This is kind of ironic and not really on topic, but just today, one of my co-workers was browsing a financial planning web site (running Tomcat) and accidentally put an extra slash in the wrong place. Like this http://www.site.com/\content/page.jsp. All of the source code was displayed...
--
jon mailto:[EMAIL PROTECTED]

Monday, March 31, 2003, 3:27:56 PM, you wrote:

MW> OK good points Raymond and Dave, although I'm not convinced that somebody
MW> being able to view my source code would really make it less secure. Is that
MW> hopelessly naive? I can answer that myself I guess: why take that risk,
MW> right?
MW> I can't help thinking that if I should be prepared for somebody with FTP
MW> access to break my site's security, then somebody else to correctly guess
MW> the name of any file, then happen to spot a security weakness in the code of
MW> that file rather than just by trying to break the app thru the browser... If
MW> I should be prepared for that contingency then I'm obviously taking security
MW> way too casually. Can anybody recommend a checklist of best practices for
MW> adequately securing your app?
MW> ----- Original Message -----
MW> From: "Dave Watts" <[EMAIL PROTECTED]>
MW> To: "CF-Talk" <[EMAIL PROTECTED]>
MW> Sent: Tuesday, April 01, 2003 8:14 AM
MW> Subject: RE: Fusebox circuits (was: CFCs - get'ers Vs. return object
>> > > However, you should only put files in a web-accessible
>> > > directory if you intend for people to be able to fetch
>> > > or run them directly within their browser by entering
>> > > the appropriate URL. If you have files that aren't
>> > > intended to be used that way, they shouldn't be in a
>> > > web-accessible directory. If your shared host can't
>> > > provide the minimal functionality required to segregate
>> > > web content from non-web content, you should find another
>> > > shared host.
>> >
>> > I simply prefix any file that shouldn't be run directly with
>> > dsp_ or act_ or similar, and add
>> >
>> > <cfif reFind("/..._", cgi.script_name)>
>> > <cflocation url="">
>> > </cfif>
>> >
>> > to application.cfm . Tell me why that's less secure.
>>
>> Because you have no guarantee that CF will always be working on your server,
>> or that no one will discover a new source code browsing vulnerability, or
>> that no one will accidentally delete your Application.cfm file. I imagine I
>> could think of more reasons, if I cared to.
>>
>> It's been my experience that people tend to think of something as being
>> secure if it works as expected, at the same time that everything else works
>> as expected. A security-conscious person, however, should expect that
>> everything else won't always work as expected.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>> voice: (202) 797-5496
>> fax: (202) 797-5444
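An added example (my own Python, not code from anyone in this thread) that emulates the quoted Application.cfm guard and audits a constructed webroot for dsp_/act_ files that, following Dave's advice, should be relocated outside it rather than merely redirected. It also shows that the pattern /..._ matches any three-character underscore prefix such as faq_, not only dsp_ and act_. The sample tree and file names are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Emulates the guard quoted in the thread:
#   <cfif reFind("/..._", cgi.script_name)><cflocation url=""></cfif>
# reFind is case-sensitive, so a plain re.search matches its semantics.
GUARD_PATTERN = re.compile(r"/..._")


def guard_redirects(script_name: str) -> bool:
    """True when the Application.cfm guard would redirect this request away."""
    return GUARD_PATTERN.search(script_name) is not None


def audit_webroot(webroot: Path, prefixes=("dsp_", "act_")) -> list:
    """Return paths (relative to webroot) of files that follow the
    internal-file naming convention yet still sit under the web-accessible
    directory. Each entry is a candidate to move outside the webroot,
    so that no guard has to be working for it to stay unreachable."""
    found = []
    for path in webroot.rglob("*"):
        if path.is_file() and path.name.lower().startswith(prefixes):
            found.append(path.relative_to(webroot).as_posix())
    return sorted(found)


def build_sample_webroot() -> Path:
    """Constructed sample tree (hypothetical site) to exercise the audit."""
    root = Path(tempfile.mkdtemp(prefix="cfaudit_"))
    for rel in ("index.cfm", "Application.cfm", "dsp_home.cfm",
                "circuits/act_login.cfm", "docs/faq_list.cfm"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<!--- constructed placeholder --->")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    print("internal files still inside the webroot:", audit_webroot(root))
    for name in ("/index.cfm", "/dsp_home.cfm", "/docs/faq_list.cfm"):
        verdict = "redirected" if guard_redirects(name) else "served"
        print(f"{name} -> {verdict}")
```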

