I'm not sure on PHP, but CF has no context of the business
requirements for the data, so how could it validate it? I'm more
specifically concerned about the querystring variable, as this could
be just about anything....
This is a common vulnerability, but it does require some special
circumstances for it to work correctly....
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or that
we are to stand by the president right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public."
-- Theodore Roosevelt
On Apr 25, 2008, at 3:33 PM, Mike Staver wrote:
I want to make sure I'm understanding this right - according to Wikipedia, you should URL encode cflocation values when they come from variables? More specifically, a variable like cgi.HTTP_HOST? It's odd to me that ColdFusion doesn't automatically verify something like that first. From the article, it sounds like PHP already does some validation.
This code is insecure and subject to HTTP Response Splitting. You need to validate the various CGI variables before responding with a 302 redirect. Or, preferably, you use DNS to resolve both URLs to the same server.
http://en.wikipedia.org/wiki/HTTP_response_splitting
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson
On Apr 25, 2008, at 9:53 AM, Ajas Mohammed wrote:
Hi,
I have a client who has a URL, say www.xyz.com. They want a new URL, www.abc.com, so that when the user enters www.xyz.com, the user should see www.abc.com in the address bar of the browser. Basically an alias/redirection with the address bar showing the new URL. I could have done the redirection by DNS names/URL redirection at the website level, but the problem is I have a subfolder application, i.e. www.xyz.com/subapp. Now if I do DNS/URL redirection, and the user tries to access the subfolder application with this URL, www.xyz.com/subapp/home.cfm, it takes the user automatically to www.abc.com/home.cfm, i.e. the main application without the subfolder application, and I don't want that. It should take the user to www.abc.com/subfolder/home.cfm.
So to avoid this redirection at the website level, I added this code in Application.cfm
Code:
<!--- Relocate if not a secure connection --->
<cfif cgi.SERVER_PORT is "80" and CGI.SERVER_PORT_SECURE is "0">
    <!--- replace xyz with abc --->
    <cfset x = "https://#Replace(cgi.HTTP_HOST,"xyz","abc")##cgi.PATH_INFO#">
    <cfif cgi.query_string is "">
        <cfset y = "">
    <cfelse>
        <cfset y = "?#cgi.query_string#">
    </cfif>
    <cflocation url="#x##y#"><cfabort>
<cfelseif cgi.HTTP_HOST contains "xyz">
    <!--- replace xyz with abc --->
    <cfset x = "https://#Replace(cgi.HTTP_HOST,"xyz","abc")##cgi.PATH_INFO#">
    <cfif cgi.query_string is "">
        <cfset y = "">
    <cfelse>
        <cfset y = "?#cgi.query_string#">
    </cfif>
    <cflocation url="#x##y#"><cfabort>
</cfif>
My questions to you guys are:
1. Is this a good practice?
2. Do you see any security issues?
3. Any performance issues?
4. Does it ring any bells?
5. Anything obvious I am missing here, or do you have a better solution?
Thanks,
--
<Ajas Mohammed />
http://ajashadi.blogspot.com
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.
"Live as if you were to die tomorrow. Learn as if you were to live forever."
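The validation Dean asks for, as an added example that is not code from this thread, written in Python rather than CFML so it can be run stand-alone. It performs the same xyz-to-abc rewrite as the Application.cfm above, but checks the client-supplied Host against an assumed allowlist (ALLOWED_HOSTS is an assumption) and re-encodes the path and query string so a CR/LF can never reach the Location header; build_redirect is a name chosen for this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, quote, urlencode

# Hostnames this application is willing to redirect to (constructed for
# this example). The Host header is chosen by the client, so it is checked
# against a fixed set rather than trusted.
ALLOWED_HOSTS = {"www.xyz.com", "www.abc.com"}
_HOST_RE = re.compile(r"^[a-z0-9.-]+(:[0-9]{1,5})?$")


def build_redirect(http_host: str, path_info: str, query_string: str) -> Optional[str]:
    """Return the https://www.abc.com/... URL the CFML builds, or None.

    None means "refuse to redirect" (the caller should answer 400 instead);
    a raw CR or LF never reaches the Location header.
    """
    # 1. Host: must look like a hostname and be on the allowlist before the
    #    xyz -> abc rewrite is applied.
    host = http_host.strip().lower()
    if not _HOST_RE.match(host) or host.split(":")[0] not in ALLOWED_HOSTS:
        return None
    host = host.replace("xyz", "abc")

    # 2. Path: reject control characters outright, then percent-encode
    #    anything outside the unreserved set ("/" is kept so /subapp/ survives).
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path_info):
        return None
    path = quote(path_info or "/", safe="/")

    # 3. Query: decode each name=value pair and re-encode it, so %0d%0a (or a
    #    literal CR/LF) inside a value comes back as %0D%0A, not a header break.
    query = urlencode(parse_qsl(query_string, keep_blank_values=True))

    url = f"https://{host}{path}"
    if query:
        url += "?" + query
    # Final guard: a Location value must be a single line.
    return url if "\r" not in url and "\n" not in url else None


if __name__ == "__main__":
    print(build_redirect("www.xyz.com", "/subapp/home.cfm", "id=5"))
```

Anything that returns None is logged and answered with a 400 rather than redirected, which is the safe failure mode for an untrusted Host or query string.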
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------