It's been a while since I have dipped my toes into Mach-II (unfortunately), so this is going to be pseudo-Mach-II.

What about creating a preEvent plugin that can compare the current event name to your defined event names in the config(s)? If it isn't found, 404 time.

On Thu, Mar 8, 2012 at 9:42 AM, Dave Shuck <[email protected]> wrote:
> We are working on getting an app certified in a large corporate
> environment and they are currently running a battery of IBM security scans
> at it. A real sticking point for the testers appears to be that they can run
> something like this:
>
> (where 'go' is the event param)
>
> *oursite.com/index.cfm/go/someevent/admin/dobadstuff.cgi*
>
> When they do this, they are obviously creating an event arg named "admin"
> with a value of "dobadstuff.cgi". They are up in arms that this returns a
> status 200 and would encourage attackers to continue attacking. We have
> been given a huge report that essentially consists of bad URLs (good events
> with params attached to them) that produce 200 status codes. Trying to
> manage a "bad word" list could prove tiresomely cumbersome, and I would
> imagine that each new test could give us new words to add.
>
> Alternatively, we could go back through our HUGE application, and for each
> event, define a list of acceptable arguments that could be passed. This is
> a nightmarish possibility as well. In addition to the awkward nature of
> it, the unnecessary processing, the maintenance issues, it would all have
> to go back through QC testing again, which is truly months' worth of effort
> by the QC group.
>
> I have made the case that there is no actual vulnerability here, but
> (much like our education system!) we are subject to passing the test
> without actual regard to the merits of the content.
>
> I would love to hear some thoughts on this if anyone has any.
>
> @dshuck
>
> --
> To post to this group, send email to
> [email protected]
> For more options and to unsubscribe, visit this group at
> http://groups.google.com/group/mach-ii-for-coldfusion?hl=en
>
> SVN: http://svn.mach-ii.com/machii/
> Wiki / Documentation / Tickets: http://trac.mach-ii.com/machii/

-- 
/*
 * Aaron Lynch
 *
 * http://aaronjlynch.com
 * http://twitter.com/alynch
 */
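The two checks discussed in this thread, Aaron's "is the event defined at all" test and Dave's per-event list of acceptable arguments, as an added example that is not part of the thread and not Mach-II code: a small Python model of the routing decision on an SES-style path such as `/go/someevent/admin/dobadstuff.cgi`. A real implementation would live in a Mach-II preEvent plugin, whose API is not shown here. The event param name `go`, the event names, their allowed argument names, and the treatment of a dangling path segment (kept as a name with an empty value) are all assumptions for the example.

```python
from urllib.parse import unquote

# Constructed configuration standing in for the events the app actually
# defines and, per event, the argument names it is willing to accept.
EVENT_PARAM = "go"
ALLOWED_ARGS = {
    "someevent": {"id", "page"},
    "login": {"returnTo"},
}


def parse_ses_path(path_info):
    """Split '/go/someevent/admin/dobadstuff.cgi' into ordered (name, value) pairs.

    Segments are taken two at a time; a trailing name with no value is kept
    with an empty value (assumption about how the router would treat it).
    """
    segments = [unquote(s) for s in path_info.strip("/").split("/") if s != ""]
    pairs = []
    for i in range(0, len(segments), 2):
        name = segments[i]
        value = segments[i + 1] if i + 1 < len(segments) else ""
        pairs.append((name, value))
    return pairs


def dispatch(path_info, allowed_args=ALLOWED_ARGS, event_param=EVENT_PARAM):
    """Decide the HTTP status for a request before any handler runs.

    Returns (status, event, args):
      404 if no event param is present or the event is not defined
          (the preEvent check suggested above), or if the request carries
          an argument the event does not declare (the per-event allow-list).
      200 otherwise, with the parsed args ready for the event handler.
    """
    event = None
    args = {}
    for name, value in parse_ses_path(path_info):
        if name == event_param:
            event = value
        else:
            args[name] = value  # later duplicates overwrite earlier ones

    if event is None or event not in allowed_args:
        return 404, event, args

    unexpected = set(args) - allowed_args[event]
    if unexpected:
        # A good event with a bogus argument bolted on: refuse rather than
        # answer 200 and invite the scanner to keep probing.
        return 404, event, args

    return 200, event, args


if __name__ == "__main__":
    for path in ("/go/someevent/id/42",
                 "/go/someevent/admin/dobadstuff.cgi",
                 "/go/nosuchevent",
                 "/go/someevent/admin"):
        print(path, "->", dispatch(path))
```

The allow-list is the part that actually changes the scanner's result: with only the "is the event defined" check, `/go/someevent/admin/dobadstuff.cgi` still resolves to a valid event and still returns 200, because the extra segments become arguments rather than changing the event. Both checks are cheap set lookups, so the cost per request is negligible; the real cost is the one Dave names, building and maintaining the per-event lists.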
