You are all talking about past stuff, which has already been documented as being insecure and as a result is the first thing you fix on a new machine. I doubt any URL data will be able to fire off an SP, unless it knew the name, username and password of the SP etc.
I can understand all your points, but they are fairly self-explanatory in that they have been documented as being dangers and have either got a patch already or a wise precaution such as not installing docs etc. Oh, I also have a Trojan watcher on the machine... just in case. I heed your warnings, but I can safely say that my machine is at present 100% secure.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 22 January 2003 10:40
To: CF-Talk
Subject: RE: Goodbye cruel world

Quoting "Robertson-Ravo, Neil (RX)" <[EMAIL PROTECTED]>:
>
> I fail to see how it can be exploited? My AV software will capture the
> bad things, my firewall will block ALL types of traffic coming into my
> machine by default. All unnecessary ports have been disabled from listening
> and the only ones I have open are the ones I know I require. I do not see
> how one unfiltered URL data in a CFML page can exploit the machine?

What if the URL data causes some MS SQL Server stored procedure to be executed which does an HTTP request (outbound, so not filtered), and retrieves a modified IRC client? The next malformed URL data causes the IRC client to be executed, through MS SQL Server again, upon which the IRC client establishes a connection to some remote host (outbound, so not filtered) and reports back a 'ready to accept commands' message. Firewalls set to refuse inbound traffic on unknown ports actually provide little security.

An even easier example: what if you didn't follow the recommended procedures and you are running an old CF version with the documentation installed? Gives you file system access through the cffile examples so you can upload whatever you want and then use cfexecute to run it. Would your firewall refuse that traffic?

Stateful firewalls that monitor both in- and outbound traffic are a little better, they would stop the first example, but in the end security is an all out effort. You need to implement it at every level, not just at the gate.
Jochem
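
The "unfiltered URL data in a CFML page" discussed in this thread, shown beside a hardened form. This is an added example, not code from either poster; the datasource `appDSN`, the table `articles` and the parameter `url.id` are hypothetical names.

```cfml
<!--- Added example. appDSN, articles and url.id are assumed names. --->

<!--- Unfiltered: the URL value is pasted into the SQL text, so the
      database parses whatever follows ?id= as part of the statement.
      This runs inside the network perimeter, so no inbound firewall
      rule ever sees it as anything but an ordinary page request. --->
<cfquery name="qUnsafe" datasource="appDSN">
    SELECT title, body
    FROM articles
    WHERE article_id = #url.id#
</cfquery>

<!--- Hardened, step 1: reject anything that is not a short run of digits
      before the value gets near the database. --->
<cfparam name="url.id" default="">
<cfif NOT REFind("^[0-9]{1,9}$", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Hardened, step 2: bind the value as a typed parameter. The driver
      sends it as data, so it cannot change the statement being run. --->
<cfquery name="qSafe" datasource="appDSN">
    SELECT title, body
    FROM articles
    WHERE article_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```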

