RE: Session variables security

2011-01-26 Thread Andrew Scott

No, I haven't used it, and I am in a closed environment where I don't need to
worry about these things too much.

However, I brought it up because some people find that it would cost them
more to try to match the features than to actually buy it.


Regards,
Andrew Scott
http://www.andyscott.id.au/


 -Original Message-
 From: Rob Voyle [mailto:robvo...@voyle.com]
 Sent: Wednesday, 26 January 2011 5:09 PM
 To: Andrew Scott; cf-talk@houseoffusion.com
 Subject: Re: Session variables security
 
 Hi Andrew
 
 Have you used this firewall or others that are out there?
 I find I have a great hesitancy about proprietary add-ons; as an old engineer I
 like/d to work from first principles. I have had more problems and time
 wasted from firewalls and antivirus programs than they are supposed to
 prevent.
 
 Once I get a basic process established it is not much of a problem to add it to
 the pages I am using.
 
 Rob
 


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341321
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Session variables security

2011-01-25 Thread Rob Voyle

Hi Folks

I have several large forms connected to MySQL tables.
I use cfqueryparam when querying and inserting data from the form after it has
been validated for content that I need (no blank fields etc.).

I created the following validation to check for scripts etc. being injected.

Is there anything else I should check for that would indicate someone was
hacking the page?
Thanks

Rob 


<cfloop index="checkVariables"
        list="#user#,#upDate#,#parts#,#workshopCode1#,#workshopCode2#,#workshopCode3#,#programCode#"
        delimiters=",">

    <!--- characters not allowed in any field --->
    <cfif REFind('[~^*+={}|\\/\[\]]', checkVariables)>
        <cfset badCharacter = "yes">
        <cfset errorData = "<h3>You have an illegal character ~^*+={}|\/ in one of the fields</h3>">
    </cfif>

    <!--- HTML event-handler attribute names --->
    <cfif REFindNoCase('onClick|onDblClick|onKeyDown|onKeyPress|onKeyUp|onMouseDown|onMouseOut|onMouseUp|onMouseOver|onBlur|onChange|onFocus|onSelect', checkVariables)>
        <cfset badEvent = "yes">
        <cfset errorData = "<h3>You have an illegal event in one of the fields</h3>">
    </cfif>

    <!--- tag names and executable file extensions (the dots are escaped so they match a literal period) --->
    <cfif REFindNoCase('script|object|applet|embed|form|layer|frame|frameset|param|meta|\.exe|\.bat', checkVariables)>
        <cfset badAction = "yes">
        <cfset errorData = "<h3>You have an illegal action script, object, applet, embed, form, layer, frame in one of the fields</h3>">
    </cfif>

    <!--- SQL keywords --->
    <cfif REFindNoCase('append|delete|char|declare|cast|execute|sp_sqlExecute|select|insert|update|drop|alter', checkVariables)>
        <cfset badSql = "yes">
        <cfset errorData = "<h3>You have an illegal database action append, delete, declare, cast, execute, sp_sqlExecute, select, insert, update, drop, alter in one of the fields</h3>">
    </cfif>

</cfloop>


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341240
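An allow-list alternative to the deny-list loop in Rob's post, added here as an example; it is not code from the thread. The posted patterns match substrings, so a value such as "Richard" (contains "char") or "information" (contains "form") is rejected, and a deny-list also has to be kept current (the event list, for instance, names no onLoad or onError). Describing what each field may contain avoids both problems, and free text is not filtered at all: it is stored through cfqueryparam and HTML-encoded when displayed. The field names (user, upDate, parts, workshopCode1 to 3, programCode) are those in the posted loop; the formats assumed for them, the form scope, the datasource myDSN and the registrations table are assumptions.

```cfml
<!--- Added example, not from the original post. Assumes the values arrive in the
      form scope, a datasource named "myDSN" and a "registrations" table. --->
<cfscript>
// Allow-list: what each field IS permitted to contain (the formats are assumptions).
// Anything that does not match is rejected; there is no list of "bad" words to maintain.
rules = {
    user          : "^[A-Za-z0-9._-]{1,64}$",
    upDate        : "^[0-9]{4}-[0-9]{2}-[0-9]{2}$",
    workshopCode1 : "^[A-Z]{2,4}-[0-9]{3,6}$",
    workshopCode2 : "^[A-Z]{2,4}-[0-9]{3,6}$",
    workshopCode3 : "^[A-Z]{2,4}-[0-9]{3,6}$",
    programCode   : "^[A-Z0-9]{2,10}$"
};
errors = [];
for (field in rules) {
    value = structKeyExists(form, field) ? trim(form[field]) : "";
    if (NOT reFind(rules[field], value)) {
        arrayAppend(errors, "#field#: unexpected format");
    }
}
// "parts" is free text: no character or keyword filter. Length is the only
// input-side rule; the database and the browser are protected below.
if (NOT structKeyExists(form, "parts") OR len(form.parts) GT 2000) {
    arrayAppend(errors, "parts: missing or too long");
}
</cfscript>

<cfif arrayLen(errors) EQ 0>
    <!--- Every value, the free-text one included, is bound with cfqueryparam, so
          it is never parsed as SQL. The keyword checks were not what protected
          the query; this is. --->
    <cfquery datasource="myDSN">
        INSERT INTO registrations
            (username, entered_on, workshop_code1, workshop_code2, workshop_code3, program_code, parts)
        VALUES (
            <cfqueryparam value="#form.user#"          cfsqltype="cf_sql_varchar" maxlength="64">,
            <cfqueryparam value="#form.upDate#"        cfsqltype="cf_sql_date">,
            <cfqueryparam value="#form.workshopCode1#" cfsqltype="cf_sql_varchar" maxlength="12">,
            <cfqueryparam value="#form.workshopCode2#" cfsqltype="cf_sql_varchar" maxlength="12">,
            <cfqueryparam value="#form.workshopCode3#" cfsqltype="cf_sql_varchar" maxlength="12">,
            <cfqueryparam value="#form.programCode#"   cfsqltype="cf_sql_varchar" maxlength="10">,
            <cfqueryparam value="#form.parts#"         cfsqltype="cf_sql_varchar">
        )
    </cfquery>
<cfelse>
    <!--- Echoing a value back to the browser is where script in a field would run,
          so encode on output instead of filtering on input. HTMLEditFormat() is
          available on ColdFusion 9; encodeForHTML() replaces it from ColdFusion 10. --->
    <cfoutput>
        <ul>
        <cfloop array="#errors#" index="msg"><li>#HTMLEditFormat(msg)#</li></cfloop>
        </ul>
        <cfif structKeyExists(form, "parts")>
            <p>You entered: #HTMLEditFormat(form.parts)#</p>
        </cfif>
    </cfoutput>
</cfif>
```

The one field that still deserves a format check is the date, since cf_sql_date will reject a string it cannot parse; everything else is protected by the parameter binding and the output encoding rather than by the pattern.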


RE: Session variables security

2011-01-25 Thread Andrew Scott

I am wondering if it would be cheaper for you to take a look at
http://www.petefreitag.com/item/728.cfm. It might cost you more in coding and
maintenance time to try to protect it yourself.

Regards,
Andrew Scott
http://www.andyscott.id.au/



 -Original Message-
 From: Rob Voyle [mailto:robvo...@voyle.com]
 Sent: Wednesday, 26 January 2011 11:53 AM
 To: cf-talk
 Subject: Re: Session variables security
 
 
 Hi Folks
 
 I have several large forms connected to MySQL tables.
 I use cfqueryparam when querying and inserting data from the form after it
 has been validated for content that I need (no blank fields etc.).
 
 I created the following validation to check for scripts etc. being injected.
 
 Is there anything else I should check for that would indicate someone was
 hacking the page?
 Thanks
 
 Rob


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341241


Session variables security

2011-01-24 Thread Richard White

Hi,

When the user logs in, I save their username to the session scope. 

Would I need to re-validate that username at the top of every page that uses it
in a database query?

I previously thought this was not necessary, but if it is possible for someone
to send malicious SQL injection then surely it is also possible (even though
very unlikely) for someone to send code that changes the username stored in the
session to some malicious SQL injection.

thanks


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341131


Re: Session variables security

2011-01-24 Thread Ian Skinner

On 1/24/2011 8:57 AM, Richard White wrote:
 Hi,

 When the user logs in, I save their username to the session scope.

 Would I need to re-validate that username at the top of every page that uses
 it in a database query?

 I previously thought this was not necessary, but if it is possible for someone
 to send malicious SQL injection then surely it is also possible (even though
 very unlikely) for someone to send code that changes the username stored in
 the session to some malicious SQL injection.

 thanks

Only if there is a place in your code for them to do so.  If you have a
vulnerable piece of code that can give unexpected and undesired results
because of malicious inputs from the client, then you have a problem.

But it is not an insecurity in the session variables; it is an insecurity
in your application and how it is setting those variables.  There is no
way for a user to send random code at a CF server and have it do
anything to session variables unless it is happening somewhere in the
CFML codebase.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341133
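The point Ian makes above, as an added example that is not part of the thread: the client holds only the CFID/CFTOKEN (or JSESSIONID) cookies that select a session, and what the session contains is written only by CFML running on the server. The two pages below show where that value earns its trust and how the query is written so that it does not rely on it. Everything named here is an assumption: a users table with username and password_hash columns, an orders table, a datasource myDSN, and a hypothetical verifyPassword() helper that compares a submitted password with a stored hash.

```cfml
<!--- Added example, not from the thread. Assumes a "users" table (username,
      password_hash), an "orders" table, a datasource "myDSN" and a hypothetical
      verifyPassword(plaintext, storedHash) helper. --->

<!--- login.cfm --->
<cfquery name="qUser" datasource="myDSN">
    SELECT user_id, username, password_hash
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>

<cfif qUser.recordCount EQ 1 AND verifyPassword(form.password, qUser.password_hash)>
    <!--- On ColdFusion 10 and later, call SessionRotate() here, before the
          session is populated, so a session id chosen before login is discarded. --->

    <!--- What goes into the session is the value from the matching row, not the
          raw form field. The only way client input reaches session.username is a
          line such as <cfset session.username = form.username>, and that line is
          not here. --->
    <cfset session.loggedIn = true>
    <cfset session.userId   = qUser.user_id>
    <cfset session.username = qUser.username>
<cfelse>
    <cfset session.loggedIn = false>
</cfif>

<!--- orders.cfm --->
<cfif NOT (structKeyExists(session, "loggedIn") AND session.loggedIn)>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- Always the scoped name session.username. An unscoped #username# is never
      resolved from Session: ColdFusion searches Variables, CGI, URL, Form,
      Cookie and Client, so a request parameter could supply it.
      And still a cfqueryparam: the parameter keeps the statement fixed whatever
      the variable holds, so the stored value needs no per-page re-validation. --->
<cfquery name="qOrders" datasource="myDSN">
    SELECT order_id, placed_on
    FROM   orders
    WHERE  username = <cfqueryparam value="#session.username#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>
```

If some other page did write a client-supplied value into session.username, the query on orders.cfm would still be a fixed statement with one bound parameter; the damage would be limited to that page returning the wrong user's rows, which is an authorization bug in the page that set the variable, not an injection.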


Re: Session variables security

2011-01-24 Thread Richard White

OK thanks Ian

On 1/24/2011 8:57 AM, Richard White wrote:

Only if there is a place in your code for them to do so.  If you have a
vulnerable piece of code that can give unexpected and undesired results
because of malicious inputs from the client, then you have a problem.

But it is not an insecurity in the session variables; it is an insecurity
in your application and how it is setting those variables.  There is no
way for a user to send random code at a CF server and have it do
anything to session variables unless it is happening somewhere in the
CFML codebase.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341134