Re: security issue with reading file with cfimage read and write

2014-05-20 Thread Russ Michaels
What is the security issue exactly? Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 20 May 2014 03:19, Matthew Smith chedders...@gmail.com wrote: /Had it working a couple of times but I think I am having pathing issues here and there. Not sure where I am off

Re: security issue with reading file with cfimage read and write

2014-05-20 Thread Byron Mann
The try catch seems peculiar. If the first CFimage fails and throws an error, things go inside the cfcatch. The first line inside there is the same as the very first, so I would assume you are really getting 2 of the same errors in a row, and not catching the second. I can only see this working,

Re: security issue with reading file with cfimage read and write

2014-05-20 Thread .jonah
The first call is to the ./resize/ directory for the already processed image. If that fails, the source image is read, processed, and saved into the ./resize/ directory. At a glance it seems like this code should work OK. I'm not sure what Matthew's question is either. (As long as

security issue with reading file with cfimage read and write

2014-05-19 Thread Matthew Smith
/Had it working a couple of times but I think I am having pathing issues here and there. Not sure where I am off... Any help is appreciated... cftry cfimage action=read name=myImage

Re: Best practices for xss security in CMS? - Related Question

2014-03-06 Thread Pete Freitag
? Hi Nick, Yes if you have the following: Content-Security-Policy: default-src 'self'; It will block any <script>code here</script> tags in your page, you can only use <script src=/some/uri/script This is a recognized problem in CSP 1.0 and CSP 1.1 is currently in development right now with two

Re: Best practices for xss security in CMS? - Related Question

2014-03-05 Thread Nick Gleason
Hi Pete, I've been researching CSP and it sounds like a pretty cool option. But, I just wanted to follow up on this comment that you made below: -- it will also block inline scripts and style elements -- Are you

Re: Best practices for xss security in CMS? - Related Question

2014-03-04 Thread Pete Freitag
every user of the site but the attacker can use the hole to eventually get the info they are after. Re: the content security policy, that looks very interesting. Watching a presentation on it now. One quick question. If we are using that on a site and then an admin comes in and uses an iframe

Re: Best practices for xss security in CMS?

2014-03-03 Thread Russ Michaels
tags you allow. However relying on passwords alone is almost pointless these days unless you at the very least enforce some password strength, as your security is then only as strong as the person with the weakest password. You could consider some extra steps for any back end/cms system

Re: Best practices for xss security in CMS?

2014-03-03 Thread Dave Watts
Dave, this is an interesting idea which we haven't pursued yet. I don't have a clear sense of how the server configuration would work here. Would you have two separate db servers (one for authored content and one for published content) that would sync up? Or would you have an authoring

Re: Best practices for xss security in CMS? - Related Question

2014-03-03 Thread Pete Freitag
protection). So basically any time you take a variable that comes from the user or some other untrusted source and output it, you have the potential for an XSS hole. Also you should check out Content-Security-Policy headers; this can help reduce XSS risks significantly on browsers that support it. See

RE: Best practices for xss security in CMS? - Related Question

2014-03-03 Thread Nick Gleason
, won't it be clean? I guess that, assuming we have no sql injection to the db, I don't see how that attack stays persistent (as it would possibly for a comment or forum post). Sorry to be over-simple on this. Re: the content security policy, that looks very interesting. Watching a presentation

RE: Best practices for xss security in CMS?

2014-03-03 Thread Russ Michaels
You could manage the web.config ip filter via cf. You can also have the option to disable 2 factor authentication for a specific computer for 30 days which is a common option, using either a cookie or ip logging. Russ Michaels www.michaels.me.uk cfmldeveloper.com cflive.net cfsearch.com On 3 Mar

RE: Best practices for xss security in CMS?

2014-03-03 Thread Nick Gleason
Hi Russ, This is very interesting. In this case, we limit failed logins to a fairly small number before the login is disabled so in theory that would prevent dictionary style attacks, even against fairly weak logins. If you think that is flawed, let me know. We've discussed adding an IP

Re: Best practices for xss security in CMS? - Related Question

2014-03-03 Thread Money Pit
Nick you are correct, strictly speaking. That simple example is harmless, it runs only one time and is 'visible' only to the single client. Consider what happens if the payload that is executed is nowhere nearly as benign. At that point, code of some kind is being executed on your server that

Re: Best practices for xss security in CMS? - Related Question

2014-03-03 Thread Money Pit
To clarify, I was oversimplifying above when I said 'code is being executed on your server'. Pete's script example would of course need to link up with some other vulnerability for that to happen (i.e. an unpatched exploit of some kind). Since you can't predict such things, you minimize the

RE: Best practices for xss security in CMS?

2014-03-02 Thread Nick Gleason
:29 AM To: cf-talk Subject: Re: Best practices for xss security in CMS? I'm very interested in your feedback on best practices when 1) trying to mitigate risk of XSS and other hacks while 2) providing CMS functionality that includes a web editor that clients use to publish web pages

RE: Best practices for xss security in CMS?

2014-03-02 Thread Nick Gleason
, 2014 9:39 AM To: cf-talk Subject: Re: Best practices for xss security in CMS? with any decent editor including CKeditor and tinyMCE, you can specify down to a granular level which html tags and attributes are allowed/not allowed, just check the docs and there should be a config file somewhere

RE: Best practices for xss security in CMS?

2014-03-02 Thread Nick Gleason
...@gmail.com] Sent: Friday, February 28, 2014 11:10 AM To: cf-talk Subject: Re: Best practices for xss security in CMS? Sorry, I only read as far as disabling Javascript and was commenting on that. The fact remains that anything done *clientside* is not reliable. It seems we're not disagreeing

RE: Best practices for xss security in CMS?

2014-03-02 Thread Nick Gleason
practices for xss security in CMS? That's a bit narrow-sighted. Hackers don't disable JS to bypass clientside pre-validation, they just post the form directly. Often the server code is not coded in such a way to be aware how a post is made (via a legit form, or just by a POST request). *Always

RE: Best practices for xss security in CMS? - Related Question

2014-03-02 Thread Nick Gleason
-Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Friday, February 28, 2014 11:58 AM To: cf-talk Subject: Re: Best practices for xss security in CMS? tsk, not reading properly before replying is very naughty, I will set Charlie Arehart on you. I am quite confident

Re: Best practices for xss security in CMS?

2014-02-28 Thread Dave Watts
are managing these issues effectively. Our users who are creating web pages with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security - not anyone can use the editor to create a web page. But, we have generally had a lot more security than

Re: Best practices for xss security in CMS?

2014-02-28 Thread Russ Michaels
who are creating web pages with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security - not anyone can use the editor to create a web page. But, we have generally had a lot more security than that. I'm assuming that there are users

Re: Best practices for xss security in CMS?

2014-02-28 Thread Adam Cameron
with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security - not anyone can use the editor to create a web page. But, we have generally had a lot more security than that. I'm assuming that there are users of Mura, Farcry and other CMS's

Re: Best practices for xss security in CMS?

2014-02-28 Thread Russ Michaels
them in making their web pages. I'd love to know how others are managing these issues effectively. Our users who are creating web pages with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security - not anyone can use

Re: Best practices for xss security in CMS?

2014-02-28 Thread Adam Cameron
but don't frustrate them in making their web pages. I'd love to know how others are managing these issues effectively. Our users who are creating web pages with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security

Re: Best practices for xss security in CMS?

2014-02-28 Thread Russ Michaels
with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security - not anyone can use the editor to create a web page. But, we have generally had a lot more security than that. I'm assuming that there are users

Re: Best practices for xss security in CMS?

2014-02-28 Thread Adam Cameron
Sorry, I only read as far as disabling Javascript and was commenting on that. The fact remains that anything done *clientside* is not reliable. It seems we're not disagreeing there. Certainly having a WAF is borderline essential on anything other than a trivial site. I'm not entirely sure doing

Re: Best practices for xss security in CMS?

2014-02-28 Thread Russ Michaels
tsk, not reading properly before replying is very naughty, I will set Charlie Arehart on you. I am quite confident that fuseguard would do a better job than a generic WAF on a CF site, and anyone on shared hosting won't really have the option to do a server wide solution. but certainly if you use

Re: Best practices for xss security in CMS?

2014-02-20 Thread Pete Freitag
Hi Nick, It is tricky to handle HTML content while avoiding XSS, there are two tools I'm aware of that can help you here: 1) scrubHTML() - This is one I built in pure CFML and I think it is pretty easy to build a whitelist of allowed html using it: https://github.com/foundeo/cfml-security

Re: Best practices for xss security in CMS?

2014-02-20 Thread Nick Gleason
Thanks very much Pete. We have implemented Portcullis among other things and that will also block tags like the ones mentioned. I think that may be similar to the ones that you mention. I expect that Fuseguard has something similar. I guess my follow up question may have to be with what

Best practices for xss security in CMS?

2014-02-19 Thread Nick Gleason
are managing these issues effectively. Our users who are creating web pages with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security - not anyone can use the editor to create a web page. But, we have generally had a lot more security than

CF web services and mobile security

2013-05-06 Thread Michael Sanchez
I need to create 2 things: - a mobile application: I need it to stay logged in for an X period of time or forever... - a set of web services that manage user creation, authentication and authorization for the mobile app, in CF. I am new to Adobe CF. I was maybe looking for some WS-Security

Re: CF web services and mobile security

2013-05-06 Thread Russ Michaels
was maybe looking for some WS-Security approach using tokens (STS), but not sure if it is the right way, or how to start. Currently, I am trying to understand the Axis2 Rampart extension: http://axis.apache.org/axis2/java/rampart/ Any advice on this topic

Re: CF sandbox security

2013-04-03 Thread Earl, George
Is CF sandbox security intended to secure the application runtime environment or is it intended to secure directory and folder access during development when developers upload and access files? Or is it intended for both? Thanks Russ and Dave. I suspected it was as both of you have said

CF sandbox security

2013-04-02 Thread Earl, George
Is CF sandbox security intended to secure the application runtime environment or is it intended to secure directory and folder access during development when developers upload and access files? Or is it intended for both? For example, are sandboxes the way to go if we want to restrict

Re: CF sandbox security

2013-04-02 Thread Russ Michaels
a sandbox. Regards Russ Michaels www.michaels.me.uk www.cfmldeveloper.com - Free CFML hosting for developers www.cfsearch.com - CF search engine On Apr 2, 2013 6:10 PM, Earl, George george.e...@ssa.gov wrote: Is CF sandbox security intended to secure the application runtime environment

Re: CF sandbox security

2013-04-02 Thread Dave Watts
Is CF sandbox security intended to secure the application runtime environment or is it intended to secure directory and folder access during development when developers upload and access files? Or is it intended for both? Sandbox security and developer-specific CF Admin/RDS logins together

JRun errors after security patch install

2013-01-16 Thread Terry Ford
Hello -- I installed the security patch last night on cf 9.1 linux, and woke up this morning to find that some of our templates no longer work: [Wed Jan 16 09:28:27 2013] [notice] jrApache[1978: 53193]  returning error page for JRun too busy or out of memory They return a 500 error

Re: JRun errors after security patch install

2013-01-16 Thread Carl Von Stetten
Terry, I assume you are referring to the latest patch released earlier this week. Since it was a cumulative patch, it included some previously released security improvements as well as the new ones. One of the older security improvements was to add a Post Parameter Limit setting to prevent

Re: JRun errors after security patch install

2013-01-16 Thread Terry Ford
@houseoffusion.com Sent: Wednesday, January 16, 2013 8:49 AM Subject: Re: JRun errors after security patch install Terry, I assume you are referring to the latest patch released earlier this week.  Since it was a cumulative patch, it included some previously released security improvements as well

Re: New Security Issue with CF

2013-01-05 Thread John M Bliss
Another: http://blogs.coldfusion.com/post.cfm/a-new-security-advisory-for-coldfusion-is-now-available On Fri, Jan 4, 2013 at 7:55 PM, Eric Bourland e...@ebwebwork.com wrote: Claude, thank you. That's really helpful information and gives me perspective. Eric -Original Message

Re: New Security Issue with CF

2013-01-04 Thread John M Bliss
First official comment from Adobe(?) http://blogs.adobe.com/psirt/2013/01/upcoming-security-advisory-for-coldfusion.html On Thu, Jan 3, 2013 at 8:11 AM, Robert Rhodes rrhode...@gmail.com wrote: I looked into this a bit more this morning, and have realized that I may have gotten very lucky

Re: New Security Issue with CF

2013-01-04 Thread Money Pit
Things must be bad if they are issuing something that ominous-sounding without a solution. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now!

Re: New Security Issue with CF

2013-01-04 Thread Brian Cain
Don't get me wrong, I detest hackers and their exploits, but I think the way this one works is quite ingenious. My server did get hit, but after reviewing the log files and checking for changes, I don't think they did anything. I am thankful for that, cause they could have done some major damage.

Re: New Security Issue with CF

2013-01-04 Thread Claude Schnéegans
but I think the way this one works is quite ingenious. I'm not sure if it is as much ingenious as the breach is gross, frankly. Have you seen how the scheduled task could have been set?

Re: New Security Issue with CF

2013-01-04 Thread Steve Artis
Yes Sent from my iPhone On Jan 4, 2013, at 12:28 PM, Claude Schnéegans schneeg...@internetique.com wrote: but I think the way this one works is quite ingenious. I'm not sure if it is as much ingenious as the breach is gross, frankly. Have you seen how the scheduled task could have been

Fwd: New Security Issue with CF

2013-01-04 Thread Steve Artis
: New Security Issue with CF Reply-To: cf-talk@houseoffusion.com Yes Sent from my iPhone On Jan 4, 2013, at 12:28 PM, Claude Schnéegans schneeg...@internetique.com wrote: but I think the way this one works is quite ingenious. I'm

RE: New Security Issue with CF

2013-01-04 Thread Eric Bourland
- From: Steve Artis [mailto:st...@artisdesigns.com] Sent: Friday, January 04, 2013 1:30 PM To: cf-talk Subject: Re: New Security Issue with CF Yes Sent from my iPhone On Jan 4, 2013, at 12:28 PM, Claude Schnéegans schneeg...@internetique.com wrote: but I think the way this one works

Re: New Security Issue with CF

2013-01-04 Thread Claude Schnéegans
I downloaded and reviewed the h.cfm file -- yeah, it is pretty clever. The file itself is some tool designed to be used by developers, probably not developed by the hacker himself. He just found a way to store it on servers. but how did that hacker place the h.cfm file in /CFIDE/ to begin

Re: New Security Issue with CF

2013-01-04 Thread Justin Scott
The file itself is some tool designed to be used by developers, probably not developed by the hacker himself. He just found a way to store it on servers. I've seen this tool make the rounds before through other attack vectors. It's been around since at least ColdFusion MX 6. The

Re: New Security Issue with CF

2013-01-04 Thread Brian Cain
I agree. It is the insertion method I am intrigued by. It is that type of non-linear thinking that we as developers use to create elegant solutions. The tool is ugly, and not that special, but the insertion method is clever. What I don't understand is why Adobe would allow something like

RE: New Security Issue with CF

2013-01-04 Thread Eric Bourland
PM To: cf-talk Subject: Re: New Security Issue with CF I downloaded and reviewed the h.cfm file -- yeah, it is pretty clever. The file itself is some tool designed to be used by developers, probably not developed by the hacker himself. He just found a way to store it on servers. but how did

Fwd: New Security Issue with CF

2013-01-03 Thread Robert Rhodes
...@gmail.com Date: Thu, Jan 3, 2013 at 12:00 AM Subject: Re: New Security Issue with CF To: cf-talk@houseoffusion.com Thanks. I saw that afterwards. I was freaking out a bit there. Still am. :( I have gone through the logs on that server (windows 2008 R2 server running IIS7.5 and CF9.02

New Security Issue with CF

2013-01-02 Thread Larry Lyons
A new CF security issue was just discovered a few days ago. You may want to forward this information to whomever is your CF Admin. http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat To make a very long story short, the exploit allows a hacker to upload a file

Re: New Security Issue with CF

2013-01-02 Thread Russ Michaels
and also read the following article. http://www.michaels.me.uk/post.cfm/securing-your-coldfusionmx-installation-on-windows On Wed, Jan 2, 2013 at 7:47 PM, Larry Lyons larrycly...@gmail.com wrote: A new CF security issue was just discovered a few days ago. You may want to forward

Re: New Security Issue with CF

2013-01-02 Thread Money Pit
Thanks for posting. I thought I had my stuff locked down pretty well but I screwed up and left a door open. The nature of this is almost unbelievably nasty. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com

Re: New Security Issue with CF

2013-01-02 Thread Robert Rhodes
Lyons larrycly...@gmail.com wrote: A new CF security issue was just discovered a few days ago. You may want to forward this information to whomever is your CF Admin. http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat To make a very long story short

Re: New Security Issue with CF

2013-01-02 Thread Raymond Camden
Michaels r...@michaels.me.uk wrote: and also read the following article. http://www.michaels.me.uk/post.cfm/securing-your-coldfusionmx-installation-on-windows On Wed, Jan 2, 2013 at 7:47 PM, Larry Lyons larrycly...@gmail.com wrote: A new CF security issue was just discovered

RE: New Security Issue with CF

2013-01-02 Thread Eric Bourland
needed to lock down the /CFIDE/ directory, yet make /CFIDE/scripts/ available for use by ColdFusion? All of my web sites and databases seem unaltered. But I am obviously a nervous wreck about this new security hole. Eric -Original Message- From: Raymond Camden [mailto:raymondcam...@gmail.com

Re: New Security Issue with CF

2013-01-02 Thread Robert Rhodes
security issue was just discovered a few days ago. You may want to forward this information to whomever is your CF Admin. http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat To make a very long story short, the exploit allows a hacker

Re: New Security Issue with CF

2013-01-02 Thread Wil Genovese
at 7:47 PM, Larry Lyons larrycly...@gmail.com wrote: A new CF security issue was just discovered a few days ago. You may want to forward this information to whomever is your CF Admin. http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat To make a very

Re: New Security Issue with CF

2013-01-02 Thread Wil Genovese
, Jan 2, 2013 at 7:47 PM, Larry Lyons larrycly...@gmail.com wrote: A new CF security issue was just discovered a few days ago. You may want to forward this information to whomever is your CF Admin. http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat

Re: Security Question(s)

2012-11-20 Thread Pete Freitag
On Mon, Nov 19, 2012 at 1:48 PM, Jamie Bowers jamiembow...@netscape.net wrote: Somewhat related, how do I determine that any hot-fix or security patch I may download and install is indeed installed? Jamie, one thing I'd like to point out is that if you are using CF7 then you have unpatched

Re: Security Question(s)

2012-11-19 Thread Jamie Bowers
fusion security primer online about these kinds of things somewhere? I'd start with the CF 9 Lockdown Guide - while it doesn't really talk about secure programming specifically, it does give you an idea of the range and functionality of vulnerabilities. That is really well written, and I

Re: Security Question(s)

2012-11-16 Thread Jamie Bowers
I haven't done Coldfusion since CF4, however recently have been tasked to look at a CF7MX application that has 3 security issues they are looking to fix. 1. Cross Site Scripting - I believe I have this one figured out using the Admin Panel's Enable global script protection 2

Re: Security Question(s)

2012-11-16 Thread Russ Michaels
application that has 3 security issues they are looking to fix. 1. Cross Site Scripting - I believe I have this one figured out using the Admin Panel's Enable global script protection 2. Format String Injection 3. Parameter Based Buffer Overflow I have been able to find

Re: Security Question(s)

2012-11-16 Thread Dave Watts
security primer online about these kinds of things somewhere? I'd start with the CF 9 Lockdown Guide - while it doesn't really talk about secure programming specifically, it does give you an idea of the range and functionality of vulnerabilities. That is really well written, and I think every CF

Security Question(s)

2012-11-15 Thread Jamie Bowers
I haven't done Coldfusion since CF4, however recently have been tasked to look at a CF7MX application that has 3 security issues they are looking to fix. 1. Cross Site Scripting - I believe I have this one figured out using the Admin Panel's Enable global script protection 2. Format String

Re: Security Question(s)

2012-11-15 Thread Russ Michaels
/ The quick and simple solution would probably be to use Fuseguard. http://foundeo.com/security/ On Thu, Nov 15, 2012 at 4:55 PM, Jamie Bowers jamiembow...@netscape.net wrote: I haven't done Coldfusion since CF4, however recently have been tasked to look at a CF7MX application that has 3

RE: Security Question(s)

2012-11-15 Thread Eric Roberts
...@threeravensconsulting.com tel: 630-486-5255 fax: 630-310-8531 http://www.threeravensconsulting.com -Original Message- From: Jamie Bowers [mailto:jamiembow...@netscape.net] Sent: Thursday, November 15, 2012 10:55 AM To: cf-talk Subject: Security Question(s) I haven't

Re: Security Question(s)

2012-11-15 Thread Jamie Bowers
...@threeravensconsulting.com tel: 630-486-5255 fax: 630-310-8531 http://www.threeravensconsulting.com I haven't done Coldfusion since CF4, however recently have been tasked to look at a CF7MX application that has 3 security issues they are looking to fix. 1. Cross Site Scripting

Re: Security Question(s)

2012-11-15 Thread Dave Watts
I haven't done Coldfusion since CF4, however recently have been tasked to look at a CF7MX application that has 3 security issues they are looking to fix. 1. Cross Site Scripting - I believe I have this one figured out using the Admin Panel's Enable global script protection 2. Format

Resolving security vulnerability

2012-10-04 Thread fun and learning
Hi All, I am using input hidden fields for some CGI variables. The security scan has issued 'information leakage' threat. These variables are defined in a file and the file is included in various places. What is the best way to resolve this vulnerability? Thanks

Re: Resolving security vulnerability

2012-10-04 Thread Rob Voyle
Hi I created a template that checks variables against threats and then use a collection=#form# cfloop that tests all form variables including the hidden fields against the threats. It solved that particular PCI security compliance check. rob On 4 Oct 2012 at 9:57, fun and learning wrote

Re: Resolving security vulnerability

2012-10-04 Thread Russ Michaels
and then use a collection=#form# cfloop that tests all form variables including the hidden fields against the threats. It solved that particular PCI security compliance check. rob On 4 Oct 2012 at 9:57, fun and learning wrote: Hi All, I am using input hidden fields for some CGI

Re: Resolving security vulnerability

2012-10-04 Thread fun and learning
what information is passed around in the hidden fields, is it anything that could be used to hijack sessions, get into users accounts or personal details etc ? On Thu, Oct 4, 2012 at 3:11 PM, Rob Voyle robvo...@voyle.com wrote: It is remotehost,remoteaddress

Re: Resolving security vulnerability

2012-10-04 Thread Russ Michaels
move it into a session variable instead and that will solve that issue. On Thu, Oct 4, 2012 at 4:05 PM, fun and learning funandlrnn...@gmail.com wrote: what information is passed around in the hidden fields, is it anything that could be used to hijack sessions, get into users accounts or

Re: Resolving security vulnerability

2012-10-04 Thread Pete Freitag
? On Thu, Oct 4, 2012 at 9:57 AM, fun and learning funandlrnn...@gmail.com wrote: Hi All, I am using input hidden fields for some CGI variables. The security scan has issued 'information leakage' threat. These variables are defined in a file and the file is included in various places. What

Re: XML Security

2012-04-06 Thread Dave Watts
I was presented with some questions regarding XML and was wondering if there are any settings in Coldfusion to disable any of these or I do not need to worry about it since we do not use any XML in our code: 1. How application employs methods for XML schema validation. 2. How

XML Security

2012-04-05 Thread Chad Baloga
I was presented with some questions regarding XML and was wondering if there are any settings in Coldfusion to disable any of these or I do not need to worry about it since we do not use any XML in our code: 1. How application employs methods for XML schema validation. 2. How application

Re: XML Security

2012-04-05 Thread Brian Thornton
That's correct Chad. If you run linux or strict casing this is also a security improvement over loose DTD as well. It's eerily close to SOX compliance questions that auditors generally ask when reviewing apps. On Thu, Apr 5, 2012 at 8:52 AM, Chad Baloga cbal...@gmail.com wrote: I was presented

Re: Fckeditor Security Issues

2011-12-03 Thread Russ Michaels
functionality entirely in Fckeditor in CF 8 & 9? Yes I have seen all sorts of posts trying to bypass this, but not being a security expert myself or a Java programmer I sure would like to hear from any of you out there what is out there for us to use in order to give our clients what Coldfusion gave us

RE: Fckeditor Security Issues

2011-12-03 Thread Terry Troxel
Russ, Thank you for your reply, but you missed my point. I am looking for any secure methods of locking down my (F)ckeditor's File Browser as I stated I am not a security expert nor do I know how to program in Java. I do not know how to re-enable the file browser and lock it down. I just

Re: Fckeditor Security Issues

2011-12-03 Thread Russ Michaels
see this article for options. http://www.michaels.me.uk/post.cfm/fckeditor-security-threat-in-coldfusion-8 if you want more control then you will need to install a standalone copy of fckeditor within your site and not use the one built into CF Russ On Sat, Dec 3, 2011 at 12:05 PM, Terry Troxel

RE: Fckeditor Security Issues

2011-12-03 Thread Terry Troxel
Russ, I am using the standalone editor and have been since the first attacks over a year ago, but the last couple of Coldfusion security patches have made the image browser inoperable in the standalone as well. I have file and image uploading disabled and allow users to only see the image folder

Re: Fckeditor Security Issues

2011-12-03 Thread Russ Michaels
PM, Terry Troxel terry.tro...@gmail.com wrote: Russ, I am using the standalone editor and have been since the first attacks over a year ago, but the last couple of Coldfusion security patches have made the image browser inoperable in the standalone as well. I have file and image uploading

RE: Fckeditor Security Issues

2011-12-03 Thread Terry Troxel
, December 03, 2011 2:29 PM To: cf-talk Subject: Re: Fckeditor Security Issues A coldfusion patch or update only makes changes to coldfusion and the cfadmin, it doesn't touch your website files, so if your fckeditor is breaking after an update then you must still be using the cf built in one or the error

Re: Fckeditor Security Issues

2011-12-03 Thread Russ Michaels
sure the built-in version not the standalone is disabled. Terry -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Saturday, December 03, 2011 2:29 PM To: cf-talk Subject: Re: Fckeditor Security Issues A coldfusion patch or update only makes changes

RE: Fckeditor Security Issues

2011-12-03 Thread Terry Troxel
Can you help me disable the built-in version? -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Saturday, December 03, 2011 4:08 PM To: cf-talk Subject: Re: Fckeditor Security Issues by only disabling the built in version and not the standalone version surely

Re: Fckeditor Security Issues

2011-12-03 Thread Russ Michaels
the security issues in built in version will be disabled simply by installing the security patches and updates, you don't need to do anything else. On Sun, Dec 4, 2011 at 12:22 AM, Terry Troxel terry.tro...@gmail.com wrote: Russ, Either I am speaking a different language than you or you

RE: Fckeditor Security Issues

2011-12-03 Thread Terry Troxel
Ok, so that's handled. Why is my standalone still giving me the xml error? Terry

Re: Fckeditor Security Issues

2011-12-03 Thread Dean Lawrence
Terry, It is a very easy fix. All you need to do is to add an additional argument to the JVM settings in your CF Admin. Here is a blog post which explains it. http://www.petefreitag.com/item/718.cfm On Sat, Dec 3, 2011 at 9:16 PM, Terry Troxel terry.tro...@gmail.com wrote: Ok, so that's

Fckeditor Security Issues

2011-12-02 Thread Terry Troxel
Am I correct in assuming the Adobe has turned off the Image Browser functionality entirely in Fckeditor in CF 8 & 9? Yes I have seen all sorts of posts trying to bypass this, but not being a security expert myself or a Java programmer I sure would like to hear from any of you out there what

Re: CF security update released today

2011-06-19 Thread Carl Meyer
Ditto that for CF 8.0.1 version 8,0,0,0 discussed here: http://forums.adobe.com/thread/865583?tstart=0 Not seeing any issues once hotfix is applied with datasources myself. I only access Microsoft SQL. I posted regarding CF 9.0.1 with hotfix here:

Re: CF security update released today

2011-06-19 Thread Carl Meyer
Ditto CF 9.0.1 and 8.0.1 with patch http://kb2.adobe.com/cps/907/cpsid_90784.html applied gives error when CFAdmin UI > Data & Services > Data Sources > verify all connections. CF8\runtime\log\coldfusion-out.log reports: 06/20 12:40:21 Warning [jrpp-2] - There was an error while verifying the token.

Re: CF security update released today

2011-06-19 Thread Carl Meyer
Of interest CF Server Manager verify all datasources works OK. I posted a screen cut here: http://forums.adobe.com/message/3749967#3749967 Regards, Carl. - CF 9.0.1 and 8.0.1 I'm logged out when I click on Verify all datasources in CFIDE: There was an error accessing this page. Check logs for

Re: CF security update released today

2011-06-16 Thread Mack
I'm seeing some problems after applying the update to 2 CF servers (both standard): - CF 8.0.1 the version in Server Settings > Settings Summary is now 8,0,1,0; - CF 9.0.1 and 8.0.1 I'm logged out when I click on Verify all datasources in CFIDE: There was an error accessing this page. Check

CF security update released today

2011-06-14 Thread Dave Watts
http://www.adobe.com/support/security/bulletins/apsb11-14.html -- Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction

RE: cgi.host_name Security Exploit

2011-05-21 Thread Bobby Hartsfield
To: cf-talk Subject: Re: cgi.host_name Security Exploit What about an ecommerce system that hits the test ecom system when in dev mode? If I knew your code did that, or suspected, I'd try it and use one of the many common test CC numbers, like 4111. Actually, I've seen that number work

Re: cgi.host_name Security Exploit

2011-05-19 Thread Raymond Camden
a security flaw that I have reported to the Adobe team regarding the use of the variable cgi.host_name. As you know, the cgi.host_name is typically the hostname of the server or the websites domain name. I've discovered an exploit that allows a user to basically change this variable
