Nope.  This isn't about telling where a person comes from at all, or
even whether they have permission to view a template.  That part is
already down pat.

There are situations where a hit to a template is something that
warrants not just a refusal to deliver the requested template, but a
security alert to the system admin.  Part of the security alert is the
delivery of diagnostic info to the admin, in the form of storing a db
record loaded with everything in memory at the time, basically
(strictly speaking the admin is not given the data... they have to log
in and securely view it).

In theory, someone could hit that 'dumper' template out of the blue,
and run it.  It cannot be permissioned since, by definition, it only
fires when an unpermissioned user hits something sensitive that they
shouldn't.  If a malicious bot or a lucky guess caused a direct hit to
the template the response to the client side would be a 500 error
(delivered via cfheader once the alert was complete).

So that dumper code is there, unpermissioned and safe-looking, but I
want to throw this concept out and see if I've missed a hole in it.

Here's a more complete version of the code I'm talking about:

<!---
collect the diag/tattler data
--->
<cfsavecontent variable="variables.dumpThis">
<cfloop
        list="CFCATCH,ERROR,APPLICATION,ATTRIBUTES,CALLER,CGI,CLIENT,FORM,REQUEST,SESSION,THIS,THISTAG,URL,VARIABLES"
        index="loopItem">
        <cfif IsDefined("#loopItem#")>
                <cfdump var="#Evaluate(loopItem)#" label="#loopItem#">
        </cfif>
</cfloop>
</cfsavecontent>
<!---
Store the data collected above.
default user id kicks in if no user logged in
--->
<cf_storedump
        User="#request.User#"
        Class="TATTLE"
        Title="Security Alert"
        Data="#variables.dumpThis#">
<cfmail
        to="#request.Email#"
        from="#request.Email#"
        server="#request.Server#"
        subject="Security Alert"
        type="HTML">
        Something has triggered an alert.
</cfmail>
<cfheader statuscode="500" statustext="Server Error">
<cfabort>

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:221742
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
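Added example (not code from the post or from MSB Web Systems): a hardened variant of the tattler template above that closes the two gaps a reviewer would raise against it. First, a direct request for the template is detected by comparing GetBaseTemplatePath() with GetCurrentTemplatePath(); when the file was cfincluded or called as a custom tag from the page that detected the violation, the two differ, so a direct hit can be refused before any scope is dumped. Second, the full dump plus e-mail is throttled per application so a scanner hitting protected URLs in a loop cannot fill the TATTLE table or the admin's inbox, and keys that look like credentials are masked before the dump is stored. The request.User, request.Email, request.Server values and the cf_storedump tag are taken from the post; the ten-minute window, the ceiling of 20 alerts and the key-name pattern are assumptions.

```cfml
<!---
Added example, not the original post's code.
Assumes request.User / request.Email / request.Server and the
cf_storedump custom tag exactly as used in the post.
--->

<!--- 1. Refuse to dump anything when this template was requested directly.
      When included from the page that detected the violation,
      GetBaseTemplatePath() is that page, not this file. --->
<cfif GetBaseTemplatePath() EQ GetCurrentTemplatePath()>
        <cf_storedump
                User="#request.User#"
                Class="TATTLE"
                Title="Direct hit on tattler template"
                Data="#cgi.remote_addr# #cgi.request_method# #cgi.script_name#">
        <cfheader statuscode="500" statustext="Server Error">
        <cfabort>
</cfif>

<!--- 2. Throttle the expensive part (full dump + e-mail).
      Window (10 minutes) and ceiling (20 alerts) are assumed values. --->
<cfset variables.sendFullAlert = true>
<cflock scope="application" type="exclusive" timeout="5">
        <cfif NOT StructKeyExists(application, "tattleWindowStart")
              OR DateDiff("n", application.tattleWindowStart, Now()) GTE 10>
                <cfset application.tattleWindowStart = Now()>
                <cfset application.tattleCount = 0>
        </cfif>
        <cfset application.tattleCount = application.tattleCount + 1>
        <cfif application.tattleCount GT 20>
                <cfset variables.sendFullAlert = false>
        </cfif>
</cflock>

<cfif variables.sendFullAlert>
        <!--- 3. Collect the scopes, masking keys that look like credentials
              before they are written to the database. --->
        <cfset variables.secretPattern = "(password|passwd|pwd|secret|token|cookie|auth)">
        <cfsavecontent variable="variables.dumpThis">
        <cfloop
                list="CFCATCH,ERROR,ATTRIBUTES,CALLER,CGI,CLIENT,FORM,REQUEST,SESSION,URL"
                index="loopItem">
                <cfif IsDefined(loopItem)>
                        <cfset variables.scopeRef = Evaluate(loopItem)>
                        <cfset variables.redacted = StructNew()>
                        <cfloop collection="#variables.scopeRef#" item="key">
                                <cfif ReFindNoCase(variables.secretPattern, key)>
                                        <cfset variables.redacted[key] = "[redacted]">
                                <cfelse>
                                        <cfset variables.redacted[key] = variables.scopeRef[key]>
                                </cfif>
                        </cfloop>
                        <cfdump var="#variables.redacted#" label="#loopItem#">
                </cfif>
        </cfloop>
        </cfsavecontent>

        <cf_storedump
                User="#request.User#"
                Class="TATTLE"
                Title="Security Alert"
                Data="#variables.dumpThis#">
        <cfmail
                to="#request.Email#"
                from="#request.Email#"
                server="#request.Server#"
                subject="Security Alert"
                type="HTML">
                Something has triggered an alert. Log in to view the stored TATTLE record.
        </cfmail>
<cfelse>
        <!--- Over the ceiling: keep a one-line record so the flood itself
              is still visible, but do not dump scopes or send mail. --->
        <cf_storedump
                User="#request.User#"
                Class="TATTLE"
                Title="Security Alert (throttled)"
                Data="#cgi.remote_addr# #cgi.script_name# #cgi.query_string#">
</cfif>

<cfheader statuscode="500" statustext="Server Error">
<cfabort>
```

The direct-hit check only works if the tattler is always reached through cfinclude, cfmodule or a custom tag call from the page that caught the violation; if it is wired up through cferror instead, the base template is still the original requested page, so the check holds there as well. The VARIABLES scope is deliberately left out of the list because, inside cfsavecontent, it would include the partially built dump itself.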