Clarke,

Sounds like you have a partially complete authorization model. What you might be missing is authorization to individual data elements. So when the user attempts to edit a user, does the system verify that he not only has permission to edit a user, but permission to edit *this specific* user? The same is true for deletions. This attack pattern is commonly called horizontal privilege escalation and it is an area where few apps make good authorization decisions. So you'll definitely want to check it out.

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"[T]he people can always be brought to the bidding of the leaders. This is easy. All you have to do is to tell them they are being attacked, and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same in every country."
    --Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials
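Dean's point above (a role check alone is not enough; each edit or delete must also verify that the caller may touch that specific record) and Cameron's note further down in the thread (session scope is shared by CFM pages and CFCs under one Application.cfc) can be put into ColdFusion code as follows. This is an added example, not code from anyone on this thread. The file names, the session keys (session.userID, session.roles, session.orgID, assumed to be set at login), the application.dsn datasource and the users table with a userID/orgID column are all assumptions; the per-record rule used here (an admin may only manage users in their own organisation) is one illustrative policy.

```cfml
<!--- Application.cfc (assumed layout; added example) --->
<cfcomponent output="false">
    <cfset this.name = "UserAdmin">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- onRequestStart fires for .cfm pages and for direct requests to
          remote CFC methods under this Application.cfc, so the login check
          covers the Ajax calls as well. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfif not structKeyExists(session, "userID")>
            <cfif right(arguments.targetPage, 4) eq ".cfc">
                <!--- An Ajax caller cannot follow a redirect to a login page
                      usefully; send 401 so the client can prompt for login
                      (this is also what an expired session looks like). --->
                <cfheader statuscode="401" statustext="Unauthorized">
                <cfreturn false>
            <cfelse>
                <cflocation url="login.cfm" addtoken="false">
            </cfif>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- users.cfc (assumed name; added example) --->
<cfcomponent output="false">

    <!--- Defense in depth: the CFC re-checks authorization itself instead of
          trusting that Application.cfc ran. Two questions are asked:
          1. may this caller manage users at all? (role)
          2. may this caller manage THIS user? (per-record check, which is
             what stops horizontal privilege escalation) --->
    <cffunction name="assertCanManage" access="private" returntype="void" output="false">
        <cfargument name="targetUserID" type="numeric" required="true">
        <cfset var q = "">

        <cfif not structKeyExists(session, "userID")>
            <cfthrow type="Auth.NotLoggedIn" message="Login required">
        </cfif>
        <cfif not listFindNoCase(session.roles, "useradmin")>
            <cfthrow type="Auth.Forbidden" message="Role useradmin required">
        </cfif>

        <!--- Per-record check: look up the target and compare its owner
              (organisation) with the caller's. Never trust an ID from the
              client to be "one of yours" without this lookup. --->
        <cfquery name="q" datasource="#application.dsn#">
            SELECT orgID
            FROM   users
            WHERE  userID = <cfqueryparam value="#arguments.targetUserID#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfif q.recordCount eq 0 or q.orgID neq session.orgID>
            <!--- Same response for "does not exist" and "not yours", so the
                  caller cannot enumerate valid IDs from the error. --->
            <cfthrow type="Auth.Forbidden" message="Not permitted for this user">
        </cfif>
    </cffunction>

    <!--- access="remote" is required for the Ajax call, so the method itself
          must do the authorization; nothing about "remote" restricts callers. --->
    <cffunction name="deleteUser" access="remote" returntype="boolean" output="false">
        <cfargument name="userID" type="numeric" required="true">
        <cfset assertCanManage(arguments.userID)>

        <!--- The orgID predicate repeats the ownership rule in the query
              itself, so a race or a future code change cannot widen it. --->
        <cfquery datasource="#application.dsn#">
            DELETE FROM users
            WHERE  userID = <cfqueryparam value="#arguments.userID#" cfsqltype="cf_sql_integer">
            AND    orgID  = <cfqueryparam value="#session.orgID#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn true>
    </cffunction>

</cfcomponent>
```

To test the expired-session case Clarke asks about without waiting on a real timeout, call the remote method with no session cookie (or after clearing the browser's cookies) and confirm the response is the 401 from onRequestStart rather than the method running; to test the per-record check, log in as an admin of one organisation and call deleteUser with the userID of a user from another organisation, which must fail with Auth.Forbidden and leave the row in place.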



On Jul 21, 2008, at 4:06 PM, Clarke Bishop wrote:

Thanks all for your suggestions!

Cameron, you mentioned sessions will be available in both your CFM pages and CFCs as long as they share a common Application.cfc file. So, you'd put the
CFC in the same directory as the CFM?

And, if I did that, the request for the CFC would still cause an
onRequestStart event in Application.cfc? Right now, my onRequestStart
function checks to see if the user is logged in and has the correct
permissions. If not, they get redirected to a login page. So, this would
work with a CFC call too?

I'm also wondering what happens when the session expires. The user opens the page then goes to lunch. They come back and try to edit or delete a user, but the session has expired. I guess I could set a really short session timeout to see what happens. But, is there a better way to test something
like this?

Thanks again to everyone for your help!

  Clarke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cameron
Childress
Sent: Monday, July 21, 2008 11:01 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Securing CFCs

This is actually one of the biggest security problems on the internet right
now, unprotected web services, remoting services, AJAX services.
You can actually solve this a number of different ways. You might check out
the "Securing Web Services" section in the docs first:

http://livedocs.adobe.com/coldfusion/8/htmldocs/webservices_22.html

There is also a link on that page to "Securing Applications":
http://livedocs.adobe.com/coldfusion/8/htmldocs/appSecurity_01.html

Lastly, I would say that it's good to remember that any sessions you create on a CFM page should also be accessible in your CFCs, as long as they share a common Application.cfc file. This is a great way to enforce a common
security model across CFM and CFC code...

-Cameron

On Mon, Jul 21, 2008 at 10:46 AM, Clarke Bishop <[EMAIL PROTECTED]>
wrote:
I have one remaining problem to solve in my adventure with CF/Ajax.
The CFCs have to have access="remote".

But, this means anyone can access the methods. What I built is a
master/detail, CRUD thing for administering users. So, I obviously
don't want some unauthorized person deleting my users or adding new ones.

Normally, I've used access="public" before which wouldn't let an
outside user get to the methods. But, what's the best way to give
access to my valid CFM pages with Ajax and prevent access by bad guys?

Thanks for any ideas!

  Clarke





-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]