> > And using the cfparam tags will help stop these types of attacks?
> 
> They can, but more importantly you have to either:
> - not use values from the browser directly within functions, etc
> - or, identify the range of acceptable values for these, and filter accordingly.
> 
> > Is there a good cold fusion security primer online about these
> > kinds of things somewhere?
> 
> I'd start with the CF 9 Lockdown Guide - while it doesn't really talk
> about secure programming specifically, it does give you an idea of the
> range and functionality of vulnerabilities. That is really well
> written, and I think every CF developer and server administrator
> should read it.
> 
> Beyond that, Jason Dean's site, http://www.12robots.com/, has a lot of
> security info that's specific to CF.
> 
> There's also the OWASP CF resources page:
> 
> https://www.owasp.org/index.php/ColdFusion_Security_Resources
> 
> Finally, though, I would recommend that you not limit yourself to
> CF-specific resources. There are lots of general resources out there,
> and it's very easy to draw the conclusions you need from them.
> 
> > By the way Figleaf is where I took my ColdFusion training way back
> > when CF3 was the latest and greatest.
> 
> That was a long time ago!
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
> 
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
Somewhat related, how do I determine that any hot-fix or security patch I may 
download and install is indeed installed? 
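To make the quoted advice concrete, here is an added example (not code from Dave Watts, Fig Leaf, or anyone in this thread) of the two rules he gives: never pass a browser-supplied value straight into a function or query, and reduce each value to its known-acceptable range first. The datasource name `myDsn`, the table `products` and its columns are assumed placeholders.

```cfml
<!--- Added example, not from the thread. Assumed names: datasource "myDsn",
      table "products" with columns product_id and product_name. --->

<!--- 1. cfparam declares the type and a safe default. A non-integer url.id
      throws an expression error before it can reach the query. --->
<cfparam name="url.id" type="integer" default="0">

<!--- 2. Column and direction names cannot be bound with cfqueryparam, so
      they are compared against an explicit allow-list and reset to a
      known value when they are anything else. --->
<cfparam name="url.sortCol" type="string" default="product_name">
<cfparam name="url.sortDir" type="string" default="asc">

<cfset allowedCols = "product_id,product_name">
<cfif NOT listFindNoCase(allowedCols, url.sortCol)>
    <cfset url.sortCol = "product_name">
</cfif>
<cfif NOT listFindNoCase("asc,desc", url.sortDir)>
    <cfset url.sortDir = "asc">
</cfif>

<!--- 3. A range check on top of the type check: ids are never negative. --->
<cfif url.id LT 0>
    <cfthrow type="InvalidArgument" message="id must be a non-negative integer">
</cfif>

<!--- 4. The user-controlled id is bound with cfqueryparam, not interpolated
      into the SQL text. The ORDER BY identifiers are interpolated only
      because step 2 reduced them to constants the application chose. --->
<cfquery name="getProducts" datasource="myDsn">
    SELECT product_id, product_name
    FROM   products
    <cfif url.id GT 0>
    WHERE  product_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfif>
    ORDER BY #url.sortCol# #url.sortDir#
</cfquery>
```

The point of the allow-list step is that anything which ends up in the SQL text without a bind parameter (here the sort column and direction) must be chosen by the application, not merely validated as "a string"; cfparam's type check alone is not enough for those.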

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353251