>First thing is you will want to wrap all of your query variables with a
>cfqueryparam tag. I also wrap them with the XMLFormat() function as that
>will render strings non-executable. For example...
>
>Select x,y,z
>From tablename
>Where xx=<cfqueryparam cfsqltype="CF_SQL_Integer"
>value="#XMLFormat(variable.xxddrr)#">
>
>There are also other attributes to tighten it down further like if it is
>allowed to be null, or a list, etc...
>
>The other big thing is to make sure your variables are scoped. This makes
>it so that you know exactly where it is coming from and prevents overriding
>from a source that is higher up in the order of operations. Local vars get
>the variables scope. Then there is URL, form, application, session, etc...
>
>
>This will cover cross site scripting and SQL injection.
>
>------------------------------------
>Three Ravens Consulting
>Eric Roberts
>Owner/Developer
>[email protected]
>tel: 630-486-5255
>fax: 630-310-8531
>http://www.threeravensconsulting.com
>------------------------------------
>
>I haven't done Coldfusion since CF4, however recently have been tasked to
>look at a CF7MX application that has 3 security issues they are looking to
>fix.
>
>1. Cross Site Scripting - I believe I have this one figured out using the
>Admin Panel's "Enable global script protection"
>2. Format String Injection
>3. Parameter Based Buffer Overflow
>
>I have been able to find generalized information on the other two issues,
>but nothing as it relates to CF itself. Will the "Enable global script
>protection" fix these other two as well or should I be looking elsewhere?
>Everything I am finding has to do with SQL injection and not Format String
>Injection, and I'm finding nothing on Parameter Based Buffer Overflow.
>
>Any help anyone could provide would be great.
>
>Thanks,
>Jamie
Thanks. I know to use the cfparam and cfqueryparam tags to prevent SQL injection and XSS; will this also prevent these other two errors I listed?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353197
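As an added example (not code from the original post or from Eric's reply), here is the pattern the quoted reply describes written out for a CF7/MX page: the unscoped, string-built query beside a hardened version that scopes and validates its inputs with cfparam, binds every value with cfqueryparam (cfsqltype, maxlength, and the list attribute), and encodes at output time. The datasource appDSN, the products table and its columns, and the url.id / url.search parameters are assumptions made up for the example.

```cfml
<!--- Added example, not from the original post. Assumes a datasource
      named "appDSN" and a table "products" with columns id, name, notes.
      Both the DSN and the table are hypothetical. --->

<!--- Vulnerable: an unscoped variable is concatenated into the SQL text.
      "id" may be resolved from URL, form or cookie, and a value such as
      1 OR 1=1 becomes part of the statement. --->
<cfquery name="qBad" datasource="appDSN">
    SELECT id, name, notes
    FROM   products
    WHERE  id = #id#
</cfquery>

<!--- Hardened version --->

<!--- 1. Scope the inputs explicitly and validate them before use.
      cfparam with type="numeric" throws if url.id is not a number,
      so a non-numeric payload never reaches the query at all. --->
<cfparam name="url.id" type="numeric" default="0">
<cfparam name="url.search" type="string" default="">

<!--- 2. Bind every value with cfqueryparam. The value travels to the
      driver separately from the SQL text, so it cannot alter the
      statement. maxlength bounds the string the database receives. --->
<cfquery name="qGood" datasource="appDSN">
    SELECT id, name, notes
    FROM   products
    WHERE  id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
    <cfif Len(Trim(url.search))>
      AND  name LIKE <cfqueryparam cfsqltype="cf_sql_varchar"
                                  value="%#url.search#%"
                                  maxlength="60">
    </cfif>
</cfquery>

<!--- 3. A delimited list is bound too: list="true" expands the value
      into one placeholder per element instead of splicing raw text. --->
<cfset idList = "3,7,12">
<cfquery name="qList" datasource="appDSN">
    SELECT id, name
    FROM   products
    WHERE  id IN (<cfqueryparam cfsqltype="cf_sql_integer"
                                value="#idList#" list="true">)
</cfquery>

<!--- 4. Encode when rendering: HTMLEditFormat() escapes < > & " so
      stored text is displayed rather than interpreted as markup. --->
<cfoutput query="qGood">
    <p>#HTMLEditFormat(name)#: #HTMLEditFormat(notes)#</p>
</cfoutput>
```

The example keeps the SQL binding and the HTML encoding as two separate steps: cfqueryparam protects the statement, and the output encoding protects the page, so neither transformation has to be applied to the value before it is stored.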

