I think it's a great idea! I've toyed with doing such a thing, but never got
off my duff and wrote it.

I was thinking of something where you'd have a db table storing clear
fuseaction names, and hashed names. Tie it to another app that would, on
a nightly scheduled basis, generate new hashes, and go through every CF
template, doing a find/replace for the old hashes with the new hashes. This
way your window of vulnerability would be cut down to one day, were a
fuseaction to be compromised.

I think that with Fusebox, these types of security measures can be made very
easy to implement, seeing how every client request passes through index.cfm.
Something like this could be cleaned up into a very tight security model,
and included in a future Fusebox book, I think...

Alan McCollough
Web Programmer
Allaire Certified ColdFusion Developer
Alaska Native Medical Center

> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, November 29, 2000 10:19 AM
> To:   Fusebox
> Subject:      Encrypting FuseActions
> 
> A co-worker and I came up with this possible tool to conceal the names of
> FuseActions, for even heightened security for the paranoid. It consists of
> a custom tag to create a structure containing FuseActions and their
> encrypted values, and a line to decrypt the passed FuseAction.
> 
> I haven't tested this code yet, we just whipped it up real quick and I 
> wanted to see what y'all thought of the idea - any merit?
> 
> <!--- Source of CF_SETFUSEACTIONS: --->
> 
> <CFPARAM NAME="Attributes.FuseActions" DEFAULT="">
> <CFPARAM NAME="Attributes.Key" DEFAULT="KermitTheFrog">
> <CFPARAM NAME="Attributes.Return" DEFAULT="S_FuseActions">
> 
> <CFSET S_FuseActions = StructNew()>
> 
> <CFLOOP LIST="#Attributes.FuseActions#" INDEX="FuseAction">
>       <CFSET SetVariable("S_FuseActions.#FuseAction#", Encrypt(FuseAction, Attributes.Key))>
> </CFLOOP>
> 
> <CFSET SetVariable("Caller.#Attributes.Return#", S_FuseActions)>
> 
> <!--- In the calling template: --->
> 
> <CF_SETFUSEACTIONS FUSEACTIONS="Login,Logout,Display" KEY="MyKey">
>       
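> <!--- Encrypt() output can contain characters that are not URL-safe, so escape it --->
> <CFOUTPUT><A HREF="default.cfm?F=#URLEncodedFormat(S_FuseActions.Login)#">Login</A></CFOUTPUT>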
> 
> <!--- At the top of the FuseBox (index.cfm) or app_globals.cfm : --->
> 
> <CFSET Attributes.FuseAction = Decrypt(Attributes.F, Application.FuseActionKey)>
> 
> 
> 
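
The table idea from the reply above (clear fuseaction names mapped to regenerated hashed names, resolved at the single point every request passes through) as an added sketch in Python; it is not code from either poster or from Fusebox. The class and method names and the HMAC-SHA256 token derivation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed allowlist; Login/Logout/Display are the names used in the thread.
FUSEACTIONS = ("Login", "Logout", "Display")


class FuseactionTable:
    """Clear-name <-> opaque-token table, rebuilt on every rotation."""

    def __init__(self, actions, key=None):
        self._actions = tuple(actions)
        self.rotate(key)

    def rotate(self, key=None):
        # A fresh random key per rotation stands in for the nightly job.
        key = key or secrets.token_bytes(32)
        self._by_name = {a: self._token(key, a) for a in self._actions}
        self._by_token = {t: a for a, t in self._by_name.items()}

    @staticmethod
    def _token(key, action):
        # Keyed hash: without the key, a token cannot be computed from the name.
        mac = hmac.new(key, action.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]  # hex is URL-safe, no escaping needed

    def link(self, action, page="index.cfm"):
        # Templates ask for the current token at render time, so a rotation
        # needs no find/replace across source files.
        return f"{page}?F={self._by_name[action]}"

    def resolve(self, token):
        # Front-controller check: only tokens in the table map to an action.
        # Anything else returns None and the request should be refused.
        return self._by_token.get(token or "")


if __name__ == "__main__":
    table = FuseactionTable(FUSEACTIONS)
    url = table.link("Login")
    token = url.split("F=", 1)[1]
    print(url, "->", table.resolve(token))
    table.rotate()  # the nightly regeneration
    print("old token after rotation ->", table.resolve(token))
    print("clear name as token ->", table.resolve("Login"))
```

Because `resolve` is a lookup rather than a decryption, input that is not a current token never turns into a fuseaction name. The token only conceals the name, so each fuseaction still needs its own permission check.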