Re: Question about my security system

2005-09-04 Thread Mike Soultanian
Jim Davis wrote: > retrieve userlevel > > if userlevel=admin >Entitlements = delete, edit, post, read > It's still the template that's protecting itself, not the security system > enforcing rules over the template. Ok, your version is a much cleaner example of t

RE: Question about my security system

2005-09-04 Thread Jim Davis
> -Original Message- > From: Mike Soultanian [mailto:[EMAIL PROTECTED] > Sent: Sunday, September 04, 2005 3:50 AM > To: CF-Talk > Subject: Re: Question about my security system > > Sorry, > Now, the standard setup that I've seen goes as follows: Most >

Re: Question about my security system

2005-09-04 Thread S . Isaac Dealey
> Sorry, > I don't think I did the best job explaining it. > My approach is definitely not the standard setup. > The key here is abstraction; abstracting any group > membership checks from templates. I'll try and > lay it out a bit more simply: Hey Mike, you might have a look at the onTap framewor

RE: Question about my security system

2005-09-04 Thread S . Isaac Dealey
>> Also, why wouldn't you trust the web server from >> providing the correct file name to the CF server? > It's not that I don't trust it... it's just that I don't > trust it. ;^) > If your security system is based on this information >

Re: Question about my security system

2005-09-04 Thread Mike Soultanian
Sorry, I don't think I did the best job explaining it. My approach is definitely not the standard setup. The key here is abstraction; abstracting any group membership checks from templates. I'll try and lay it out a bit more simply: Now, let's say you have one single template called message.

RE: Question about my security system

2005-09-03 Thread Jim Davis
> -Original Message- > From: Mike Soultanian [mailto:[EMAIL PROTECTED] > Sent: Sunday, September 04, 2005 1:27 AM > To: CF-Talk > Subject: Re: Question about my security system > > Jim Davis wrote: > > It seems like it might be overkill to tag every single page

Re: Question about my security system

2005-09-03 Thread Mike Soultanian
ll it return the tag pathname, the application.cfm pathname, or the actual file that was requested by the user? Also, why wouldn't you trust the web server from providing the correct file name to the CF server? > As for which is "more secure" - neither. Where you put your co

Re: Question about my security system

2005-09-03 Thread Mike Soultanian
Bobby Hartsfield wrote: > Being able to move and/or rename the templates and still have the > system keep track of them will most definitely prove to be tough if > everything else is important to you. Here's my plan, the system will check to see if a file has an ID at the top of it. If i

RE: Question about my security system

2005-09-03 Thread Jim Davis
> -Original Message- > From: Mike Soultanian [mailto:[EMAIL PROTECTED] > Sent: Saturday, September 03, 2005 10:23 PM > To: CF-Talk > Subject: Question about my security system > > Like I mentioned in a previous post, I am creating a security system > that assig

RE: Question about my security system

2005-09-03 Thread Bobby Hartsfield
e.com usually the default document in a CF app would be index.cfm so cgi.script_name in this case would be "index.cfm" -Original Message- From: Mike Soultanian [mailto:[EMAIL PROTECTED] Sent: Saturday, September 03, 2005 11:56 PM To: CF-Talk Subject: Re: Question about my secu

Re: Question about my security system

2005-09-03 Thread Mike Soultanian
ry put an Application.cfm that includes your > "security script" so it is included in every template under that directory. > (You can also just include the parent application.cfm to bring any settings > in without duping any code.) In my case, every file would need to have the fil

RE: Question about my security system

2005-09-03 Thread Bobby Hartsfield
I haven't seen the previous thread you mentioned but the "easiest" way to secure specific templates is to have them all located under a central location like /secure or /administrative or whatever. In the top level of that directory put an Application.cfm that includes your "

Question about my security system

2005-09-03 Thread Mike Soultanian
Like I mentioned in a previous post, I am creating a security system that assigns each CF page its own unique ID. Based on that file's id, it keeps track of who has access to that page. To do this, I was going to put a custom tag at the top of every page that I wanted to be secure

Re: fusebox security plugin

2005-08-24 Thread Greg Luce
http://www.google.com/search?hl=en&lr=&q=%22TheOffice%22+fusebox On 8/24/05, wolf2k5 <[EMAIL PROTECTED]> wrote: > > On 8/23/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > as well as "TheOffice" which shows a more advanced example > > I cannot find it, do you have an URL? > > Thanks. > >

RE: (Security) Nigerian Scam Artist CAUGHT!

2005-08-24 Thread Ewok
>Serving suggestion: http://www.sendaturd.com/ Ha! That would be unbelievably funny! > I caught my Nigerian Scam friend! Good going!! -Original Message- From: Clark Slater [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 23, 2005 9:32 PM To: CF-Talk Subject: RE: (Security) Ni

Re: fusebox security plugin

2005-08-24 Thread wolf2k5
On 8/23/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > as well as "TheOffice" which shows a more advanced example I cannot find it, do you have an URL? Thanks. ~| Logware (www.logware.us): a new and convenient web-based time

RE: (Security) Nigerian Scam Artist CAUGHT!

2005-08-23 Thread Clark Slater
>>Still haven't figured out exactly how to handle giving him a USPS tracking number. >>hm... >>Will Serving suggestion: http://www.sendaturd.com/

Re: (Security) Nigerian Scam Artist CAUGHT!

2005-08-23 Thread Will Tomlinson
>I assume both of them are internet noobs... respectable people you >admire who don't know better. > Both are the opposite of noobs. They're very proficient programmers - *extremely* intelligent people. That's what alarmed me. Will

Re: (Security) Nigerian Scam Artist CAUGHT!

2005-08-23 Thread S . Isaac Dealey
> And for the record, the main > reason I posted this here is because I spoke with two > different people I admire and respect, and neither > believed it was a scam. They asked why I didn't just send > out the merchandise. I assume both of them are internet noobs... respectable people you admire w

Re: (Security) Nigerian Scam Artist CAUGHT!

2005-08-23 Thread Will Tomlinson
>I'll let you know how it goes. > >I can't believe he used your form. No branding, formatting or anything >plain black and white form. Unbelievable. Sweet! DO keep us informed. And for the record, the main reason I posted this here is because I spoke with two different people I admire and resp

RE: (Security) Nigerian Scam Artist CAUGHT!

2005-08-23 Thread Ken Ketsdever
o branding, formatting or anything plain black and white form. Unbelievable. -Original Message- From: Michael Tangorre [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 23, 2005 5:16 PM To: CF-Talk Subject: RE: (Security) Nigerian Scam Artist CAUGHT! From: Bryan Stevenson [mailto:[EMAIL PR

RE: (Security) Nigerian Scam Artist CAUGHT!

2005-08-23 Thread Michael Tangorre
From: Bryan Stevenson [mailto:[EMAIL PROTECTED] Good on ya Will and Mike...you'd know this is on topic if you'd read the initial posts (including how Will built his scammer catching form). Thanks, I did read it.

Re: (Security) Nigerian Scam Artist CAUGHT!

2005-08-23 Thread Bryan Stevenson
From: "Michael Tangorre" <[EMAIL PROTECTED]> To: "CF-Talk" Sent: Tuesday, August 23, 2005 4:49 PM Subject: RE: (Security) Nigerian Scam Artist CAUGHT! >> From: Will Tomlinson [mailto:[EMAIL PROTECTED] >> Subject: (Security) Nigerian Scam Artist CAUGHT! &g

RE: (Security) Nigerian Scam Artist CAUGHT!

2005-08-23 Thread Michael Tangorre
> From: Will Tomlinson [mailto:[EMAIL PROTECTED] > Subject: (Security) Nigerian Scam Artist CAUGHT! cf-community

(Security) Nigerian Scam Artist CAUGHT!

2005-08-23 Thread Will Tomlinson
untem TWOOO CC numbers. I immediately inspect my DB and the bounty, contact VISA fraud Dept., give them ALL the info. They confirmed it was a Nigerian scam, and the cardholders had been notified about the security of the cards being compromised. The moral of the story is, next time you'

Re: fusebox security plugin

2005-08-23 Thread [EMAIL PROTECTED]
as well as "TheOffice" which shows a more advanced example Original Message: - From: Brian Kotek [EMAIL PROTECTED] Date: Tue, 23 Aug 2005 12:27:44 -0400 To: cf-talk@houseoffusion.com Subject: Re: fusebox security plugin There is a simple security plugin within the Le

Re: fusebox security plugin

2005-08-23 Thread Sean Corfield
On 8/23/05, wolf2k5 <[EMAIL PROTECTED]> wrote: > I am looking for a sample security plugin for Fusebox 4.1. > Do you know any? Sandy Clark will be releasing one at the frameworks conference. > Also, is it possible to use CF security framework (cflogin, > IsUserInRole, etc.) w

Re: fusebox security plugin

2005-08-23 Thread Brian Kotek
There is a simple security plugin within the Let's Make a Deal sample application in the download section at Fusebox.org <http://Fusebox.org>. I believe it uses list-based security, but yes it is possible to modify the plugin or write your own that will use the cflogin securit

fusebox security plugin

2005-08-23 Thread wolf2k5
Hi, I am looking for a sample security plugin for Fusebox 4.1. Do you know any? Also, is it possible to use CF security framework (cflogin, IsUserInRole, etc.) with Fusebox? If so, how? Thanks. ~| Find out how CFTicket can

Re: OT - Security Of Sensitive Data

2005-08-08 Thread Matt Robertson
Sounds like that pretty much precludes even dedicated hosting through an ISP. You'd need the box to reside inside of your building to confidently ensure those terms are met. -- --mattRobertson-- Janitor, MSB Web Systems mysecretbase.com

RE: OT - Security Of Sensitive Data

2005-08-08 Thread Matt Osbun
Here's a link to a whitepaper on the subject of HIPAA's Final Security Rule. http://www.hipaadvisory.com/regs/finalsecurity/summaryanalysis.htm While I don't know one way or another if there's a source code mandate in the Security Rule, under the Technical Safeguards header,

Re: OT - Security Of Sensitive Data

2005-08-06 Thread Jochem van Dieten
Matt Robertson wrote: > On 8/6/05, Jochem van Dieten <[EMAIL PROTECTED]> wrote: >> >> Does the HIPAA mandate something similar? > > Source code? As in if I use SQL Server I have to have access to the SQL > Server source (and ColdFusion source for that matter)? Yes. Not necessarily direct acce

Re: OT - Security Of Sensitive Data

2005-08-06 Thread Matt Robertson
On 8/6/05, Jochem van Dieten <[EMAIL PROTECTED]> wrote: > > Does the HIPAA mandate something similar? Source code? As in if I use SQL Server I have to have access to the SQL Server source (and ColdFusion source for that matter)? Doesn't do that, thankfully. Or by 'source' do you mean the sql/

Re: OT - Security Of Sensitive Data

2005-08-06 Thread Jochem van Dieten
I am not very familiar with HIPAA regulations, but it sounds like they are something like the procedural and technical guidelines from the Dutch Data Protection Authority. Those guidelines mandate that if you store class 2 or higher personal data (lots of relatively harmless data like name and a

Re: OT - Security Of Sensitive Data

2005-08-05 Thread James Holmes
After I raised hell and dave "disrupted" Hostmysite, they put in the work to make their servers more secure. However, VPS or dedicated hosting is the best way to make a functional CF server secure. On 8/6/05, Will Tomlinson <[EMAIL PROTECTED]> wrote: > I went through this sensitive data crap for a

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Dave Watts
> I also realized there is a market/demand for *SECURE* hosting > out there. Sure there is, and that demand is currently met using dedicated servers. Short of using dedicated servers, it's really hard to ensure an adequately secure environment. I think that server virtualization is a step in this

Re: OT - Security Of Sensitive Data

2005-08-05 Thread Will Tomlinson
I went through this sensitive data crap for a client a while back. After talking with CT, and a few others, I decided it was too much trouble. I also realized there is a market/demand for *SECURE* hosting out there. Will www.codefusiongear.com

Re: OT - Security Of Sensitive Data

2005-08-05 Thread Matt Robertson
On 8/5/05, Russ <[EMAIL PROTECTED]> wrote: > > Don't forget that the free bluedragon doesn't support ssl... It's not very > well documented... > Geez you've got to be kidding me... OK you're not kidding. Wow if that's true that makes it pretty close to worthless IMHO. I was going to look into us

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Mark A Kruger
I agree there... all the limitations should be obvious and spelled out. -mk -Original Message- From: Russ [mailto:[EMAIL PROTECTED] Sent: Friday, August 05, 2005 5:08 PM To: CF-Talk Subject: RE: OT - Security Of Sensitive Data Personally I think they could've documented it b

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Russ
ake it into the docs... As far as BD6.1, it's too buggy for production use... -Original Message- From: Mark A Kruger [mailto:[EMAIL PROTECTED] Sent: Friday, August 05, 2005 5:57 PM To: CF-Talk Subject: RE: OT - Security Of Sensitive Data Companies are in business to make money. An

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Mark A Kruger
s software product. They have offered something between development and production that has some limited use - that's a good thing, right? -Original Message- From: Damien McKenna [mailto:[EMAIL PROTECTED] Sent: Friday, August 05, 2005 4:17 PM To: CF-Talk Subject: RE: OT - Security Of

Re: OT - Security Of Sensitive Data

2005-08-05 Thread Stan Winchester
sion is crippled like that... > >-Original Message- >From: Ken Ferguson [mailto:[EMAIL PROTECTED] >Sent: Friday, August 05, 2005 4:59 PM >To: CF-Talk >Subject: Re: OT - Security Of Sensitive Data > >Completely rules out using BD for any sort of commercial app doesn'

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Damien McKenna
> -Original Message- > From: Ken Ferguson [mailto:[EMAIL PROTECTED] > > Completely rules out using BD for any sort of commercial app > doesn't it? That's kinda harsh. Their free version doesn't support SSL but their paid-for versions do. I personally think they could have bundled it

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Mark A Kruger
st 05, 2005 3:59 PM To: CF-Talk Subject: Re: OT - Security Of Sensitive Data Completely rules out using BD for any sort of commercial app doesn't it? I didn't realize this was the case. Thanks for letting me know; I can't tell you how mad I would have been if I'd wasted any t

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Russ
Well I'm sure their paid versions support it... but yea, it's a shame the free version is crippled like that... -Original Message- From: Ken Ferguson [mailto:[EMAIL PROTECTED] Sent: Friday, August 05, 2005 4:59 PM To: CF-Talk Subject: Re: OT - Security Of Sensitive Data

Re: OT - Security Of Sensitive Data

2005-08-05 Thread Ken Ferguson
switch in the code that won't serve pages if you are using >the free BlueDragon version through ssl... I found out the hard way a few >months ago... > >-Original Message- >From: Mark A Kruger [mailto:[EMAIL PROTECTED] >Sent: Friday, August 05, 2005 4:45 PM >To: CF-T

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Mark A Kruger
Russ, Well - that changes a small project we were working on :). Glad you caught it before I did (ha). -Mark -Original Message- From: Russ [mailto:[EMAIL PROTECTED] Sent: Friday, August 05, 2005 3:47 PM To: CF-Talk Subject: RE: OT - Security Of Sensitive Data Yea, there is a switch

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Russ
bject: RE: OT - Security Of Sensitive Data Russ, Do you mean that the BD engine won't serve pages through an SSL connection? -Mark -Original Message- From: Russ [mailto:[EMAIL PROTECTED] Sent: Friday, August 05, 2005 3:37 PM To: CF-Talk Subject: RE: OT - Security Of Sensitive Da

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Mark A Kruger
Russ, Do you mean that the BD engine won't serve pages through an SSL connection? -Mark -Original Message- From: Russ [mailto:[EMAIL PROTECTED] Sent: Friday, August 05, 2005 3:37 PM To: CF-Talk Subject: RE: OT - Security Of Sensitive Data Don't forget that the free bluedrag

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Russ
PROTECTED] Sent: Friday, August 05, 2005 4:21 PM To: CF-Talk Subject: Re: OT - Security Of Sensitive Data I would think at the very least you'd want a dedicated server... seeing as CT sells them for $70 monthly that ain't so bad, although you'd have to buy CF or work in BD compati

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Russ
Don't forget that the free bluedragon doesn't support ssl... It's not very well documented... -Original Message- From: Matt Robertson [mailto:[EMAIL PROTECTED] Sent: Friday, August 05, 2005 4:21 PM To: CF-Talk Subject: Re: OT - Security Of Sensitive Data I would think at

Re: OT - Security Of Sensitive Data

2005-08-05 Thread Matt Robertson
I would think at the very least you'd want a dedicated server... seeing as CT sells them for $70 monthly that ain't so bad, although you'd have to buy CF or work in BD compatibility. SSL is cheap at US$50 for a good one. Don't use CT's shared SQL host. Install MSDE on your same server (free).

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Matt Osbun
g around. Matt Osbun Web Developer Health Systems, International -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Friday, August 05, 2005 12:54 PM To: CF-Talk Subject: RE: OT - Security Of Sensitive Data I would be very surprised if any shared hosting environment was secure e

RE: OT - Security Of Sensitive Data

2005-08-05 Thread Dave Watts
can even go so far as to ONLY store > information like Client Number instead of identifying information like > name, etc. I would simply provide the nursing staff with a physical > listing of patient and ID numbers. > > My question becomes, since we are on a shared server, what >

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Jim Davis
> -Original Message- > From: Dave Watts [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 28, 2005 11:45 AM > To: CF-Talk > Subject: RE: Security of GET vs. POST via HTTPS? > > > We've got a 3rd party API that we call via HTTPS. They want the > > data

Re: Security of GET vs. POST via HTTPS?

2005-07-28 Thread S . Isaac Dealey
> S.Isaac Dealey wrote: >>> Incorrect, they are both equally INSECURE. One could >>> argue that a post is slightly hidden by a thin veil. >>> But >>> it is not hard to look behind that veil and get all the >>> data. >> >> I take it you're recommending an alternative? ... Let me >> guess -- a >> ti

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Ian Skinner
he browser does not make it more secure. They are both plain text, easily accessible and equally insecure UNLESS one applies something like HTTPS which works equally on either a GET or a POST. To summarize, GETs and POSTs are equal in security. -- Ian Skinner Web Programmer B

Re: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Jochem van Dieten
S.Isaac Dealey wrote: >> Incorrect, they are both equally INSECURE. One could >> argue that a post is slightly hidden by a thin veil. But >> it is not hard to look behind that veil and get all the >> data. > > I take it you're recommending an alternative? ... Let me guess -- a > time-locked safe

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Ian Skinner
True, but as you said earlier, whether it is GET or POST does not matter they are equal in security. -- Ian Skinner Web Programmer BloodSource www.BloodSource.org Sacramento, CA "C code. C code run. Run code run. Please!" - Cynthia Dunning -Origin

Re: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Jochem van Dieten
Dave Watts wrote: >> We've got a 3rd party API that we call via HTTPS. They want the >> data submitted via GET (i.e. URL strings) whereas it's my >> understanding that POST would be more secure. Am I correct in >> my understanding or losing my mind? > > You are incorrect, but I doubt you're los

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread S . Isaac Dealey
> Incorrect, they are both equally INSECURE. One could > argue that a post is slightly hidden by a thin veil. But > it is not hard to look behind that veil and get all the > data. I take it you're recommending an alternative? ... Let me guess -- a time-locked safe with a print copy of the data t

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Dave Watts
> So it seems that the connection is made via SSL and *then* the > data is transmitted (URL, etc). This answers my question. Yes, that's correct. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our trai

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread S . Isaac Dealey
>> We've got a 3rd party API that we call via HTTPS. They >> want the >> data submitted via GET (i.e. URL strings) whereas it's my >> understanding that POST would be more secure. Am I >> correct in >> my understanding or losing my mind? > You are incorrect, but I doubt you're losing your mind. >

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Damien McKenna
http://support.microsoft.com/default.aspx?scid=kb;en-us;257591 So it seems that the connection is made via SSL and *then* the data is transmitted (URL, etc). This answers my question. Also: http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx -- Damien McKenna - Web Developer - [EMAIL PROTE

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Dave Watts
> Incorrect, they are both equally INSECURE. One could argue > that a post is slightly hidden by a thin veil. But it is not > hard to look behind that veil and get all the data. HTTPS is secure enough for most purposes. To effectively read the requests and responses at will, you have to be at

Re: OT: Security of GET vs. POST via HTTPS?

2005-07-28 Thread S . Isaac Dealey
> Pardon me for saying so, but I'm missing something obvious > in this. > We've got a 3rd party API that we call via HTTPS. They > want the data > submitted via GET (i.e. URL strings) whereas it's my > understanding that > POST would be more secure. Am I correct in my > understanding or losing >

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Ian Skinner
code run. Please!" - Cynthia Dunning -Original Message- From: Damien McKenna [mailto:[EMAIL PROTECTED] Sent: Thursday, July 28, 2005 8:30 AM To: CF-Talk Subject: OT: Security of GET vs. POST via HTTPS? Pardon me for saying so, but I'm missing somet

RE: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Dave Watts
> We've got a 3rd party API that we call via HTTPS. They want the > data submitted via GET (i.e. URL strings) whereas it's my > understanding that POST would be more secure. Am I correct in > my understanding or losing my mind? You are incorrect, but I doubt you're losing your mind. When you ma

OT: Security of GET vs. POST via HTTPS?

2005-07-28 Thread Damien McKenna
Pardon me for saying so, but I'm missing something obvious in this. We've got a 3rd party API that we call via HTTPS. They want the data submitted via GET (i.e. URL strings) whereas it's my understanding that POST would be more secure. Am I correct in my understanding or losing my mind? Thanks.

Re: Upload security?

2005-07-21 Thread Matt Robertson
On 7/21/05, Mark A Kruger <[EMAIL PROTECTED]> wrote: > Yes... something sadly lacking is an easy way to examine an http request for > size in advance. It's always amazed me that such a huge potential for killing a server isn't taken advantage of more often by 'evildoers'. I guess I just work on si

RE: Upload security?

2005-07-21 Thread Mark A Kruger
Yes... something sadly lacking is an easy way to examine an http request for size in advance. -Mark -Original Message- From: Loathe [mailto:[EMAIL PROTECTED] Sent: Thursday, July 21, 2005 8:37 PM To: CF-Talk Subject: RE: Upload security? True. At least it will be wiped out once

RE: Upload security?

2005-07-21 Thread Loathe
True. At least it will be wiped out once uploaded though. Too bad JS doesn't give us more access to a form field on the original page. Tim -Original Message- From: Mark A Kruger [mailto:[EMAIL PROTECTED] Sent: Thursday, July 21, 2005 9:28 PM To: CF-Talk Subject: RE: Upload sec

RE: Upload security?

2005-07-21 Thread Mark A Kruger
arge files. -mk -Original Message- From: Loathe [mailto:[EMAIL PROTECTED] Sent: Thursday, July 21, 2005 8:26 PM To: CF-Talk Subject: RE: Upload security? nah, We check the cgi.content_length to ensure it's less than 5 megs before doing anything else. -Original Message-

RE: Upload security?

2005-07-21 Thread Loathe
nah, We check the cgi.content_length to ensure it's less than 5 megs before doing anything else. -Original Message- From: Jennifer Larkin [mailto:[EMAIL PROTECTED] Sent: Thursday, July 21, 2005 8:39 PM To: CF-Talk Subject: Re: Upload security? The main problem with this is that p

Re: Upload security?

2005-07-21 Thread Jennifer Larkin
The main problem with this is that people can nail your server by uploading huge files that you have to upload before you can test to see if you can delete them. I've seen people complain that their 20M .xls file isn't uploading as though I should support them doing such a thing. Good luck! On

RE: Upload security?

2005-07-21 Thread Loathe
e the temp copy and throw an error. Ugly but it works. Tim -Original Message- From: Matt Robertson [mailto:[EMAIL PROTECTED] Sent: Thursday, July 21, 2005 7:37 PM To: CF-Talk Subject: Re: Upload security? In addition to what Deanna said, why not specify the file types you will allow usin

Re: Upload security?

2005-07-21 Thread Matt Robertson
In addition to what Deanna said, why not specify the file types you will allow using CFFILE's ACCEPT parameter? The two for Excel are application/vnd.ms-excel and application/msexcel. However CFFILE determines MIME type via the file extension, which isn't exactly hackproof. If you allow file ren

Re: Upload security?

2005-07-21 Thread Deanna Schneider
I've found that it only sees them that way if the user still has the file open. So, if this is an internal thing, you can usually fix it with a little education. You can also do a try catch and look for that error and give a nice little message about being sure to close the file before attempting t

Re: Upload security?

2005-07-21 Thread Jochem van Dieten
Loathe wrote: > > We have a requirement to allow for the uploading of a bunch of different > file types. The problem I am running into is with excel/xls and word > perfect/wpd. CF apparently sees these as application/octet-stream. CF sees them the way the uploading browser tells it to see them.

Upload security?

2005-07-21 Thread Loathe
Hey, We have a requirement to allow for the uploading of a bunch of different file types. The problem I am running into is with excel/xls and word perfect/wpd. CF apparently sees these as application/octet-stream. Now there are a bunch of different file types included in that, to include com an

Re: Spectra 1.5.3, cftransaction and security tags

2005-06-30 Thread S . Isaac Dealey
> And it's a known bug, in Spectra 1.5.3 : > Macromedia Spectra 1.5.3 uses a database connection within > ColdFusion MX to call the security tags. Because of this, > the cftransaction tag may fail with multiple database > errors. > I have to use these 2 different

Spectra 1.5.3, cftransaction and security tags

2005-06-30 Thread Anthony Dimino
oldFusion MX to call the security tags. Because of this, the cftransaction tag may fail with multiple database errors. To work around this issue, you can directly create queries to the database for cftransaction calls. But I don't understand "create queries to the database for cftran

Re: Security Vulnerability in JRun

2005-06-21 Thread Tyler Fitch
It should probably be noted that this Security Vulnerability is from September of last year and has the link to the MACR security patch in the summary. So unless you've had your JRun and Apache server running since last summer without any updates you'll be in good shape. Cheers, t

security via application.cfm

2005-06-21 Thread Daniel Kessler
I didn't realize application.cfm could handle security but I was reading up on application.cfm in the archives and found a post describing something that would be useful to me. The reply has a link that doesn't work and I'd like to know if anyone has more information on it. H

Security Vulnerability in JRun

2005-06-21 Thread Mark Drew
I thought I would post this heads up for people using JRun with Apache http://www.securityfocus.com/archive/1/377194 -- Mark Drew

Re: Web Application Security with Coldfusion

2005-06-07 Thread Keith Gaughan
Paul Vernon wrote: > The easiest way is to use cfqueryparam when putting in and use > HTMLEditFormat when displaying anything from the database that is user > input. That, and if you're writing something from the database out to a JavaScript string,

RE: Web Application Security with Coldfusion

2005-06-07 Thread Paul Vernon
The easiest way is to use cfqueryparam when putting in and use HTMLEditFormat when displaying anything from the database that is user input. Paul

Web Application Security with Coldfusion

2005-06-07 Thread Ian Vaughan
How can Coldfusion be used to filter metacharacters to reduce XSS Cross Site Scripting attacks. I.E. Converting < and > to &lt; and &gt;, ( to &#40;, ) to &#41;, # to &#35;, & to &amp; Has anybody on the list implemented this in their Coldfusion apps to protect against XSS ? And am I correct in saying that using

RE: Shared CF Host security

2005-06-06 Thread Jamie Price
>At the moment, if you use GetPageContext().include() on a JSP on my >SmarterLinux server you get a null pointer exception. > >Regardless, 2 is the case and the code will run in the CF security >context of the calling page. The CF sandboxing takes over in this case. >Anyone

RE: Shared CF Host security

2005-06-03 Thread James Holmes
At the moment, if you use GetPageContext().include() on a JSP on my SmarterLinux server you get a null pointer exception. Regardless, 2 is the case and the code will run in the CF security context of the calling page. The CF sandboxing takes over in this case. Anyone can verify this on their own

RE: Shared CF Host security

2005-06-03 Thread Jamie Price
still handled through Resin, same situation applies. 2) CF hijacks it straight to JRun (which I think is more likely, since the user has put JSP code into a ColdFusion page, supposing that CF will happily run JSP code from a .cfm page. Not sure if that's correct behavior or not.). In

RE: Shared CF Host security

2005-06-03 Thread Jamie Price
Ok somehow I doubled the thread and made two. Sorry! > > I thought I posted this the other day, but it didn't update for some > reason. Here it is again: >

Re: Shared CF Host security

2005-06-03 Thread Jamie Price
Jochem, Can you email me offlist with what you're interested in? [EMAIL PROTECTED] Thanks! > > > So, security in a shared hosting environment isn't exactly a myth, > it just takes a little more work and flexibility. If anyone needs a > more technical explanati

RE: Shared CF Host security

2005-06-03 Thread Jamie Price
James, Can you send me an email ([EMAIL PROTECTED]) with your domain name? I'll check on your server and see if it's misbehaving, and if so get it locked down by the end of the day. >Well, this isn't the case on my SmarterLinux server. I can still browse, >download and view every file on th

RE: Shared CF Host security

2005-06-03 Thread Jamie Price
> I thought I posted this the other day, but it didn't update for some reason. > Here it is again: Never let it be said that HostMySite.com doesn't listen to its customers. After much work we've been able to find a fix for the security issue that allows safe execut

RE: Shared CF Host security

2005-06-02 Thread dave
From: "James Holmes" <[EMAIL PROTECTED]> Sent: Thursday, June 02, 2005 11:01 PM To: CF-Talk Subject: RE: Shared CF Host security Well, this isn't the case on my SmarterLinux server. I can still browse, download and view every file on the server using JSP. -Original Message-

RE: Shared CF Host security

2005-06-02 Thread James Holmes
Well, this isn't the case on my SmarterLinux server. I can still browse, download and view every file on the server using JSP. -Original Message- From: Jamie Price [mailto:[EMAIL PROTECTED] Sent: Friday, 3 June 2005 6:06 To: CF-Talk Subject: Re: Shared CF Host security Don'

RE: Shared CF Host security

2005-06-02 Thread James Holmes
Robertson [mailto:[EMAIL PROTECTED] Sent: Friday, 3 June 2005 7:04 To: CF-Talk Subject: Re: Shared CF Host security Thanks for the post, Jamie. I actually have a SmarterLinux hosting acct with you guys that runs my last-ditch server monitor for my dedicated boxes. Not exactly top secret code bu

Re: Shared CF Host security

2005-06-02 Thread dave
"contains real lemon juice" figures @%*((&% From: Matt Robertson <[EMAIL PROTECTED]> Sent: Thursday, June 02, 2005 7:06 PM To: CF-Talk Subject: Re: Shared CF Host security Thanks for the post, Jamie. I actually have a SmarterLinux hosting acct with you guys that runs my last-ditch serv
