First thing is you will want to wrap all of your query variables with a cfqueryparam tag. I also wrap them with the XMLFormat() function as that will render strings non-executable. For example...

Select x,y,z
From tablename
Where xx=<cfqueryparam cfsqltype="CF_SQL_Integer" value="#XMLFormat(variable.xxddrr)#">

There are also other attributes to tighten it down further like if it is allowed to be null, or a list, etc...

The other big thing is to make sure your variables are scoped. This makes it so that you know exactly where it is coming from and prevents overriding from a source that is higher up in the order of operations. Local vars get the variables scope. Then there is URL, form, application, session, etc...

This will cover cross site scripting and SQL injection.

------------------------------------
Three Ravens Consulting
Eric Roberts
Owner/Developer
[email protected]
tel: 630-486-5255
fax: 630-310-8531
http://www.threeravensconsulting.com
------------------------------------

-----Original Message-----
From: Jamie Bowers [mailto:[email protected]]
Sent: Thursday, November 15, 2012 10:55 AM
To: cf-talk
Subject: Security Question(s)

I haven't done Coldfusion since CF4, however recently have been tasked to look at a CF7MX application that has 3 security issues they are looking to fix.

1. Cross Site Scripting - I believe I have this one figured out using the Admin Panel's "Enable global script protection"
2. Format String Injection
3. Parameter Based Buffer Overflow

I have been able to find generalized information on the other two issues, but nothing as it relates to CF itself. Will the "Enable global script protection" fix these other two as well or should I be looking elsewhere? Everything I am finding has to do with SQL injection and not Format String Injection, and I'm finding nothing on Parameter Based Buffer Overflow.

Any help anyone could provide would be great.

Thanks,
Jamie

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353183
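Added example, not from either poster in the thread: the pattern the reply describes, shown as an unscoped, concatenated query next to the scoped, parameterised version. The datasource name, the users table and the url/form fields are assumed for illustration.

```cfml
<!--- Added example (not from the original thread). Datasource "myDsn",
      table "users" and the url/form fields are assumed. --->

<!--- Vulnerable: an unscoped variable is concatenated straight into the SQL.
      "id" may be resolved from url, form or cookie, and whatever it holds
      is executed as part of the statement. --->
<cfquery name="getUserBad" datasource="myDsn">
    SELECT id, name, email
    FROM users
    WHERE id = #id#
</cfquery>

<!--- Hardened: the value is scoped explicitly (url.id), passed as a bound
      parameter, and typed as an integer, so a non-numeric value is rejected
      before the statement reaches the database. --->
<cfquery name="getUser" datasource="myDsn">
    SELECT id, name, email
    FROM users
    WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
</cfquery>

<!--- The extra attributes the reply mentions: a length cap on a string
      parameter, and list="true" for a comma-separated IN list. --->
<cfquery name="findUsers" datasource="myDsn">
    SELECT id, name
    FROM users
    WHERE name LIKE <cfqueryparam cfsqltype="cf_sql_varchar"
                                  value="#form.search#%" maxlength="50">
      AND id IN (<cfqueryparam cfsqltype="cf_sql_integer"
                               value="#form.ids#" list="true">)
</cfquery>

<!--- Encode on output so a stored value cannot render as markup or script. --->
<cfoutput query="findUsers">
    #XMLFormat(name)#<br>
</cfoutput>
```

Binding parameters stops the database from treating user input as SQL; the output encoding is a separate step that covers the cross site scripting side.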

