g.. (though kind of covered in c..) _always_ either quote variables in
cfquery or val() them, or URL hacking can cause:

SELECT foo
FROM   bar
WHERE  id = #attributes.id#

to evaluate to:

SELECT foo
FROM   bar
WHERE  id = 1;DELETE FROM foo

and SQL Server 7 will run this (provided the user has permission)


> -----Original Message-----
> From: daved [mailto:[EMAIL PROTECTED]]
> Sent: 30 January 2001 17:57
> To: Fusebox
> Subject: Security Warning Update
> 
> 
> I know this security warning was posted back in May of 2000 
> but I think it needs to be readdressed.
> After installing the "+.htr" patch on our NT4.0 server back 
> in May, everything was good. However, in January 2001 we 
> upgraded to Windows 2000 server and IIS5. At the time I 
> wasn't thinking of going back and reviewing old patches. You'd 
> assume these would be fixed in new releases or service packs. 
> I was wrong and the +.htr problem still exists and when 
> migrating your server to Windows 2000, you'll need to reapply 
> the patch. Everyone who has upgraded should check their site. 
> I've noticed quite a few sites that still have this hole.
> 
> Other things I've noticed and would like to comment on:
>   a.. Don't supply usernames and passwords to databases (or 
> anything) in your code because if your code does get exposed, 
> these will be available to the world.
>   b.. Don't rely on cfencrypt to secure your code because 
> there are decrypt utilities available.
>   c.. Don't allow for "free" input into your cfqueries, 
> validate user input.
>   d.. Check for referrer in action type forms. i.e.: I have a 
> login.cfm page that posts to an authenticate.cfm page. Make 
> sure that the authenticate.cfm page only takes input from 
> your server and the login.cfm page. If you don't, people will 
> be able to write their own login.cfm page on another page and 
> post to your authenticate.cfm page.
>   e.. Check that you have an IP address to send debug info to 
> or someone can type ?mode=debug in the URL to pick up 
> valuable info about your site.
>   f.. Don't end your files with anything but cfm. I've 
> noticed people ending their include files with things like 
> .inc or .h. These will not get processed and a user who goes 
> to it directly will see the code.
> 
> Allaire has released some good stuff on this at:
> http://www.allaire.com/developer/securityzone/
> 
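Worked example of point g.. above (added here; not code from either mail). It assumes a datasource named myDSN, a table bar with an integer column id, and that attributes.id comes from the URL. Beside the val() fix the mail suggests, it also shows rejecting bad input and binding the value with cfqueryparam, which the mail does not mention.

```cfml
<!--- Added example, not from the original mails. Assumes datasource "myDSN",
      table "bar" with integer column "id"; attributes.id is user-supplied. --->

<!--- BEFORE: the unquoted, unvalidated interpolation the mail warns about.
      A request such as ?id=1;DELETE FROM foo lands in the SQL verbatim. --->
<cfquery name="getFoo" datasource="myDSN">
    SELECT foo
    FROM   bar
    WHERE  id = #attributes.id#
</cfquery>

<!--- AFTER, option 1 (the mail's val() advice): val() keeps only the leading
      numeric part, so val("1;DELETE FROM foo") is 1 and the rest is dropped. --->
<cfquery name="getFoo" datasource="myDSN">
    SELECT foo
    FROM   bar
    WHERE  id = #val(attributes.id)#
</cfquery>

<!--- AFTER, option 2: reject instead of coerce (isNumeric("1;DELETE FROM foo")
      is false), then bind the value as a typed parameter so the database
      driver never treats it as SQL text. --->
<cfif NOT isNumeric(attributes.id)>
    <cfabort showerror="Invalid id">
</cfif>
<cfquery name="getFoo" datasource="myDSN">
    SELECT foo
    FROM   bar
    WHERE  id = <cfqueryparam value="#attributes.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Option 1 silently turns bad input into a (possibly wrong) record lookup, while option 2 fails loudly and leaves a trace in your logs, which is usually what you want for a login or admin action.
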
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists