I'm putting the finishing touches on a security app and I have a dilemma:
My security system checks for proper permissions on every template,
whether that template is a top-level template (something called via a
url) or a template called as a custom tag or include. The security
check is embedded in each template and is not something found in
/Application.cfm. The idea being that if somehow someone gets wind of
the file name via a directory listing, they can run the file and this
will trigger a security alert.
The trouble is that security alert. Thats one template I can't
protect, since by definition its only going to be called by
unpermissioned or improperly permissioned visitors. The reason its
trouble is that I include a memory dump of several scopes, which go
into a database for admin review. The dump is saved like so:
<cfsavecontent variable="variables.foo">
<cfloop
list="#variables.scopelist#"
index="loopItem">
<cfif IsDefined("#loopItem#")>
<cfdump
var="#Evaluate(loopItem)#"
label="#loopItem#">
</cfif>
</cfloop>
</cfsavecontent>
<cfquery>
....save variables.foo to db...
</cfquery>
and is followed by a generic email message to the sys admin, with no details.
Finally to my question: How can I make this process more secure?
Don't do it at all? I want the admin to have a picture of whats going
on, but not if I have created a potential exploit with a tool meant to
be a buffer against same.
--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Find out how CFTicket can increase your company's customer support
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:221739
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
