OK, good points Raymond and Dave, although I'm not convinced that somebody
being able to view my source code would really make it less secure. Is that
hopelessly naive? I can answer that myself, I guess: why take that risk,
right?
I can't help thinking that if I should be prepared for somebody with FTP
access to break my site's security, then for somebody else to correctly guess
the name of any file, then to happen to spot a security weakness in the code of
that file rather than just trying to break the app through the browser... If
I should be prepared for that contingency then I'm obviously taking security
way too casually. Can anybody recommend a checklist of best practices for
adequately securing your app?
----- Original Message -----
From: "Dave Watts" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, April 01, 2003 8:14 AM
Subject: RE: Fusebox circuits (was: CFCs - get'ers Vs. return object
> > > However, you should only put files in a web-accessible
> > > directory if you intend for people to be able to fetch
> > > or run them directly within their browser by entering
> > > the appropriate URL. If you have files that aren't
> > > intended to be used that way, they shouldn't be in a
> > > web-accessible directory. If your shared host can't
> > > provide the minimal functionality required to segregate
> > > web content from non-web content, you should find another
> > > shared host.
> >
> > I simply prefix any file that shouldn't be run directly with
> > dsp_ or act_ or similar, and add
> >
> > <!--- Application.cfm: refuse any direct request for a file whose name
> >      starts with a three-letter prefix and an underscore (dsp_, act_, ...) --->
> > <cfif reFind("/..._", cgi.script_name)>
> > <cflocation url="">
> > </cfif>
> >
> > to application.cfm . Tell me why that's less secure.
>
> Because you have no guarantee that CF will always be working on your server,
> or that no one will discover a new source code browsing vulnerability, or
> that no one will accidentally delete your Application.cfm file. I imagine I
> could think of more reasons, if I cared to.
>
> It's been my experience that people tend to think of something as being
> secure if it works as expected, at the same time that everything else works
> as expected. A security-conscious person, however, should expect that
> everything else won't always work as expected.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
>
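Added illustration, not part of the thread and not code from either poster: a small
Python model of the two layouts being argued about. Layout A keeps dsp_home.cfm in
the web root and relies on the Application.cfm gate quoted above; layout B keeps it
in a directory beside the web root that no URL maps to. The toy server then shows
what a browser gets in the failure Dave describes (ColdFusion not processing
requests). The directory tree, file contents, the CF mapping used by layout B's
include, and the server's behaviour are all constructed assumptions.

```python
# Constructed model of the "gate in Application.cfm" vs. "file not under the
# web root" question. Nothing here is from the thread; it is an added example.
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# The poster's gate: reFind("/..._", cgi.script_name) in Application.cfm.
APP_CFM_GATE = re.compile(r"/..._")

# Constructed file contents; DSP_HOME stands in for source you would rather
# not hand to a browser verbatim.
DSP_HOME = '<cfoutput>#session.userId# logged in as #session.role#</cfoutput>'


def build_layouts():
    """Create two throwaway deployments under a temp dir and return
    (docroot_a, docroot_b).

    Layout A: index.cfm and dsp_home.cfm both in the web root; only the
              Application.cfm gate stands between dsp_home.cfm and a browser.
    Layout B: only index.cfm in the web root; dsp_home.cfm lives in a sibling
              directory no URL maps to (reached via a CF mapping, assumed).
    """
    base = Path(tempfile.mkdtemp(prefix="cf_layouts_"))

    a = base / "a" / "wwwroot"
    a.mkdir(parents=True)
    (a / "index.cfm").write_text('<cfinclude template="dsp_home.cfm">')
    (a / "dsp_home.cfm").write_text(DSP_HOME)

    b = base / "b" / "wwwroot"
    b.mkdir(parents=True)
    private = base / "b" / "app"
    private.mkdir()
    (b / "index.cfm").write_text('<cfinclude template="/app/dsp_home.cfm">')
    (private / "dsp_home.cfm").write_text(DSP_HOME)
    return a, b


def resolve(docroot, request_path):
    """Map a URL path to a file the way a web server does: percent-decode,
    join to the web root, and refuse anything that normalises to outside it.
    Returns a Path, or None when nothing servable is there."""
    root = Path(docroot).resolve()
    candidate = (root / unquote(request_path).lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None  # escaped the web root via .. or an encoded ..
    return candidate if candidate.is_file() else None


def serve(docroot, request_path, cf_running=True):
    """Toy request handler. With CF running, .cfm files are executed and the
    Application.cfm gate redirects prefixed requests. With CF not running
    (one of the failures Dave lists), the server returns whatever file the
    path resolves to, as plain text."""
    root = Path(docroot).resolve()
    target = resolve(docroot, request_path)
    if target is None:
        return "404"
    if cf_running and target.suffix == ".cfm":
        script_name = "/" + target.relative_to(root).as_posix()  # cgi.script_name
        if APP_CFM_GATE.search(script_name):
            return "redirect"  # the <cflocation> in Application.cfm fires
        return "executed"
    return target.read_text()  # raw source: exactly what the gate was meant to stop


if __name__ == "__main__":
    a, b = build_layouts()
    probes = ("/dsp_home.cfm", "/../app/dsp_home.cfm", "/%2e%2e/app/dsp_home.cfm")
    for root, name in ((a, "A"), (b, "B")):
        for cf in (True, False):
            for req in probes:
                print(f"layout {name} cf_running={cf!s:5} {req!r:30} -> {serve(root, req, cf)!r}")
```

In layout A the outcome for /dsp_home.cfm depends entirely on ColdFusion and
Application.cfm being in place; take either away and the file's source comes
back. In layout B the same request, and the two traversal attempts, all return
404 because the file is simply not under the web root, so there is nothing for
a gate to protect. That is the difference between "works while everything else
works" and a layout that holds when it doesn't.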
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription:
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
This list and all House of Fusion resources hosted by CFHosting.com. The place for
dependable ColdFusion Hosting.
Unsubscribe:
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4