> Wow. I'm impressed you've found the hole and a patch so quickly.
> Maybe you should go work for Microsoft..... They could use the help.

I know my code inside and out, and if there's a hole, I can logic it out to the exact issue. MS has a LOT more code, and trying to logic a way through that tangle is worth an aneurysm.

> Please don't think I was complaining, BTW. I was just surprised as
> heck (and more than a little amused that they used your account).

You and me both.

> Considering this is the first time I've seen actual, literal Spam (as
> opposed to an individual out touting a product manually) I've chosen
> to be impressed with the determination it must have taken to get
> around your safeguards. Of course, there is one problem with the
> element of surprise -- if you don't make it count the first time, it's
> pretty useless. :-)

It was something I should have seen as a security hole if I'd stopped for a second to look at it. Basically, I was using client variables to deal with signin and the like. I found that CFMX basically creates long-term memory structures for all client vars, which means a site that is heavily trafficked by people and bots will start running up the RAM really fast. As each bot instance gets its own memory structure that does not time out for a chunk of time (how long is a mystery, as it is not tied to the session timeout that I can see), you get a pseudo memory leak. I mentioned this on Blog of Fusion a while back.

As a fast fix, I moved the client vars to cookie-based storage and put in some special code to prevent most bots from getting client variables. Problem is, cookie-based client vars show what you're storing, and someone can hack the cookie. This is what happened: someone hacked my userid and posted mail that way. I've removed the client vars and moved over to session, with most bots getting a quarter-second session storage. Either way, all that got through was a spam subject and no real body content, due to other parts of the list processor. I'll be rewriting part of that, part of the login, some user interface and more tonight. Sleep is for the weak!
Message: http://www.houseoffusion.com/lists.cfm/link=i:5:209692
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/5
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:5
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.5
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
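The two problems the post describes, a userid that the client can rewrite because it sits in plain form in a cookie, and per-visitor server memory that piles up when bots get long-lived state, as an added example in Python. This is not the author's CFMX code and does not reproduce how CFMX client variables or sessions are implemented; the cookie name USERID, the secret key, the forgery helpers, and the session lifetimes (twenty minutes for people, a quarter second for bots, following the post) are assumptions made for the illustration. The plain cookie is forged trivially; the HMAC-tagged cookie rejects the same forgery; the session store keeps the userid server-side behind an opaque token and lets bot entries expire almost immediately.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Server-side key used to tag cookies. Constructed for this example; a real
# deployment loads it from configuration and never sends it to the client.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def make_plain_cookie(userid: str) -> str:
    """The weak scheme from the post: the cookie is the bare value."""
    return f"USERID={userid}"


def read_plain_cookie(cookie: str) -> str:
    """The server trusts whatever comes back, so the client picks the userid."""
    name, _, value = cookie.partition("=")
    if name != "USERID":
        raise ValueError("unexpected cookie")
    return value


def forge_plain(new_userid: str) -> str:
    """What an attacker does to the plain cookie: just type a different value."""
    return f"USERID={new_userid}"


def make_signed_cookie(userid: str) -> str:
    """Hardened cookie: payload plus an HMAC-SHA256 tag keyed with SECRET_KEY."""
    payload = userid.encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    enc = base64.urlsafe_b64encode
    return f"USERID={enc(payload).decode()}.{enc(tag).decode()}"


def read_signed_cookie(cookie: str) -> Optional[str]:
    """Return the userid only if the tag verifies; None on any tampering."""
    name, _, value = cookie.partition("=")
    if name != "USERID" or "." not in value:
        return None
    enc_payload, _, enc_tag = value.rpartition(".")
    try:
        payload = base64.urlsafe_b64decode(enc_payload)
        tag = base64.urlsafe_b64decode(enc_tag)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload.decode()


def forge_signed(cookie: str, new_userid: str) -> str:
    """Attacker swaps the payload but cannot recompute the tag without the key."""
    _, _, value = cookie.partition("=")
    _, _, enc_tag = value.rpartition(".")
    return f"USERID={base64.urlsafe_b64encode(new_userid.encode()).decode()}.{enc_tag}"


class SessionStore:
    """Server-side sessions keyed by an opaque random token.

    The cookie carries only the token, so there is nothing to edit. Bots get
    a very short lifetime so their entries cannot accumulate; the lifetimes are
    assumptions for this example, not CFMX defaults.
    """

    def __init__(self, user_ttl: float = 20 * 60, bot_ttl: float = 0.25) -> None:
        self.user_ttl = user_ttl
        self.bot_ttl = bot_ttl
        self._data: Dict[str, Tuple[str, float]] = {}  # token -> (userid, expiry)

    def create(self, userid: str, is_bot: bool, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._data[token] = (userid, now + (self.bot_ttl if is_bot else self.user_ttl))
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a token to its userid, dropping it if it has expired."""
        now = time.time() if now is None else now
        entry = self._data.get(token)
        if entry is None:
            return None
        userid, expires = entry
        if now >= expires:
            del self._data[token]
            return None
        return userid

    def sweep(self, now: Optional[float] = None) -> int:
        """Evict every expired entry; return how many live sessions remain."""
        now = time.time() if now is None else now
        for token in [t for t, (_, exp) in self._data.items() if now >= exp]:
            del self._data[token]
        return len(self._data)


if __name__ == "__main__":
    print("plain forgery read as:", read_plain_cookie(forge_plain("1")))
    print("signed forgery read as:", read_signed_cookie(forge_signed(make_signed_cookie("42"), "1")))
```

The signed cookie stops the edit the post describes but still reveals the userid to whoever holds the cookie; if the value itself must stay private, or if the server needs to revoke a login, the opaque-token session store is the better fit, and the short bot lifetime plus a periodic `sweep` keeps its memory bounded.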
