I agree with Isaac, but that is one of the bullet points I had as a "to-do" for the app before I quit. There are actually quite a few mild security issues on the list, but like I said, they decided to go live anyway rather than pay for someone to do the work. I even offered to do it or to bring someone up to speed... They had me do a little work on some things that really were unfinished, but they only paid me for 1/3 of the work I did. Now I can't get them to return my calls and it's time to see if they'll return my lawyer's calls instead. Sad.
--Ferg S.

Isaac Dealey wrote:
>>If you copy and paste the url into another browser, and it keeps your
>>session, that's bad... this means that if they send a link to a friend, or
>>post it somewhere, anyone clicking on it would be able to get into their
>>session (and possibly their account, if they are logged in), and be able to
>>steal their address, possibly cc, and/or order stuff using their cc to their
>>own address. This is why you shouldn't pass cfid/cftoken in url
>>parameters...
>
>Well that's my preference yes...
>
>however...
>
>"steal their address / cc # etc, or buy stuff for themselves with
>someone else's cc #" ... if I remember correctly not gonna happen with
>the F&F app... I could be wrong, but it was my impression that the
>shopping cart didn't work that way -- you add what you want, go to the
>cart and it requests your info (or possibly your un/password), runs the
>transaction and throws away your CC #.
>
>Simply having the cfid/cftoken in the url, while I don't like it, isn't
>necessarily a security risk. So that's why I don't understand that
>being described as "vulnerable to cookie stealing/replay attacks"... I
>generally only refer to something as being vulnerable to an "attack"
>if it allows someone to harm someone else in some way -- if it doesn't
>do that, then no amount of cfid/cftoken pairs in the url could be
>considered a "vulnerability".
>
>Granted, it's been a while since I worked on the F&F app and offhand,
>I can't say with certainty that it's not vulnerable... I just know
>that the cfid/cftoken in the url isn't proof of that.
>
>
>s. isaac dealey 954.522.6080
>new epoch : isn't it time for a change?
>
>add features without fixtures with
>the onTap open source framework
>
>http://www.fusiontap.com
>http://coldfusion.sys-con.com/author/4806Dealey.htm
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:215629
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
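The two positions in this exchange (a session identifier in the URL is a hijack vector versus it only matters if the session holds something worth taking) can both be checked in a toy model. The following Python is an added example, not code from the thread or from the F&F app: it models a ColdFusion-style session keyed by the CFID/CFTOKEN pair and replays a link a shopper shared after checking out, once with the identifiers appended to links and once with cookie-only resolution, and once with the card number retained in the session and once with it discarded. The `Shop` and `Session` classes, the `alice` / `hunter2` account, the address, and the card number are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Session:
    cfid: str
    cftoken: str
    cart: list = field(default_factory=list)
    user: Optional[str] = None   # set once the shopper authenticates
    card: Optional[str] = None   # only populated if the app retains the card (it should not)


class Shop:
    """Constructed stand-in for a CF app whose sessions are keyed by (CFID, CFTOKEN)."""

    def __init__(self, tokens_in_url: bool, keeps_card: bool):
        self.tokens_in_url = tokens_in_url  # weak: identifiers appended to every link
        self.keeps_card = keeps_card        # weak: card number kept in the session after checkout
        self.sessions = {}
        self.passwords = {"alice": "hunter2"}            # constructed sample account
        self.addresses = {"alice": "1 Example Street"}   # constructed sample address

    def new_session(self) -> Session:
        s = Session(cfid=str(len(self.sessions) + 1), cftoken=secrets.token_hex(8))
        self.sessions[(s.cfid, s.cftoken)] = s
        return s

    def link(self, s: Session, path: str) -> str:
        """Build a link to path; the weak config appends CFID/CFTOKEN the way addtoken="yes" does."""
        if self.tokens_in_url:
            return f"{path}?{urlencode({'CFID': s.cfid, 'CFTOKEN': s.cftoken})}"
        return path

    def resolve(self, url: str, cookies: dict) -> Optional[Session]:
        """Find the session a request belongs to: cookies first, URL parameters only if allowed."""
        pair = None
        if "CFID" in cookies and "CFTOKEN" in cookies:
            pair = (cookies["CFID"], cookies["CFTOKEN"])
        elif self.tokens_in_url:
            q = parse_qs(urlparse(url).query)
            if "CFID" in q and "CFTOKEN" in q:
                pair = (q["CFID"][0], q["CFTOKEN"][0])
        return self.sessions.get(pair)

    def login(self, s: Session, user: str, password: str) -> bool:
        if self.passwords.get(user) != password:
            return False
        s.user = user
        return True

    def checkout(self, s: Session, card: str) -> dict:
        """Run the transaction; the weak config leaves the card number in the session."""
        if s.user is None:
            raise PermissionError("checkout requires a logged-in user")
        if self.keeps_card:
            s.card = card
        return {"items": list(s.cart), "ship_to": self.addresses[s.user]}


def shared_link_replay(tokens_in_url: bool, keeps_card: bool) -> dict:
    """Victim shops, logs in, checks out, then shares a link; attacker opens it with no cookies."""
    shop = Shop(tokens_in_url, keeps_card)
    victim = shop.new_session()
    victim_cookies = {"CFID": victim.cfid, "CFTOKEN": victim.cftoken}
    victim.cart.append("widget")
    if not shop.login(victim, "alice", "hunter2"):
        raise RuntimeError("constructed credentials should authenticate")
    shop.checkout(victim, "4111111111111111")   # constructed test card number
    if shop.resolve("/cart.cfm", victim_cookies) is not victim:
        raise RuntimeError("victim's own cookie-bearing request must resolve")

    shared = shop.link(victim, "/cart.cfm")
    hijacked = shop.resolve(shared, cookies={})   # attacker holds none of the victim's cookies
    if hijacked is None:
        return {"hijacked": False, "link": shared}
    return {"hijacked": True, "link": shared, "cart": hijacked.cart,
            "address": shop.addresses.get(hijacked.user), "card": hijacked.card}
```

Running `shared_link_replay` under the three configurations shows where each side of the argument is right: with identifiers in the URL the shared link resumes the victim's still-authenticated session, and whether the attacker gets only the cart, or the cart plus the shipping address, or the card number as well, is decided purely by what the session retains after checkout. With cookie-only resolution the shared link carries nothing to replay. In real ColdFusion the corresponding knobs are `addtoken="no"` on `cflocation`, and using `URLSessionFormat()` (which only appends CFID/CFTOKEN when the client has no cookies) rather than appending the pair unconditionally; the remaining exposure is the authenticated session itself, so the safe default is to not keep the card and to end or re-key the session once the order is placed.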

