I have mitigated a few of the issues but am really struggling with some basic 
XSS prevention in the system.

Why don't we have encodeForHTML() as we have encodeForHTMLAttribute() in 
OpenBD? What other ways can we use in place of encodeForHTML()?

I tried the Java OWASP ESAPI library (example here: 
http://boncode.blogspot.in/2011/12/cf-setting-up-owasp-esapi-library-for.html) 
but it gives the error:

.encoder.encodeForHTML(com.naryx.tagfusion.cfm.parser.CFFunctionExpression@734c8325) doesn't exist.

Or, if you know how to get the scriptprotect option to work, that would be a 
real help.

Kind regards,

Lee


On Saturday, November 12, 2016 at 3:54:22 AM UTC, Al Holden wrote:
>
> Hi Lee,
>
> As I recall, the OpenBD Admin project was a separate labor of love headed 
> up by Matt Woodward, who I met at a CFOPEN conference in Texas many years 
> ago.
>
> Much like the ACF Admin tools, the project's purpose was simply to help 
> craft the /WEB-INF/bluedragon/bluedragon.xml file and some of the JDBC 
> connection strings by way of a GUI. But once that work has been done, the 
> folders /adminapi and /administrator could probably be entirely removed 
> from the project in production without consequence.
>
> The one security issue I'm aware of is that the /adminapi folder could be 
> *browsed* or *accessed* from the public *without* being logged in (
> foundeo.com/hack-my-cf/). While I have been able to reproduce the former 
> in a test environment, I haven't been able to do either on our production 
> system. I get 403 Forbidden, although I'm not a professional hack.
>
> Al Holden
>
>
> On 11/11/2016 12:15 PM, Lee Fortnam wrote:
>
> Hi All, 
>
> Just wondering if anyone has any pearls of wisdom to secure OpenBD 3.1 in 
> a production environment?
>
> Apparently there is a well-known CFM Admin hack that is a vulnerability, 
> and I am keen to lock it down as much as possible.
>
> If anyone has a standard setup that could be shared that would be amazing.
>
> Kind Regards,
>
> Lee
> -- 
> -- 
> online documentation: http://openbd.org/manual/
> http://groups.google.com/group/openbd?hl=en
>
> --- 
> You received this message because you are subscribed to the Google Groups 
> "Open BlueDragon" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected] <javascript:>.
> For more options, visit https://groups.google.com/d/optout.
>
>
>

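An added example (not code from this thread, from the ESAPI post Lee links, or from OpenBD itself) of one way to cover the HTML-body context when the engine only ships encodeForHTMLAttribute(): a small user-defined encoder that turns the characters that are significant in HTML text content into entities, shown beside an encodeForHTMLAttribute() call for the attribute context, since the two contexts need different encoders. The function name encodeForHTMLBody, the sample untrusted string, and the assumption that replace() and cfoutput behave as in standard CFML are mine.

```cfml
<!--- Added example, not OpenBD's own code: an HTML-body encoder for pages
      where encodeForHTML() is not available. Assumes standard CFML
      replace(string, substring, replacement, "all") semantics. --->
<cfscript>
function encodeForHTMLBody(input) {
    var out = arguments.input;
    // "&" must be handled first; otherwise the "&" produced by the other
    // replacements would itself be re-encoded (double encoding).
    out = replace(out, "&", "&amp;", "all");
    out = replace(out, "<", "&lt;", "all");
    out = replace(out, ">", "&gt;", "all");
    out = replace(out, '"', "&quot;", "all");
    // Single quote and slash are not needed for a well-formed text node,
    // but encoding them removes the breakout characters an attacker relies
    // on if the value is later reused in a context it was not meant for.
    // "##" is how a literal "#" is written inside a CFML string.
    out = replace(out, "'", "&##x27;", "all");
    out = replace(out, "/", "&##x2F;", "all");
    return out;
}

// Constructed sample input (not from the thread): a typical XSS probe
// that tries to break out of both a text node and an attribute value.
untrusted = "<script>alert('x')</script><img src=x onerror=""alert(1)"">";
</cfscript>

<cfoutput>
  <!--- HTML body context: text between tags. Use the body encoder. --->
  <p>You searched for: #encodeForHTMLBody(untrusted)#</p>

  <!--- HTML attribute context: the engine's own attribute encoder is the
        right tool here; the body encoder is not a substitute for it. --->
  <input type="text" name="q" value="#encodeForHTMLAttribute(untrusted)#">
</cfoutput>
```

The rule this illustrates is that output encoding is chosen per context: a value rendered between tags, inside a quoted attribute, inside a JavaScript string, or inside a URL each needs its own encoder, and an attribute encoder used for the body (or the reverse) leaves gaps. If your OpenBD build exposes the classic CFML htmlEditFormat() function, it covers &, <, > and the double quote but not the single quote, which is why the user-defined function above encodes that one explicitly.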
