I also prefer to keep my usernames and passwords in the CF Admin. If they
can get to your server to run queries, then they can find the code
(typically application.cfm) where the passwords are stored. I think it is
much more difficult to gain access to the server and run queries than it
would be to use a hack like +.htr and find a username/password and set up an
ODBC connection to the database server. I'd also suggest everyone use some
type of firewall and close off port 1433 or whatever their database is
running on. I don't think the world needs access to that port, and at least
if they get the username and password, they won't be able to connect
directly.

I think this security hole and others are quite serious. We all have
clients, and our clients expect us to be professional and thorough in our
coding. There is a problem when I can go to a site and within 5 mins (I'm not
even a hacker, and the site I'm referring to was no Mom & Pop) have complete
access to the site's database and all of those poor souls that have their
information on record there. As part of the Cold Fusion/Web Community, I
think we all have a responsibility to keep the information we manage as
secure as possible and to help those who are unaware of the security issues
of their site. I'm no zealot, but I think everyone should go to 5 URLs they
know that use <CF> and try the +.htr hack. I know it's not the only hack, but
it's a start. Skip the "large" sites, just go to your local ones. Those in
your city or town. If you can see code, then you should notify the
tech support for that site. This will only strengthen the CF Community and
help retain the professionalism of our trade.

Cheers!
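As an added defender's-side example (not from the thread or from any of its authors): a small Python scanner that picks the +.htr source-disclosure probe mentioned above out of IIS W3C extended log lines, so a site owner can tell whether anyone has tried it against their templates. The log lines are constructed for the example, and the field layout is assumed to be the standard `#Fields:` directive format.

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C extended log lines (not taken from the thread); the
# "+.htr" requests are the source-disclosure probe the post refers to.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-01-31 09:12:03 10.0.0.7 GET /index.cfm - 200
2001-01-31 09:12:09 10.0.0.7 GET /application.cfm+.htr - 200
2001-01-31 09:12:31 10.0.0.7 GET /admin/dsn.cfm+.htr - 200
2001-01-31 09:13:01 10.0.0.9 GET /help/x.htr - 404
2001-01-31 09:15:22 10.0.0.4 GET /products.cfm id=7 200
"""

# A real script name with its own extension, then "+.htr" glued on the end
# (e.g. /application.cfm+.htr). IIS W3C logs write a space as "+", so the
# " .htr" variant shows up in the log the same way.
APPENDED_HTR = re.compile(r"\.\w+\+\.htr$", re.IGNORECASE)

@dataclass
class Finding:
    ip: str
    stem: str
    status: int
    reason: str

def scan_iis_log(text: str) -> list[Finding]:
    """Return one Finding per request that asked for a .htr resource."""
    fields: list[str] = []
    findings: list[Finding] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(".htr"):
            continue
        status = int(rec.get("sc-status", "0"))
        if APPENDED_HTR.search(stem):
            reason = "+.htr appended to a script name"
            if status == 200:
                reason += "; a 200 suggests the source was returned"
        else:
            reason = "plain request for a .htr resource"
        findings.append(Finding(rec.get("c-ip", "?"), stem, status, reason))
    return findings
```

A hit with status 200 against application.cfm is the case the post describes: the template, and any inline datasource credentials in it, were handed back as text, so rotate those credentials and move them into the CF Admin datasource.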




----- Original Message -----
From: "Ken Beard" <[EMAIL PROTECTED]>
To: "Fusebox" <[EMAIL PROTECTED]>
Sent: Wednesday, January 31, 2001 9:30 AM
Subject: RE: Security Warning Update


> I prefer to pass the db username/password on the url
> in plain text format with every page request.
>
> --- "McCollough, Alan" <[EMAIL PROTECTED]> wrote:
> > I don't explicitly set the db username/password at
> > the CFQUERY; instead, I
> > set it purely at the CF Admin page.
> >
> > Ya know, I'm beginning to think everything is a
> > security risk; it's just a
> > question of how much of a risk do you wanna accept.
> >
> > Alan McCollough
> > Web Programmer
> > Allaire Certified ColdFusion Developer
> > Alaska Native Medical Center
> >
> > > -----Original Message-----
> > > From: Bud [SMTP:[EMAIL PROTECTED]]
> > > Sent: Tuesday, January 30, 2001 6:21 PM
> > > To: Fusebox
> > > Subject: RE: Security Warning Update
> > >
> > > On 1/30/01, Marc Funaro penned:
> > > >Where should one set the usernames and passwords
> > for databases -- in the
> > > >ODBC connection on CF Server?  I thought that was
> > a security risk too...
> > > >{redacted}
> > > I'm curious about that also.
> > > -- {redacted}
> > > Unsubscribe:
> > http://www.houseoffusion.com/index.cfm?sidebar=lists
> >
> >
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists