed > more patches to the Red Ha