Security Warning Update

Tue, 30 Jan 2001 10:28:19 -0800 

I know this security warning was posted back in May of 2000 but I think it needs to be 
readdressed.
After installing the "+.htr" patch on our NT4.0 server back in May, everything was 
good.However; in January 2001 we upgraded to Windows 2000 server and IIS5. At the time 
I wasn't thinking of going back an reviewing old patches. You'd assume these would be 
fixed in new releases or service packs. I was wrong and the +.htr problem still exists 
and when migrating your server to Windows2000, you'll need to reapply the patch. 
Everyone who has upgraded should check their site. I've noticed quite a few sites that 
still have this hole.

Other things I've noticed and would like to comment on:
  a.. Don't supply usernames and passwords to databases (or anything) in your code 
because if your code does get exposed, these will be available to the world.
  b.. Don't rely on cfencrypt to secure your code because there are decrypt utilities 
available.
  c.. Don't allow for "free" input into your cfqueries, validate user input.
  d.. Check for referrer in action type forms. IE: I have a login.cfm page that posts 
to an authenticate.cfm page. Make sure that the authenticate.cfm page only takes input 
from your server and the login.cfm page. If you don't, people will be able to write 
their own login.cfm page on another page and post to your authenticate.cfm page.
  e.. Check that you have an IP address to send debug info to or someone can type 
?mode=debug in the URL to pick up valuable info about your site.
  f.. Don't end your files with anything but cfm. I've noticed people ending their 
include files with things like .inc or .h. These will not get processed and a user who 
goes to it directly will see the code.

Allaire has released some good stuff on this at:
http://www.allaire.com/developer/securityzone/



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

Reply via email to