While site security is an important issue with the +.htr
bug, or anything that exposes your source code, I want to
point out a few things.

NEVER put the username and password in your templates!

Always write your queries so that a new query can't be passed
via a URL to do what they want; that should NOT be possible.

A proper encryption scheme for credit cards will render the
encrypted CC data totally useless. Encrypt with your
public key, and keep the private key completely offline, or
at least internal-network only. As many people have
suggested to me, just plain don't store the CC, but if
it's a must it can be done with a good degree of security.

In my mind, as I have previously expressed, the largest
danger is the exposure of your intellectual property
and everything that goes with that.

Assuming you are properly coding your CF, data modification
via raw queries should not be possible. If someone just
happens to find one little omission and they wreak havoc on
your DB and render your site useless, backups can cure that
situation quite easily. What you can't fix is the fact that
someone now has their own copies of your code. You can't just
undo that from someone's memory. All of these other issues
are peripheral to good programming practice and good business
practice.

Jeremy Allen
elliptIQ Inc.
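The query rule in the message above (a URL value must never be able to become a new query) is worth seeing side by side. The following is an added example, not code from this thread or from elliptIQ: it is written in Python with the standard-library sqlite3 module rather than CFML so that it runs stand-alone, and the product table, its rows and the hostile URL value "2 OR 1=1" are all constructed here for illustration. The vulnerable lookup splices the URL value into the SQL text, which is what writing `WHERE id = #url.id#` inside a `<cfquery>` does; the hardened lookup validates the type and binds the value as a parameter, which is the job `<cfqueryparam cfsqltype="cf_sql_integer">` does in ColdFusion.

```python
import sqlite3

# Constructed sample data standing in for a site's product table.
# "hidden" marks rows a public page should never return.
SAMPLE_ROWS = [
    (1, "widget", 9.99, 0),
    (2, "gadget", 19.99, 0),
    (3, "unreleased-item", 0.0, 1),
]


def build_db():
    """Create an in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER, name TEXT, price REAL, hidden INTEGER)"
    )
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, raw_id):
    """Vulnerable form: the URL value is pasted into the SQL text.

    Same mistake as ... WHERE id = #url.id# inside a <cfquery> block:
    whatever the visitor puts in the URL is parsed as SQL by the database.
    """
    sql = "SELECT id, name FROM product WHERE hidden = 0 AND id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    The database receives the SQL text and the value separately, so the
    value can never change the query. The int() check is the type
    restriction that cfsqltype="cf_sql_integer" would apply in CF.
    """
    product_id = int(raw_id)  # raises ValueError on anything that is not an integer
    return conn.execute(
        "SELECT id, name FROM product WHERE hidden = 0 AND id = ?",
        (product_id,),
    ).fetchall()


def demo(raw_id="2 OR 1=1"):
    """Run both lookups against the same hostile input and report the outcome."""
    conn = build_db()
    leaked = lookup_unsafe(conn, raw_id)
    try:
        safe = lookup_safe(conn, raw_id)
        rejected = False
    except ValueError:
        safe = []
        rejected = True
    return {
        "unsafe_rows": leaked,      # every row, hidden ones included
        "safe_rows": safe,
        "safe_rejected": rejected,  # True: the input never reached the database
    }


if __name__ == "__main__":
    print(demo())
```

With the honest value "2" both lookups return the one gadget row. With "2 OR 1=1" the unsafe lookup's WHERE clause becomes `hidden = 0 AND id = 2 OR 1=1`, which matches every row including the hidden one, while the safe lookup rejects the value before any SQL runs.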



>-----Original Message-----
>From: Gary McNeel, Jr. [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, December 19, 2000 11:55 AM
>To: CF-Talk
>Subject: RE: Danger of the +.htr bug
>
>
>Absolutely there is a danger. Just off the top of my head I can think of a
>few. These may not be best practice but:
>
>1. If you put the username and password in a CFQUERY they can see that (and
>anything else).
>2. If you just hard code a password or IP range to be blocked, or other
>information that should not be seen.
>3. If you have a client you do work for THEY have copyright to the code.
>They paid for it, it is theirs.
>4. Any CF comments become visible. You may be explaining a business process
>and it gets read by someone who does not need to know about it.
>
>Because you may have a bunch of people coding, you cannot anticipate what
>may or may not be put in the code.
>
>-Gary
>
>> -----Original Message-----
>> From: Eric Dawson [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, December 19, 2000 10:15 AM
>> To: CF-Talk
>> Subject: Re: Danger of the +.htr bug
>>
>>
>> Is there any danger to the +.htr beyond being able to view the
>> source code of the site?
>>
>> i.e. if you want my source code ... 1.) Why? I don't want it, but
>> am forced to code it, and 2.) It might be easier to ask me for it,
>> cause I'll zip up all the files and email it to you.
>>
>> Eric
>>
>>
>> From: "Jamie Keane" <[EMAIL PROTECTED]>
>> Reply-To: [EMAIL PROTECTED]
>> To: CF-Talk <[EMAIL PROTECTED]>
>> Subject: Re: Cool CF site - webos.org
>> Date: Tue, 19 Dec 2000 08:57:29 -0500
>>
>> The fact that they don't have the +.htr bug patched.  Veeeeery
>> interesting.
>>
>> Cheers,
>> Jamie
>>
>> --
>> Jamie Keane
>> Programmer
>> SolutionMasters, Inc.
>> 9111 Monroe Rd., Suite 100
>> Charlotte, NC  28270
>> www.solutionmasters.com
>> 704.563.5559 x 228  Voice
>> 704.849.9291  Fax
>> -----Original Message-----
>> From: Gena <[EMAIL PROTECTED]>
>> To: CF-Talk <[EMAIL PROTECTED]>
>> Date: Monday, December 18, 2000 5:41 PM
>> Subject: Re: Cool CF site - webos.org
>>
>>
>>  >Pardon,
>>  >
>>  >do you mean this web site or my message???
>>  >
>>  >Regards
>>  >
>>  >
>>  >----- Original Message -----
>>  >From: "Jamie Keane" <[EMAIL PROTECTED]>
>>  >To: "CF-Talk" <[EMAIL PROTECTED]>
>>  >Sent: Tuesday, December 19, 2000 9:20 AM
>>  >Subject: Re: Cool CF site - webos.org
>>  >
>>  >
>>  >> *ROFL*
>>  >>
>>  >> That's the funniest thing I've seen this month!
>>  >>
>>  >> --
>>  >> Jamie Keane
>>  >> Programmer
>>  >> SolutionMasters, Inc.
>>  >> 9111 Monroe Rd., Suite 100
>>  >> Charlotte, NC  28270
>>  >> www.solutionmasters.com
>>  >> 704.563.5559 x 228  Voice
>>  >> 704.849.9291  Fax
>>  >> -----Original Message-----
>>  >> From: Gena <[EMAIL PROTECTED]>
>>  >> To: CF-Talk <[EMAIL PROTECTED]>
>>  >> Date: Monday, December 18, 2000 4:54 PM
>>  >> Subject: Re: Cool CF site - webos.org
>>  >>
>>  >>
>>  >> >And what is cool on this site? I found only one thing - it is possible
>>  >> >to get all source code from this URL. It is not cool.
>>  >> >
>>  >> >----- Original Message -----
>>  >> >From: "Eric Fickes" <[EMAIL PROTECTED]>
>>  >> >To: "CF-Talk" <[EMAIL PROTECTED]>
>>  >> >Sent: Tuesday, December 19, 2000 8:00 AM
>>  >> >Subject: Cool CF site - webos.org
>>  >> >
>>  >> >
>>  >> >> Hello all,
>>  >> >>
>>  >> >> I was wondering if any of you have seen/used www.webos.org yet?  I
>>  >> >> noticed that it's using CF, so I was hoping that some of you may have
>>  >> >> an answer to my question.  WebOs emulates a desktop, and pops up
>>  >> >> windows within one large parent window.  I would love to do this on
>>  >> >> my inhouse site for navigation and was wondering if any of you knew
>>  >> >> how to do this.
>>  >> >>
>>  >> >> E
>>  >> >>
>>  >> >>
>>  >> >>
>>  >> >
>>  >>
>>  >
>>
>
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/