Yes there are resources online regarding this type of thing, did you check the links I sent you in my previous reply.
On Fri, Nov 16, 2012 at 4:50 PM, Jamie Bowers <[email protected]> wrote:

> > > I haven't done ColdFusion since CF4, however recently have been
> > > tasked to look at a CF7MX application that has 3 security
> > > issues they are looking to fix.
> > >
> > > 1. Cross Site Scripting - I believe I have this one figured out
> > > using the Admin Panel's "Enable global script protection"
> > > 2. Format String Injection
> > > 3. Parameter Based Buffer Overflow
> > >
> > > I have been able to find generalized information on the other two
> > > issues, but nothing as it relates to CF itself. Will the "Enable
> > > global script protection" fix these other two as well or should I be
> > > looking elsewhere? Everything I am finding has to do with SQL
> > > injection and not Format String Injection, and I'm finding nothing
> > > on Parameter Based Buffer Overflow.
> >
> > First, no, enabling global script protection will not fix all three
> > issues. In fact, it's not guaranteed to fix XSS issues; although it
> > may block many XSS attacks, it doesn't prevent XSS attacks generally,
> > it just filters data for known XSS attack strings.
> >
> > XSS attacks occur when an attacker can send client-side executable
> > code (typically JavaScript, but it could be anything else that an HTML
> > page can tell a local computer to do) to your server, and your server
> > stores that and later delivers it to other users. The attack isn't
> > really targeting the server specifically, but rather those other
> > users.
> >
> > The other two things are attacks on your server, and are basically
> > similar to SQL injection: the attacker sends a value that your code
> > takes and passes directly to a function. XSS filtering has nothing to
> > do with them. For example, let's say you have a line of code like
> > this:
> >
> > <cfinclude template="#form.nextpage#.cfm">
> >
> > An attacker could inject a value there, because you're taking data
> > directly from the browser and using it to do something. Now, that
> > specific attack wouldn't be very helpful to an attacker in most cases,
> > but it shows you what I mean, I guess.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.
>
> And using the cfparam tags will help stop these types of attacks?
>
> Is there a good ColdFusion security primer online about these kinds of
> things somewhere?
>
> By the way Figleaf is where I took my ColdFusion training way back when
> CF3 was the latest and greatest.
>
> Jamie
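The cfinclude pattern Dave describes, with a hardened version beside it, as an added example that is not code from the thread; the page names, the allowlist struct and the "security" log file are assumptions, and structNew() is used so it runs on CF7.

```cfml
<!--- Vulnerable pattern from the thread: the template name comes straight from the request --->
<!--- <cfinclude template="#form.nextpage#.cfm"> --->

<!--- Hardened version: cfparam fixes the type, an allowlist decides what may be included --->
<cfparam name="form.nextpage" type="string" default="home">
<!--- cfparam helps where the value has a fixed type: a non-integer id throws instead of passing through --->
<cfparam name="url.id" type="integer" default="0">

<!--- Assumed page map; its keys are the only nextpage values ever accepted --->
<cfset allowedPages = structNew()>
<cfset allowedPages["home"]    = "pages/home.cfm">
<cfset allowedPages["about"]   = "pages/about.cfm">
<cfset allowedPages["contact"] = "pages/contact.cfm">

<cfif structKeyExists(allowedPages, form.nextpage)>
    <!--- Only a path we mapped ourselves reaches cfinclude; request data never becomes a path --->
    <cfinclude template="#allowedPages[form.nextpage]#">
<cfelse>
    <!--- Log the rejected value (HTML-encoded, since logs are often viewed in a browser) and fall back --->
    <cflog file="security" type="warning"
           text="Rejected nextpage value: #htmlEditFormat(form.nextpage)#">
    <cfinclude template="pages/home.cfm">
</cfif>

<!--- For the XSS point: global script protection only filters known strings, so encode on output --->
<cfparam name="form.comment" type="string" default="">
<cfoutput><p>#htmlEditFormat(form.comment)#</p></cfoutput>
```

The type="string" cfparam accepts any text, which is why the allowlist, not cfparam, is what protects the cfinclude.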

