Well, if your sensitive data is in a cfsavecontent variable that gets
stored to your DB, I'm not sure I see why that is insecure.  The CF
server won't let the user see that, so even if a miscreant manages to
find your security alert page, all they will see is the content you let
them see.  But if you're really worried about it, couldn't you send the
security alert page a memory variable or something?  For example, say
you have a cfif section that deals with security.  The line before the
call to your security page could set a memory variable, then your
security page checks that variable to make sure things are kosher before
running.  I guess it would have to be a structure or something, because
all of your pages could be writing to this space at the same time, which
would confuse your security alert page.

> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, October 20, 2005 3:12 PM
> To: CF-Talk
> Subject: Security question...
> 
> I'm putting the finishing touches on a security app and I 
> have a dilemma:
> 
> My security system checks for proper permissions on every template,
> whether that template is a top-level template (something called via a
> url) or a template called as a custom tag or include.  The security
> check is embedded in each template and is not something found in
> /Application.cfm.  The idea being that if somehow someone gets wind of
> the file name via a directory listing, they can run the file and this
> will trigger a security alert.
> 
> The trouble is that security alert.  That's one template I can't
> protect, since by definition it's only going to be called by
> unpermissioned or improperly permissioned visitors.  The reason it's
> trouble is that I include a memory dump of several scopes, which go
> into a database for admin review.  The dump is saved like so:
> 
> <cfsavecontent variable="variables.foo">
> <cfloop
>       list="#variables.scopelist#"
>       index="loopItem">
>       <cfif IsDefined(loopItem)>
>               <cfdump
>                       var="#Evaluate(loopItem)#"
>                       label="#loopItem#">
>       </cfif>
> </cfloop>
> </cfsavecontent>
> <cfquery>
> ....save variables.foo to db...
> </cfquery>
> 
> and is followed by a generic email message to the sys admin, 
> with no details.
> 
> Finally to my question:  How can I make this process more secure?
> Don't do it at all?  I want the admin to have a picture of what's going
> on, but not if I have created a potential exploit with a tool meant to
> be a buffer against same.
> 
> --
> --mattRobertson--
> Janitor, MSB Web Systems
> mysecretbase.com
> 
> 

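The "memory variable" the reply sketches is, in ColdFusion terms, a flag in the request scope: the caller sets it on the line before it includes the alert template, and the alert template refuses to run unless the flag is present. Because the request scope lives only for the one HTTP request that created it, each visitor gets their own copy and no per-page structure is needed to keep concurrent requests apart. The following is an added example written for this thread, not code from either poster. The file names (securitycheck.cfm, securityalert.cfm), the permission model (session.permissions as a list, variables.requiredPermission set by the including template), application.dsn and the security_alerts table are all assumptions; the dump loop is the one from the original post.

```cfml
<!--- securitycheck.cfm (hypothetical name): included at the top of every
      protected template. variables.requiredPermission is assumed to be set
      by the including template; session.permissions is assumed to be a
      comma-delimited list of granted permissions. --->
<cfif NOT StructKeyExists(session, "permissions")
      OR NOT ListFindNoCase(session.permissions, variables.requiredPermission)>
    <!--- This is the only code path allowed to invoke the alert template.
          The request scope is private to this HTTP request, so another
          visitor cannot see or pre-set the flag. --->
    <cfset request.securityAlertAuthorized = true>
    <cfset request.securityAlertSource = GetBaseTemplatePath()>
    <cfinclude template="/securityalert.cfm">
    <cfabort>
</cfif>


<!--- securityalert.cfm (hypothetical name): runs only when reached through
      securitycheck.cfm. A direct request, e.g. from a directory listing,
      gets a 404 and writes nothing to the database. --->
<cfif NOT StructKeyExists(request, "securityAlertAuthorized")
      OR NOT request.securityAlertAuthorized>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>
<!--- Consume the flag so a second include in the same request fails the check. --->
<cfset request.securityAlertAuthorized = false>

<!--- Scope dump as in the original post; the scope list is fixed by the
      developer, never taken from the visitor. --->
<cfset variables.scopelist = "form,url,cgi,cookie,session">
<cfsavecontent variable="variables.foo">
<cfloop list="#variables.scopelist#" index="loopItem">
    <cfif IsDefined(loopItem)>
        <cfdump var="#Evaluate(loopItem)#" label="#loopItem#">
    </cfif>
</cfloop>
</cfsavecontent>

<!--- application.dsn and the security_alerts table are assumptions.
      cfqueryparam keeps the (attacker-influenced) dump out of the SQL text. --->
<cfquery datasource="#application.dsn#">
    INSERT INTO security_alerts (alert_time, source_template, remote_addr, scope_dump)
    VALUES (
        <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp">,
        <cfqueryparam value="#request.securityAlertSource#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#cgi.REMOTE_ADDR#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#variables.foo#" cfsqltype="cf_sql_longvarchar">
    )
</cfquery>
```

Two caveats a practitioner would add. First, the guard only stops the alert template from being hit directly; anyone who fails a permission check still causes a row to be written, so the admin review page should expect noise and the insert should be cheap. Second, the stored dump is cfdump's HTML rendering of form, url and cookie data that the visitor supplied, so the review page must treat that column as untrusted content (encode it, or render it where it cannot execute as markup) rather than echoing it into an admin session as-is.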
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:221741
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4