Josh,
Do keep us all posted as to the outcome of all this. There are those of
us who will, no doubt, want to jump right on any solutions you find.
If you need a list to keep up with this, let me know and I'll create a
temporary (or permanent if needed) list to accommodate.
Take care...
Lee Fuller
Chief Technical Officer
PrimeDNA Corporation / AAA Web Hosting Corporation
"We ARE the net."
http://www.aaawebhosting.com
> -----Original Message-----
> From: Josh R [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 10, 2001 10:08 PM
> To: CF-Talk
> Subject: RE: URL Hacks - Solution
>
>
>
> >From: "Paris Lundis" <[EMAIL PROTECTED]>
> >Subject: RE: URL Hacks - Solution
> >I think the script is a good first attempt and seems to address the URL
> >hack threads previously that have gone around.
>
> Thank you. My feelings exactly. As usual, Dave Watts was right when he said
> this script doesn't cover enough attacks. However, it was intended to cover
> the attack that started this thread. I'll be happy to expand its abilities
> if I can get some help.
>
> >so programmatically (SQL wise) what else might one post in the string to
> >pick up further data???... May the SQL gods speak...
>
> The fun part about dealing with hack attacks on a public forum like this is
> that no one wants to dish any details, which is a good thing, but it does
> make projects like this difficult.
>
> >I think if we all chip in with some specifics this program could get
> >furthered and cover perhaps other known hack arounds...
>
> If anyone has any other info on database hacks that they'd like to help
> defend against, please contact me off list. The more I know about, the
> better this script can be.
>
> If you have just general comments, please post them here of course. Maybe
> your thought will get someone thinking.
>
> Thanks again, Paris for the good words and push to continue.
>
> >From: "Bruce, Rodney" <[EMAIL PROTECTED]>
> >Subject: RE: URL Hacks - Solution
> >URL hacks I think are easier to handle than form.Variables.
>
> As far as I'm concerned, variables are variables. These attacks require
> certain language context no matter if they come from urls, forms, etc., so
> filtering out the key phrase(s) the right way *should* repel them.
>
> >But I like the idea of adding the notification by email when an attempted
> >hack is tried and then kicking them off site.
>
> Thanks, Bruce. That's the real meat of my security concepts. If anything
> unwanted is going on, I want to know about it and get rid of them. I never
> understood why we throw a friendly error message to someone attacking our
> system.
>
> But that's just me.
>
>