[KCFusion] Weird problem
I've got a very peculiar problem. I have Windows 2000 with ColdFusion MX. So far I've only loaded a couple of clients on this new box. My problem is the mappings are getting totally jacked up. Here's the CF file: cfinclude template=./includes/header.inc.cfm cfset build_menu = no cfinclude template=/CMSBuilder/pagebuild.cfm cfinclude template=./includes/footer.inc.cfm This file should (in theory) get the c:\web\mywebsite-com\includes\ headers and footers. Unfortunately, as soon as I start IIS, whichever web site gets there first (pulled up) then becomes the one that will display that header/footer combo. WHY? Previously on my other box under CF4.5 it worked perfectly. It's like whatever site gets picked up first gets that header/footer compiled and then left in memory ? ? ? ? ? Does that make sense ? ? ?
[KCFusion] mail archive
The mail archive does not appear to be working. A.
Re: [KCFusion] Weird problem
Actually -- just asked this question on the DevMX list and got a fast response: To: [EMAIL PROTECTED] From: Todd [EMAIL PROTECTED] In-Reply-To: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: multipart/alternative; boundary==_61532312==.ALT Subject: Re: [mxdev] Coldfusion MX question Yup, you have a multi-homing issue. Do you have CFMX 6.1 yet? If not, you'll have to dig into an XML file (http://blog.web-rat.com/archives/20.cfm) - If you do have CFMX 6.1, goto Caching in the CFAdmin and make sure that Cache Web Server Path is unchecked. ~Todd __ The KCFusion.org list and website is hosted by Humankind Systems, Inc. List Archives http://www.mail-archive.com/[EMAIL PROTECTED] Questions, Comments or Glowing Praise.. mailto:[EMAIL PROTECTED] To Subscribe mailto:[EMAIL PROTECTED] To Unsubscribe mailto:[EMAIL PROTECTED]
Re: [KCFusion] security question
Ok wait. I have not thought this all the way though I think. The kind of attack was thinking of was where a hostile user taped the stream mid flow. Somehow between the end user and the server. Since the pages are encrypted with https then they (the hostile) should not be able to do anything yes? An if the bandit has the users authentication information then there really is not much you can do no? You know for a meeting idea I'd really like to hear what the big boys are doing security wise. All the books I have the security is pretty lame and basic. A. - Original Message - From: Luke Templin To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:05 AM Subject: RE: [KCFusion] security question You may want to do everything through a stored procedure(s). As part of that stored procedure you could create multiple sql queries one of which can be an audit trail. Another way is to present the material to be deleted as a table with a checkbox for each row.Then have the user select each individual record. Pass the information to a cftag that does the delete. this reduces the opportunity for a user to randomly type anything in and allows you to implement a validation routine. Another item to explore is to use the https if security is a concern. Can't say I have experience with it but given your description that might be a method to investigate. -Original Message-From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]Sent: Tuesday, August 12, 2003 10:54 AMTo: [EMAIL PROTECTED]Subject: Re: [KCFusion] security question Oh and just to elemenate confusion Im trying to come up with a SAFE method..not a save method. A. - Original Message - From: Adaryl Wakefield To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 10:48 AM Subject: Re: [KCFusion] security question Im sorry I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted ina hidden form field but if you can alter the info sent in a post request (and I think I read somewhere that you could) then that measure is kinda lame too. the best I've got so far is that the user can only delete those tuples that are related to their login. A. - Original Message - From: Bruce Dunwiddie To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:33 AM Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adaryl WakefieldSent: Monday, August 11, 2003 1:44 PMTo: [EMAIL PROTECTED]Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.
[KCFusion] security question
Is is possible to alter the information that is sent in the headers of a POST request? A.
Re: [KCFusion] security question
Im sorry I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted ina hidden form field but if you can alter the info sent in a post request (and I think I read somewhere that you could) then that measure is kinda lame too. the best I've got so far is that the user can only delete those tuples that are related to their login. A. - Original Message - From: Bruce Dunwiddie To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:33 AM Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adaryl WakefieldSent: Monday, August 11, 2003 1:44 PMTo: [EMAIL PROTECTED]Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.
RE: [KCFusion] security question
Are you asking how this can be done, or just whether this can be done?Are you trying to alter your data, or just assure a customer that their data is safe? -Original Message-From: Bruce Dunwiddie [mailto:[EMAIL PROTECTED]Sent: Tuesday, August 12, 2003 11:34 AMTo: [EMAIL PROTECTED]Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Adaryl WakefieldSent: Monday, August 11, 2003 1:44 PMTo: [EMAIL PROTECTED]Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.
RE: [KCFusion] security question
Well the checking in the database to make sure that the user is allowed to delete that record is a good step to leave in. As for the rest, I'd probably recommend passing an encrypted value of the record to delete along with the record id itself, so you can verify that they haven't just changed the id, and it won't matter if they can get access to the hidden encrypted value because they won't be able to submit the proper encrypted version to pass the validation. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kory Bakken Sent: Tuesday, August 12, 2003 9:54 AM To: [EMAIL PROTECTED] Subject: RE: [KCFusion] security question Adaryl: Yes, if a person has IEBoster (http:// www.paessler.com/IEB http://www.paessler.com/IEB ) running on their machine, hidden form fields are just a right-click away. You'd be better off putting a ACTIVE field in any table that you are going to allow users to delete from. That could inactivate the record, then you could manually review the deletes before committing any of them. That's my 2 cents. Kory -Original Message- From: Adaryl Wakefield [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 10:48 AM To: [EMAIL PROTECTED] Subject: Re: [KCFusion] security question Im sorry I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted in a hidden form field but if you can alter the info sent in a post request (and I think I read somewhere that you could) then that measure is kinda lame too. the best I've got so far is that the user can only delete those tuples that are related to their login. A. - Original Message - From: Bruce Dunwiddie mailto:[EMAIL PROTECTED] To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:33 AM Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message- From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [ mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] ]On Behalf Of Adaryl Wakefield Sent: Monday, August 11, 2003 1:44 PM To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A. attachment: winmail.dat
RE: [KCFusion] security question
I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Adaryl WakefieldSent: Monday, August 11, 2003 1:44 PMTo: [EMAIL PROTECTED]Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.
RE: [KCFusion] security question
You may want to do everything through a stored procedure(s). As part of that stored procedure you could create multiple sql queries one of which can be an audit trail. Another way is to present the material to be deleted as a table with a checkbox for each row.Then have the user select each individual record. Pass the information to a cftag that does the delete. this reduces the opportunity for a user to randomly type anything in and allows you to implement a validation routine. Another item to explore is to use the https if security is a concern. Can't say I have experience with it but given your description that might be a method to investigate. -Original Message-From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]Sent: Tuesday, August 12, 2003 10:54 AMTo: [EMAIL PROTECTED]Subject: Re: [KCFusion] security question Oh and just to elemenate confusion Im trying to come up with a SAFE method..not a save method. A. - Original Message - From: Adaryl Wakefield To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 10:48 AM Subject: Re: [KCFusion] security question Im sorry I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted ina hidden form field but if you can alter the info sent in a post request (and I think I read somewhere that you could) then that measure is kinda lame too. the best I've got so far is that the user can only delete those tuples that are related to their login. A. - Original Message - From: Bruce Dunwiddie To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:33 AM Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adaryl WakefieldSent: Monday, August 11, 2003 1:44 PMTo: [EMAIL PROTECTED]Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.
RE: [KCFusion] security question
Adaryl: Yes,if a person has IEBoster (http://www.paessler.com/IEB)running on their machine, hidden form fields are just a right-click away. You'd be better off putting a "ACTIVE" field in any table that you are going to allow users to delete from. That could inactivate the record, then you could manually review the deletes before committing any of them. That's my 2 cents. Kory -Original Message-From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]Sent: Tuesday, August 12, 2003 10:48 AMTo: [EMAIL PROTECTED]Subject: Re: [KCFusion] security question Im sorry I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted ina hidden form field but if you can alter the info sent in a post request (and I think I read somewhere that you could) then that measure is kinda lame too. the best I've got so far is that the user can only delete those tuples that are related to their login. A. - Original Message - From: Bruce Dunwiddie To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:33 AM Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adaryl WakefieldSent: Monday, August 11, 2003 1:44 PMTo: [EMAIL PROTECTED]Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.
Re: [KCFusion] security question
Oh and just to elemenate confusion Im trying to come up with a SAFE method..not a save method. A. - Original Message - From: Adaryl Wakefield To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 10:48 AM Subject: Re: [KCFusion] security question Im sorry I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted ina hidden form field but if you can alter the info sent in a post request (and I think I read somewhere that you could) then that measure is kinda lame too. the best I've got so far is that the user can only delete those tuples that are related to their login. A. - Original Message - From: Bruce Dunwiddie To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:33 AM Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adaryl WakefieldSent: Monday, August 11, 2003 1:44 PMTo: [EMAIL PROTECTED]Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.
RE: [KCFusion] security question
Yes, https will basically eliminate the possibility of someone in the middle doing a malicious attack, but the best thing is to secure all the layers seperately, so if someone does get past what you might think would be the https secure layer, there's still other measures in place to catch them. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Adaryl WakefieldSent: Tuesday, August 12, 2003 10:24 AMTo: [EMAIL PROTECTED]Subject: Re: [KCFusion] security question Ok wait. I have not thought this all the way though I think. The kind of attack was thinking of was where a hostile user taped the stream mid flow. Somehow between the end user and the server. Since the pages are encrypted with https then they (the hostile) should not be able to do anything yes? An if the bandit has the users authentication information then there really is not much you can do no? You know for a meeting idea I'd really like to hear what the big boys are doing security wise. All the books I have the security is pretty lame and basic. A. - Original Message - From: Luke Templin To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:05 AM Subject: RE: [KCFusion] security question You may want to do everything through a stored procedure(s). As part of that stored procedure you could create multiple sql queries one of which can be an audit trail. Another way is to present the material to be deleted as a table with a checkbox for each row.Then have the user select each individual record. Pass the information to a cftag that does the delete. this reduces the opportunity for a user to randomly type anything in and allows you to implement a validation routine. Another item to explore is to use the https if security is a concern. Can't say I have experience with it but given your description that might be a method to investigate. -Original Message-From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]Sent: Tuesday, August 12, 2003 10:54 AMTo: [EMAIL PROTECTED]Subject: Re: [KCFusion] security question Oh and just to elemenate confusion Im trying to come up with a SAFE method..not a save method. A. - Original Message - From: Adaryl Wakefield To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 10:48 AM Subject: Re: [KCFusion] security question Im sorry I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted ina hidden form field but if you can alter the info sent in a post request (and I think I read somewhere that you could) then that measure is kinda lame too. the best I've got so far is that the user can only delete those tuples that are related to their login. A. - Original Message - From: Bruce Dunwiddie To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:33 AM Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adaryl WakefieldSent: Monday, August 11, 2003 1:44 PMTo: [EMAIL PROTECTED]Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.
[KCFusion] ÊýÂ뾫ƷÓŻݴÙÏú£¡
Title: Http://www.waheng.com ECP-31U 30 1/3VGA CMOS 30 fps 19.7 ~ (0.5m ~ ) F2.8 43mm USB Windows 95/98/Me/2000/XP 640x480 82*48*48mm 138.00 TDC-3230 30 1/3VGA CMOS 30 fps 19.7 ~ (0.5m ~ ) F2.8 43mm USB 64MBit SDram10 7600 208 65*54*16mm 208.00 TDC-13030 130 1/3VGA CMOS 30 fps 19.7 ~ (0.5m ~ ) F2.8 43mm USB Windows 95/98/Me/2000/XP USB64MBit SDram 10 2AA600 / 208 112*62*40mm 388.00 CP0981.4'TFT130 130 1/3VGA CMOS 30 fps 1.4'TFT2 USBCF 104AA 500 / CF 110*70*50mm 580.00 E Tel:0755-82312318,82191872 FAX:0755-82312277
Re: [KCFusion] security question
Thats what I thought. Manually deleteing them does not exactly bring a smile to my face but it is feasable for us. But what about larger companies with like a gazillion records. Unless your telling me that they just have tons of minimum wage people that all they do all day is delete records. A. - Original Message - From: Kory Bakken To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 10:54 AM Subject: RE: [KCFusion] security question Adaryl: Yes,if a person has IEBoster (http://www.paessler.com/IEB)running on their machine, hidden form fields are just a right-click away. You'd be better off putting a "ACTIVE" field in any table that you are going to allow users to delete from. That could inactivate the record, then you could manually review the deletes before committing any of them. That's my 2 cents. Kory -Original Message-From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]Sent: Tuesday, August 12, 2003 10:48 AMTo: [EMAIL PROTECTED]Subject: Re: [KCFusion] security question Im sorry I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted ina hidden form field but if you can alter the info sent in a post request (and I think I read somewhere that you could) then that measure is kinda lame too. the best I've got so far is that the user can only delete those tuples that are related to their login. A. - Original Message - From: Bruce Dunwiddie To: [EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 11:33 AM Subject: RE: [KCFusion] security question I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adaryl WakefieldSent: Monday, August 11, 2003 1:44 PMTo: [EMAIL PROTECTED]Subject: [KCFusion] security question Is is possible to alter the information that is sent in the headers of a POST request? A.