> I've been reading this thread since the beginning and came up 
> with a pretty comfortable solution. I call it cf_antihack. It's 
> a blanket script with a pretty quick run time. I haven't placed 
> it on the Developers Exchange yet, but I might.
> 
> I am offering it to you guys first so I can get some input on it.
> 
> You can get the code at my site at http://www.rubak.com/cf-codes.cfm
> 
> Don't forget to give me some feedback. If people like this 
> solution, I plan to increase its reach to cover other security 
> issues.
> 
> Disclaimer: I am by no means a security expert. I just came 
> up with (what I think is) a good idea.

I'm not a security expert either, but you did ask for feedback, so here
goes.

The problem with your tag is that it only defends against a very small set
of specific malicious attacks. However, in reality an attacker is usually
not interested in purely destructive attacks (DROP TABLE, etc) but rather
wants to get access to things that he shouldn't be able to access. For
example, the attacker might want to obtain credit card numbers, or might
want to install a rootkit on your server, or might simply want a location to
stash files. Those sorts of attacks through strings sent to the database are
still possible with your tag.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
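Added example (mine, written in Python rather than ColdFusion, and not the cf_antihack code from the post): a constructed destructive-keyword blacklist in the spirit of the tag, run beside the same lookup done with a bound parameter. The table, the word list, and the sample inputs are all constructed for the demonstration. It shows the point made above: the blacklist stops a DROP TABLE payload, but an input that contains no blacklisted word still changes which rows the query returns, while the parameterized form (the role `cfqueryparam` plays in CFML) treats the same input as plain data.

```python
import re
import sqlite3

# Constructed destructive-keyword blacklist in the spirit of the tag
# described in the thread (not the actual cf_antihack word list).
BLACKLIST = re.compile(r"\b(DROP|DELETE|TRUNCATE|ALTER|SHUTDOWN)\b", re.IGNORECASE)


def passes_blacklist(value: str) -> bool:
    """True if the input contains none of the blacklisted keywords."""
    return BLACKLIST.search(value) is None


def make_db() -> sqlite3.Connection:
    """Constructed sample table: the application is only meant to look up
    a single customer by the name the user supplies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_number TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [
            ("alice", "4111-xxxx-xxxx-0001"),
            ("bob", "4111-xxxx-xxxx-0002"),
            ("carol", "4111-xxxx-xxxx-0003"),
        ],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Blacklist-then-concatenate, as the tag does: input that survives
    the keyword check is still pasted into the SQL text, so any input that
    changes the WHERE clause changes which rows come back."""
    if not passes_blacklist(name):
        return []  # the tag's behaviour: refuse the request outright
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the input is bound as a value and never parsed as
    SQL, so no keyword list is needed and none can be bypassed."""
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # A normal lookup behaves the same either way.
    print(lookup_concatenated(db, "alice"), lookup_parameterized(db, "alice"))
    # The destructive payload is caught by the blacklist.
    print(lookup_concatenated(db, "x'; DROP TABLE customers; --"))
    # An input with no blacklisted word passes the filter but still
    # rewrites the WHERE clause and returns every customer.
    print(lookup_concatenated(db, "' OR '1'='1"))
    # The same input bound as a parameter matches nothing.
    print(lookup_parameterized(db, "' OR '1'='1"))
```

The second and third prints are the whole argument: a keyword list only knows the words it was given, whereas binding the value removes the question of which words to list.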
