>As a community that promotes the use of CF as a scalable, viable solution
>for web applications, we should all hail Brook for making an excellent
>point. Drawing attention to CF vulnerable sites is only killing our plight.

I can't say I agree wholeheartedly with this statement. The sooner these
issues are brought to light the sooner they can be addressed. I would much
rather bring the problem to light and have it fixed than sit back with my
fingers crossed hoping that the vulnerabilities aren't discovered. If
Phillip (the original poster) discovers this vulnerability then other people
can too. It seems to me that CF's reputation (and that of its users,
developers, and proponents) is better served by *fixing* any vulnerabilities
than by sweeping them under the rug, so to speak.

However, I don't mean to say that I agree with this vulnerability being
posted to the public forum in the manner that it was. Out of professional
courtesy, if nothing else, someone that discovers a vulnerability in
another's site/application should contact the affected party *privately*
first, thus giving said party a chance to address the issue. The implied
threat of a public announcement might help speed things along, however <g>.

Now, to switch topics, what exactly is this "SQL Server exposed URL
parameter hack"? This term doesn't ring any bells. Is this a CF-specific
issue?

Regards,
Seth Petry-Johnson
Argo Enterprise and Associates