On Tuesday 06 Mar 2007, Mik Muller wrote:
> will allow any access unless the referer is the same domain and of the
> paired edit/add page (with a few exceptions), ie; page_edit.cfm and
> page_edit_action.cfm (gotta love lists... my favorite thing). I did this
Without realising that some people don
On 3/6/07, Robertson-Ravo, Neil (RX)
<[EMAIL PROTECTED]> wrote:
> Couldn't you provide the functionality of adding a google search box in the
> CMS. That way you control how it is added /displayed etc?
I think you're working very hard to preserve a textbook definition of
what you think the client'
-Original Message-
From: Matt Robertson
To: CF-Talk
Sent: Tue Mar 06 23:59:38 2007
Subject: Re: XSS - Cross Site Scripting
On 3/6/07, Robertson-Ravo, Neil (RX)
<[EMAIL PROTECTED]> wrote:
> Isn't that the whole point of a CMS?
On 3/6/07, Dave Watts <[EMAIL PROTECTED]> wrote:
> > It is my job to make them aware of the risks. Not to tell
> > them what their job should and should not be.
>
> Perhaps you should reread your question, and my response.
Well, here's what I am keying on. I originally said
> Explain successfull
On 3/6/07, Robertson-Ravo, Neil (RX)
<[EMAIL PROTECTED]> wrote:
> Then surely the CMS isn't doing its job? They are coding when the CMS
> should be managing the work?
ONLY if you rigidly define the CMS' job by your definition. What if
the customer -- who owns the system, after all, and is paying
On 3/6/07, Robertson-Ravo, Neil (RX)
<[EMAIL PROTECTED]> wrote:
> Isn't that the whole point of a CMS? It should negate the need for users to
> "code"
I would answer that a lot of things "should" be in this world but
reality doesn't always conform to the textbook definition. In the
real world peo
Subject: Re: XSS - Cross Site Scripting
On 3/6/07, Robertson-Ravo, Neil (RX)
<[EMAIL PROTECTED]> wrote:
> Surely there can be no real justification for them to do JS which you do not
> provide as a developer?
Well, the web page they are maintaining is kept inside of a cms, and
the site owner's staff needs to input little bits of js into
-Original Message-
From: Mary Jo Sminkey
To: CF-Talk
Sent: Tue Mar 06 21:56:07 2007
Subject: Re: XSS - Cross Site Scripting
> It is my job to make them aware of the risks. Not to tell
> them what their job should and should not be.
Perhaps you should reread your question, and my response.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instr
>Surely there can be no real justification for them to do JS which you do not
>provide as a developer?
In a CMS there certainly may be. I've run into similar issues with CFWebstore
where customers often want to input some kind of custom script in some pages
(Bizrate popup during checkout for ins
On 3/6/07, Dave Watts <[EMAIL PROTECTED]> wrote:
> That is part of your job as a developer,
It is my job to make them aware of the risks. Not to tell them what
their job should and should not be. In this case the job was to input
javascript into a web page that was a part of their existing CMS.
>memo to me. pay attention
LOL...of course I *never* make the mistake of answering the wrong question. ;-)
--- Mary Jo
-Original Message-
From: Matt Robertson
To: CF-Talk
Sent: Tue Mar 06 22:45:44 2007
Subject: Re: XSS - Cross Site Scripting
On 3/6/07, Dave Watts <[EMAIL PROTECTED]> wrote:
> And, if you're going to allow users to provide arbitrary JavaScript,
It's what the client demanded and based on their needs it was a
justifiable request.
By 'draconian' I meant that the protection is applied to all form
inputs, regardless of user
> Explain successfully to the client why they can't do the work
> they want, and they shouldn't want it, and you can tut all
> you like. I'll even let a 'harumph' slide :D
That is part of your job as a developer, unfortunately. If you make them
aware of the (very serious) risks resulting from
On 3/6/07, Mary Jo Sminkey <[EMAIL PROTECTED]> wrote:
> For XSS? How does that do anything? It will prevent SQL injection, but that's a
> totally different attack.
memo to me. pay attention
--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com
> An old tried and true defense component is cfqueryparam.
>
> Search for "xss" and "cross-site scripting" and you should
> find a wealth of information going back years on the subject.
I'm sure you're already aware of this, but as helpful as CFQUERYPARAM is, it
will not do anything to prevent X
>An old tried and true defense component is cfqueryparam.
For XSS? How does that do anything? It will prevent SQL injection, but that's a
totally different attack.
>The CF7 admin-level defense is, I have to say, not something I have
>any comfort level with. So far it's gotten itself shut off f
Sent: Tue Mar 06 22:16:37 2007
Subject: Re: XSS - Cross Site Scripting
On 3/6/07, Robertson-Ravo, Neil (RX)
<[EMAIL PROTECTED]> wrote:
> CMS users adding JS?! Tut tut :-)
Explain successfully to the client why they can't do the work they
want, and they shouldn't want it, and you can tut all you like. I'll
even let a 'harumph' slide :D
--
[EMAIL PROTECTED]
Janitor
Sent: Tue Mar 06 21:54:51 2007
Subject: Re: XSS - Cross Site Scripting
An old tried and true defense component is cfqueryparam.
Search for "xss" and "cross-site scripting" and you should find a
wealth of information going back years on the subject.
The CF7 admin-level defense is, I have to say, not something I have
any comfort level with. So far it's gotten itself s
The built in script protection has a secunia vulnerability posted against it
stating there is a method to circumvent it. You can find it here:
http://secunia.com/advisories/23281/
Simply checking the domain submitting is the referral etc. is not always
foolproof as we've found individuals on cer
If you're using MX7 they have a setting called scriptProtect that can be set
in both app.cfm and app.cfc to protect an individual scope or "ALL". That
should do the job to a certain extent.
Rob
-Original Message-
From: Mik Muller [mailto:[EMAIL PROTECTED]
Sent: 06 March 2007 16:44
To: CF-