On Mon, Nov 19, 2012 at 1:48 PM, Jamie Bowers <jamiembow...@netscape.net>wrote:
> Somewhat related, how do I determine that any hot-fix or security patch I
> may download and install is indeed installed?
>

Jamie, one thing I'd like to point out is that if you are using CF7 then you have unpatched vulnerabilities on the server. CF7 has been End of Life for a while and has not received any security updates in a couple of years - so even if your code is secured, your server platform is likely not. You will also need to make sure your JVM is patched, which again might be a challenge since CF7 doesn't run on Java 1.6 (without appropriate JVM patches an attacker can simply send a magic number to your server and cause it to hang, among other possibilities).

To answer your question here about how you know what patches are installed: <plug>I created a service http://hackmycf.com specifically for that reason - you can scan your domain for free, but we also offer paid services that can find more details.</plug> You can also try using the ColdFusion administrator to see what the update level is, but that is not a great solution; see http://www.carehart.org/blog/client/index.cfm/2012/6/18/what_hotfixes_have_been_applied for more info.

Finally, I also wanted to point out that XmlFormat is not a stopgap for XSS either. For example, if you have this:

    <cfoutput>
    <script>
    var id = #XmlFormat(url.id)#;
    </script>
    </cfoutput>

you are not at all protected from XSS - so XSS protection really depends on where the variable is output. It could be in a tag, javascript, css, a url, a tag attribute; all have their own encoding rules that must be applied to properly prevent the attack.

Hope that helps.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
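The script-context point above, as an added example that is not part of Pete's mail or of ColdFusion itself: xml_format is a Python stand-in for ColdFusion's XmlFormat (assumed here to escape only the five XML special characters), encode_for_javascript is a constructed JavaScript-string-literal encoder of the kind a script context needs, and the sample request value is constructed. The check counts statements in the rendered script body, so you can see that XML escaping leaves an unquoted JavaScript value free to become a second statement while context-correct encoding keeps it as data.

```python
import re

# Assumed behaviour of XmlFormat (Python stand-in, not Adobe's code):
# only the five XML special characters are escaped, nothing else.
XML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;"}


def xml_format(value: str) -> str:
    """XML-context escaping: correct inside an XML/HTML text node, nowhere else."""
    return "".join(XML_ESCAPES.get(ch, ch) for ch in value)


def encode_for_javascript(value: str) -> str:
    """JavaScript-string-literal encoding (constructed encoder): every character
    outside ASCII [A-Za-z0-9] becomes \\xHH (or \\uHHHH above 0xFF), so the
    value can only ever be data inside a quoted JS string."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp <= 0xFF:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def render_xml_formatted(user_id: str) -> str:
    """The pattern from the mail: value placed unquoted in a <script> block
    after XML escaping. Deliberately kept as the weak form."""
    return f"<script>\nvar id = {xml_format(user_id)};\n</script>"


def render_js_encoded(user_id: str) -> str:
    """Hardened pattern: always quote the value and encode it for the
    JavaScript string context it lands in."""
    return f'<script>\nvar id = "{encode_for_javascript(user_id)}";\n</script>'


_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')


def statement_count(script_html: str) -> int:
    """Rough defender's check: number of ';'-terminated statements in the
    script body once double-quoted string literals are blanked out. The
    template above emits exactly one statement; anything more means the
    request value escaped its data context."""
    m = re.search(r"<script>(.*?)</script>", script_html, re.S)
    body = m.group(1) if m else ""
    return _QUOTED.sub("", body).count(";")


if __name__ == "__main__":
    sample = "1; injected()"  # constructed request value, no XML specials in it
    print(render_xml_formatted(sample), statement_count(render_xml_formatted(sample)))
    print(render_js_encoded(sample), statement_count(render_js_encoded(sample)))
```

The takeaway matches the mail: the encoder has to match the output context (here a JavaScript string), and the value must be quoted so there is a string context to encode for in the first place.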
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353266