On Mon, Nov 19, 2012 at 1:48 PM, Jamie Bowers jamiembow...@netscape.net wrote:
Somewhat related, how do I determine that any hot-fix or security patch I
may download and install is indeed installed?
Jamie, one thing I'd like to point out is that if you are using CF7 then
you have unpatched
And using the cfparam tags will help stop these types of attacks?
They can, but more importantly you have to either:
- not use values from the browser directly within functions, etc
- or, identify the range of acceptable values for these, and filter
accordingly.
Is there a good cold
I haven't done ColdFusion since CF4; however, I recently have been
tasked to look at a CF7MX application that has 3 security
issues they are looking to fix.
1. Cross Site Scripting - I believe I have this one figured out
using the Admin Panel's Enable global script protection
2.
Yes, there are resources online regarding this type of thing; did you check
the links I sent you in my previous reply?
On Fri, Nov 16, 2012 at 4:50 PM, Jamie Bowers jamiembow...@netscape.net wrote:
Relying on enable script protection is like closing your front door and
thinking you can't get burgled.
It may stop the casual opportunist who sees your door open and decides to
rob you, but a professional burglar won't walk in via the front door anyway;
he will find another way in.
In the same
First thing is you will want to wrap all of your query variables with a
cfqueryparam tag. I also wrap them with the XMLFormat() function as that
will render strings non-executable. For example...
<cfquery name="getRows" datasource="myDSN"> <!--- name/datasource are placeholders --->
Select x,y,z
From tablename
Where xx=<cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.xx#">
</cfquery>
Matt Robertson wrote:
Finally to my question: How can I make this process more secure?
Don't do it at all?
I got to this part of the post, then realized I'd have to go back, and
try to turn the description into something that I could plug into the
word this in the proffered question, then
Well, if your sensitive data is in a cfsavecontent variable that gets
stored to your DB, I'm not sure I see why that is insecure. The CF
server won't let the user see that, so even if a miscreant manages to
find your security alert page, all they will see is the content you let
them see. But if
Nope. This isn't about telling where a person comes from at all, or
even whether they have permission to view a template. That part is
already down pat.
There are situations where a hit to a template is something that
warrants not just a refusal to deliver the requested template, but a
security
On 10/20/05, Munson, Jacob [EMAIL PROTECTED] wrote:
Well, if your sensitive data is in a cfsavecontent variable that gets
stored to your DB, I'm not sure I see why that is insecure.
Me neither but I wanted to ask for some extra eyeballs to look at this
couldn't you send the security alert
Email addresses are usually gathered using a spider
http://www.whatis.com/definition/0,,sid9_gci213035,00.html , which grabs
pages and takes out the email addresses on it.
Sometimes people use something like
joe AT online.com
or
[EMAIL PROTECTED]
etc...
to prevent this.
WG
-Original
November 2002 11:32
To: CF-Talk
Subject: RE: security question
Marwan,
Here's how I take care of the situation.
The database field that stores your password needs to be a 32
(var)character.
When validating a user I select based upon the username only, and then I
compare the database password with the hashed user password. Something
like the following is
I have not used the hash function but this is the code straight from
Allaire's website:
<CFIF Hash(Form.Password) IS NOT MyQuery.PasswordHash>
  <CFLOCATION URL="unauthenticated.cfm">
</CFIF>
I believe your code should work.
Do you have CF Server 4.5? (use #server.coldfusion.productversion# to find
PROTECTED]]
Sent: Thursday, April 26, 2001 12:13 PM
To: CF-Talk
Subject: RE: Security Question - Revisited
Well, I'm not sure what the actual security of it is, but we use the
encrypt and decrypt functions included in CF to store the passwords in our
SQL 7 database. It wasn't all that difficult to implement. I've heard talk
on other lists about more secure ways to encrypt / decrypt the password
Marwan,
There is a new function added to CF 4.5.1 called hash(). It is mentioned
in the release notes. hash() creates an MD5 Hash of whatever
string you feed it. I use this function to encrypt the passwords of my
users before I write to the DB. This works quite well for me.
Josh Meekhof