JavaScript could cause trouble if what someone submits appears in the site to everyone, a forum maybe. You could do some huge loops that go on for ages, or pop-ups that don't stop popping.
Ade

-----Original Message-----
From: Cornillon, Matthieu [mailto:[EMAIL PROTECTED]]
Sent: 26 June 2002 21:09
To: CF-Talk
Subject: security: attacks through submission of script

Hi.

I am evaluating the security of my application as regards malicious attack via manipulation of the Cookie, URL, or Form variables. I know about the business with submission of unauthorized SQL statements, and have already screened for it. But then there is the issue of unauthorized script insertion.

For example, if a form asks for a value (FormVar) and the action page displays that value (<CFOUTPUT>#Form.FormVar#</CFOUTPUT>), the educated user can submit things other than those intended, causing interesting results. If they enter <font color="red">Check this out!</font>, the next page will display Check this out! in red letters. I have also successfully passed JavaScript like this.

Going on my basic (and hopefully correct) assumption that JavaScript is set up so that it cannot (a) harm the user's machine or (b) harm the server, I am not going to worry about this, since the worst a user will do is pass themselves a JavaScript routine that produces an error.

That is fine for client-side scripting, but I am worried about server-side scripting. Submission of ColdFusion code through these variables shouldn't matter, since it won't appear in the template until after ColdFusion processing has occurred, meaning that the inserted code itself will not be processed. Are there any other scripting languages, though, that would be evaluated on the server side AFTER the CFAS processes the template?

Thanks,
Matthieu

______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
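The fix for the echo problem Matthieu describes (and the stored variant Ade raises, where the value is shown to every visitor of a forum) is to HTML-encode the value at output time rather than trust it; in CFML of that era the built-in for this is HTMLEditFormat(). The script below is an added example written for this page, not code from either poster: it simulates the `<CFOUTPUT>#Form.FormVar#</CFOUTPUT>` page in Python, feeds it the `<font>` value from the message plus two constructed inputs, and checks whether the submitted text was able to add markup to the page. The `render_*` and `introduces_markup` names are this example's own.

```python
import html

# Constructed sample submissions. The first is the one quoted in the original message;
# the others are ordinary text that an encoder must not mangle.
SAMPLE_INPUTS = [
    '<font color="red">Check this out!</font>',
    'plain text, nothing special',
    'Tom & Jerry <3',
]


def render_unescaped(form_var: str) -> str:
    """Mimics <CFOUTPUT>#Form.FormVar#</CFOUTPUT>: the raw value is pasted into the page."""
    return f"<p>You entered: {form_var}</p>"


def render_escaped(form_var: str) -> str:
    """Same page, but the value is HTML-encoded first.

    html.escape turns & < > " ' into entities, so the browser shows the characters
    as text instead of parsing them as tags or attributes. This is the same idea as
    wrapping the variable in HTMLEditFormat() in CFML.
    """
    return f"<p>You entered: {html.escape(form_var, quote=True)}</p>"


def introduces_markup(rendered: str) -> bool:
    """True if the rendered page contains more tag openers than the empty template does.

    Any extra '<' can only have come from the submitted value, i.e. the user was able
    to inject their own markup into the page.
    """
    template_openers = render_unescaped("").count("<")
    return rendered.count("<") > template_openers


def main() -> None:
    for value in SAMPLE_INPUTS:
        raw = render_unescaped(value)
        safe = render_escaped(value)
        print(f"input:      {value!r}")
        print(f"  raw:      {raw}  injected={introduces_markup(raw)}")
        print(f"  encoded:  {safe}  injected={introduces_markup(safe)}")


if __name__ == "__main__":
    main()
```

Encoding at the point of output is preferable to filtering the input, because the same stored value may later be placed in other contexts (an attribute, a URL, a script) where a tag-stripping filter written for one context does not help; each context needs its own encoder applied where the value is written out.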

