RE: Session variables security
No, I haven't used it, and I am in a closed environment where I don't need to worry about these things too much. However, I brought it up because some people find that it would cost them more to try to match the features than to actually buy it.

Regards,
Andrew Scott
http://www.andyscott.id.au/

-----Original Message-----
From: Rob Voyle [mailto:robvo...@voyle.com]
Sent: Wednesday, 26 January 2011 5:09 PM
To: Andrew Scott; cf-talk@houseoffusion.com
Subject: Re: Session variables security

Hi Andrew

Have you used this firewall or others that are out there? I find I have a great hesitancy about proprietary add-ons; as an old engineer I like/d to work from first principles. I have had more problems and time wasted from firewalls and antivirus programs than they are supposed to prevent. Once I get a basic process established it is not much of a problem to add it to the pages I am using.

Rob

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341321
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Session variables security
Hi Folks

I have several large forms connected to MySQL tables. I use cfqueryparam when querying and inserting data from the form after it has been validated for content that I need (no blank fields etc.). I created the following validation to check for scripts etc. being injected. Is there anything else I should check for that would indicate someone was hacking the page?

Thanks
Rob

<cfloop index="checkVariables" list="#user#, #upDate#, #parts#, #workshopCode1#, #workshopCode2#, #workshopCode3#, #programCode#" delimiters=",">
    <!--- characters that have no business in any of these fields --->
    <cfif REFind('[~^*+={}|\\/\[\]]', checkVariables)>
        <cfset badCharacter = "yes">
        <cfset errorData = "<h3>You have an illegal character ~^*+={}|\/ in one of the fields</h3>">
    </cfif>
    <!--- inline JavaScript event handler names --->
    <cfif REFindNoCase('onClick|onDblClick|onKeyDown|onKeyPress|onKeyUp|onMouseDown|onMouseOut|onMouseUp|onMouseOver|onBlur|onChange|onFocus|onSelect', checkVariables)>
        <cfset badEvent = "yes">
        <cfset errorData = "<h3>You have an illegal event in one of the fields</h3>">
    </cfif>
    <!--- HTML tag names and executable extensions; the dots are escaped so ".exe" does not match any character followed by "exe" --->
    <cfif REFindNoCase('script|object|applet|embed|form|layer|frame|frameset|param|meta|\.exe|\.bat', checkVariables)>
        <cfset badAction = "yes">
        <cfset errorData = "<h3>You have an illegal action script, object, applet, embed, form, layer, frame in one of the fields</h3>">
    </cfif>
    <!--- SQL keywords --->
    <cfif REFindNoCase('append|delete|char|declare|cast|execute|sp_sqlExecute|select|insert|update|drop|alter', checkVariables)>
        <cfset badSql = "yes">
        <cfset errorData = "<h3>You have an illegal database action append, delete, declare, cast, execute, sp_sqlExecute, select, insert, update, drop, alter in one of the fields</h3>">
    </cfif>
</cfloop>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341240
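The checks above are a denylist of substrings, so they fire on ordinary words that happen to contain a keyword ("Richard" contains "char", "information" contains "form"). Since the poster already uses cfqueryparam, the SQL keyword list buys no injection protection and mainly produces false rejections. The added example below (Python, not the poster's CFML, and not code from the list) ports the four denylist patterns so the false positives can be seen, and puts a per-field allowlist beside them: the field names are the ones in the posted loop, the permitted shapes (a short alphanumeric code, an ISO date, a small integer) are assumptions, and the sample form values are constructed.

```python
import re

# Port of the four denylist checks posted above (the original is CFML).
ILLEGAL_CHARS = re.compile(r"[~^*+={}|\\/\[\]]")
EVENT_HANDLERS = re.compile(
    r"onClick|onDblClick|onKeyDown|onKeyPress|onKeyUp|onMouseDown|onMouseOut"
    r"|onMouseUp|onMouseOver|onBlur|onChange|onFocus|onSelect",
    re.IGNORECASE,
)
ACTION_WORDS = re.compile(
    r"script|object|applet|embed|form|layer|frame|frameset|param|meta|\.exe|\.bat",
    re.IGNORECASE,
)
SQL_WORDS = re.compile(
    r"append|delete|char|declare|cast|execute|sp_sqlExecute|select|insert|update|drop|alter",
    re.IGNORECASE,
)


def blacklist_flags(value):
    """Return the set of flag names the denylist raises for one field value."""
    flags = set()
    if ILLEGAL_CHARS.search(value):
        flags.add("badCharacter")
    if EVENT_HANDLERS.search(value):
        flags.add("badEvent")
    if ACTION_WORDS.search(value):
        flags.add("badAction")
    if SQL_WORDS.search(value):
        flags.add("badSql")
    return flags


# Allowlist alternative: one pattern per field describing what it may hold.
# Field names come from the posted loop; the shapes are assumptions.
FIELD_PATTERNS = {
    "user": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
    "upDate": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "parts": re.compile(r"\d{1,4}"),
    "workshopCode1": re.compile(r"[A-Z0-9]{2,8}"),
    "workshopCode2": re.compile(r"(?:[A-Z0-9]{2,8})?"),  # assumed optional
    "workshopCode3": re.compile(r"(?:[A-Z0-9]{2,8})?"),  # assumed optional
    "programCode": re.compile(r"[A-Z0-9]{2,8}"),
}


def allowlist_errors(form):
    """Return {field: message} for every field whose value is not in the allowed shape.
    fullmatch anchors the whole value, so nothing outside the shape can slip in."""
    errors = {}
    for name, pattern in FIELD_PATTERNS.items():
        value = form.get(name, "")
        if pattern.fullmatch(value) is None:
            errors[name] = "value does not match the expected format for " + name
    return errors


# Constructed sample input, not from the mailing list.
GOOD_FORM = {
    "user": "rvoyle", "upDate": "2011-01-26", "parts": "3",
    "workshopCode1": "WS101", "workshopCode2": "", "workshopCode3": "",
    "programCode": "PGM7",
}
BAD_FORM = dict(GOOD_FORM, user="rob voyle", upDate="26/01/2011")

if __name__ == "__main__":
    for word in ("Richard", "information", "selection", "hello"):
        print(word, sorted(blacklist_flags(word)))
    print(allowlist_errors(GOOD_FORM))
    print(allowlist_errors(BAD_FORM))
```

Run stand-alone it shows "Richard", "information" and "selection" each rejected by the denylist while passing the allowlist for their field; the allowlist rejects only the values that do not have the expected shape, and it still leaves SQL safety to the bound parameters.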
RE: Session variables security
I am wondering if it would be cheaper for you to take a look at http://www.petefreitag.com/item/728.cfm; it might cost you more trying to protect in time coding and maintenance.

Regards,
Andrew Scott
http://www.andyscott.id.au/

-----Original Message-----
From: Rob Voyle [mailto:robvo...@voyle.com]
Sent: Wednesday, 26 January 2011 11:53 AM
To: cf-talk
Subject: Re: Session variables security

Hi Folks

I have several large forms connected to MySQL tables. I use cfqueryparam when querying and inserting data from the form after it has been validated for content that I need (no blank fields etc.). I created the following validation to check for scripts etc. being injected. Is there anything else I should check for that would indicate someone was hacking the page?

Thanks
Rob

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341241
Session variables security
Hi,

When the user logs in, I save their username to the session scope. Would I need to re-validate that username at the top of every page that uses it in a database query?

I previously thought this was not necessary, but if it is possible for someone to send malicious SQL injection then surely it is also possible (even though very unlikely) for someone to send code that changes the username stored in the session to some malicious SQL injection.

Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341131
Re: Session variables security
On 1/24/2011 8:57 AM, Richard White wrote:
> Hi,
>
> When the user logs in, I save their username to the session scope. Would I need to re-validate that username at the top of every page that uses it in a database query?
>
> I previously thought this was not necessary, but if it is possible for someone to send malicious SQL injection then surely it is also possible (even though very unlikely) for someone to send code that changes the username stored in the session to some malicious SQL injection.
>
> Thanks

Only if there is a place in your code for them to do so.

If you have a vulnerable piece of code that can give unexpected and undesired results because of malicious inputs from the client, then you have a problem. But it is not an insecurity in the session variables; it is an insecurity in your application and how it is setting those variables.

There is no way for a user to send random code at a CF server and have it do anything to session variables unless it is happening somewhere in the CFML codebase.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341133
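The reply above makes two points: the session scope is written only by the application's own code, and a query that binds its values with cfqueryparam is safe regardless of what the value contains. The added example below (Python with the standard sqlite3 module, not CFML and not code from the list) models both: a session dict that `login` fills only from a username the database confirmed, a later page that reads it back and binds it as a parameter, and, beside that, the string-concatenation form cfqueryparam replaces, which breaks on a perfectly legitimate username containing an apostrophe. The table and its two rows are constructed sample data.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not the poster's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("rvoyle", "Rob Voyle"), ("o'brien", "Pat O'Brien")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """The 'before' form: the value is spliced into the SQL text, so a quote in
    it changes the statement itself. This is what cfqueryparam exists to avoid."""
    sql = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The 'after' form, the Python equivalent of <cfqueryparam>: the value is
    sent as a bound parameter and is never parsed as SQL, whatever it contains."""
    sql = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def concatenation_breaks(conn, username):
    """True if the concatenated statement does not even parse for this username."""
    try:
        lookup_concatenated(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


def login(conn, session, username):
    """Store the username in the session only after the database confirmed it.
    The dict stands in for the server-side session scope: nothing but this
    application code writes to it, which is the point of the reply above."""
    if lookup_parameterized(conn, username):
        session["username"] = username
        return True
    return False


def profile_page(conn, session):
    """A later page: reads the server-side session value and binds it as a
    parameter. No re-validation of the session value is needed for the query
    to be safe, because the value is never interpreted as SQL."""
    if "username" not in session:
        return None
    names = lookup_parameterized(conn, session["username"])
    return names[0] if names else None


if __name__ == "__main__":
    conn = make_db()
    session = {}
    print(login(conn, session, "o'brien"), profile_page(conn, session))
    print("concatenated form breaks on o'brien:", concatenation_breaks(conn, "o'brien"))
```

The same apostrophe that makes the concatenated statement fail to parse is simply a data byte to the parameterized one, which is why the question of "re-validating" the session value never arises once every query binds it.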
Re: Session variables security
OK, thanks Ian

On 1/24/2011 8:57 AM, Richard White wrote:
> Only if there is a place in your code for them to do so.
>
> If you have a vulnerable piece of code that can give unexpected and undesired results because of malicious inputs from the client, then you have a problem. But it is not an insecurity in the session variables; it is an insecurity in your application and how it is setting those variables.
>
> There is no way for a user to send random code at a CF server and have it do anything to session variables unless it is happening somewhere in the CFML codebase.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341134