FW: [KCFusion] Link to article about CF tips

2000-08-06 Thread Brian Kotek



-Original Message-
From: Brian Kotek [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 06, 2000 6:21 PM
To: Daryl Banttari
Subject: RE: [KCFusion] Link to article about CF tips


Can you be more specific...what do you disagree with?  If you are referring
to using FORM variables in your query, please note that the form value is
not a text input but a checkbox, where the user has no power to change the
form value.  If you are that concerned about someone posting malformed FORM
values you could always check the variable's contents prior to executing the
query.

You might also notice that I cover cross-site scripting and URL/FORM
variable hacking on its own page.

Other than that I can't see what you are concerned about.

Thanks,

Brian


-Original Message-
From: Daryl Banttari [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 05, 2000 2:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [KCFusion] Link to article about CF tips


> At 10:40 AM 8/4/2000 -0500, Keith Purtell wrote:
> In case you haven't already seen this article ...
>
> http://www.builder.com/Programming/ColdFusionTips/print.html

Wow... unless you've /seriously/ locked down your database permissions, I
wouldn't recommend many of those techniques at all!

See the Allaire Security Bulletin ASB99-04, "Multiple SQL Statements in
Dynamic Queries", at
http://www.allaire.com/handlers/index.cfm?ID=8728&Method=Full

Remember to second-guess any article you read.  In general, just because it
was a neat idea, doesn't necessarily mean it's a good idea.

Also remember that all generalizations are false ;-)

Daryl Banttari
Sr. Consultant
Allaire Consulting
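The pattern the two of them are arguing about, as an added example that is not code from the thread or from the builder.com article: a checkbox value spliced into a query, the forged submission Daryl has in mind, and the check Brian says one "could always" do, placed in the handler rather than left to the reader. Python's sqlite3 stands in for CFML and the site's database; the products table, the field name product_id and the forged value are all constructed for the demonstration.

```python
"""Added example, not code from the thread or the builder.com article.
A handler that splices a checkbox value into SQL, beside the check the
thread asks for.  sqlite3 stands in for CFML and the site's database;
the table, the field name and the forged value are constructed."""
import sqlite3

# The ids the server put into the checkboxes it rendered (assumed form).
RENDERED_CHECKBOX_IDS = {1, 2, 3}

# Constructed POST bodies: one a browser would send from the rendered form,
# one built by saving the page, editing the checkbox value and re-submitting.
HONEST_FORM = {"product_id": "2"}
FORGED_FORM = {"product_id": "2; DELETE FROM products"}


def make_db():
    """In-memory stand-in for the site's database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO products VALUES (1,'widget'),(2,'gadget'),(3,'gizmo');"
    )
    return conn


def product_count(conn):
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]


def lookup_unsafe(conn, form):
    """Article-style pattern: FORM.product_id goes straight into the SQL text.
    executescript() mimics a driver that runs stacked statements, the case
    ASB99-04 warns about.  Returns the SQL that was sent to the database."""
    sql = "SELECT name FROM products WHERE id = " + form["product_id"]
    conn.executescript(sql)
    return sql


def lookup_safe(conn, form):
    """The check done before the query runs: the value must be one of the ids
    the server rendered, and it is bound as a parameter rather than pasted
    into the SQL text.  Anything else is rejected, not cleaned up."""
    raw = form.get("product_id", "")
    if not raw.isdecimal() or int(raw) not in RENDERED_CHECKBOX_IDS:
        raise ValueError("unexpected product_id: %r" % raw)
    row = conn.execute(
        "SELECT name FROM products WHERE id = ?", (int(raw),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, FORGED_FORM))    # the DELETE rides along
    print("rows left:", product_count(db))   # 0
    db = make_db()
    print(lookup_safe(db, HONEST_FORM))      # gadget
    try:
        lookup_safe(db, FORGED_FORM)
    except ValueError as err:
        print("rejected:", err)
    print("rows left:", product_count(db))   # 3
```

executescript() is used only to mimic a driver that accepts stacked statements; sqlite3's execute() refuses them on its own, but that is a property of one driver, not of the handler. The allowlist check is what stops the handler trusting the form at all, and the bound parameter is what keeps the value out of the SQL text, whichever database sits behind it.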


 
 
__
The KCFusion.org list and website is hosted by Humankind Systems, Inc.
List Archives http://www.mail-archive.com/cf-list@kcfusion.org
Questions, Comments or Glowing Praise.. mailto:[EMAIL PROTECTED]
To Subscribe mailto:[EMAIL PROTECTED]
To Unsubscribe mailto:[EMAIL PROTECTED]
 



Fwd: RE: [KCFusion] Link to article about CF tips

2000-08-06 Thread Daryl Banttari


Date: Sun, 06 Aug 2000 18:55:41 -0500
To: "Brian Kotek" [EMAIL PROTECTED]
From: Daryl Banttari [EMAIL PROTECTED]
Subject: RE: [KCFusion] Link to article about CF tips

Brian,

It's not "users" I'm worried about.  A couple of weeks ago, I was 
reviewing code for a site where they passed the file name of a file to 
mail to a user in a hidden input field...  They said that since the user 
doesn't see that, they're safe, right?

I saved the HTML output to disk, made the action URL non-relative and 
specified a file /no user/ should be downloading, pulled up my local copy, 
and clicked submit.  They were quite surprised at the results.

A plague of the Web industry -- and ColdFusion code in particular -- is 
the lack of attention paid to security issues.  If I had a nickel for 
every time I see someone passing unchecked vars into forms, I wouldn't 
have to work :-)

I would have been much happier with your examples if they included the 
code to check the variables and ensure no form hacking has 
occurred.  Honestly, I consider posting examples this (powerful | 
dangerous) without including the code to make it safe [/in/ the example] 
rather irresponsible.  That way, when programmers not as clever as you 
copy and paste the code into their apps, it happens safely.

'If you are that concerned about someone posting malformed FORM values you 
could always check the variable's contents prior to executing the query.'
...All ColdFusion programmers should be 'that concerned'!

Please don't consider this a flame-- if we were meeting in person, I would 
be using the same tone of voice.  I'm /very/ concerned about the security 
problems left in ColdFusion code on a regular basis.  (It's giving 
ColdFusion a bad name in the security industry--  I've actually heard 
objections to using ColdFusion because of the security weaknesses 'in 
ColdFusion' when it's bad site programming to blame.)

Sincerely,

Daryl Banttari

At 06:20 PM 8/6/2000 -0400, Brian Kotek wrote:
Can you be more specific...what do you disagree with?  If you are referring
to using FORM variables in your query, please note that the form value is
not a text input but a checkbox, where the user has no power to change the
form value.  If you are that concerned about someone posting malformed FORM
values you could always check the variable's contents prior to executing the
query.

You might also notice that I cover cross-site scripting and URL/FORM
variable hacking on its own page.

Other than that I can't see what you are concerned about.

Thanks,

Brian


-Original Message-
From: Daryl Banttari [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 05, 2000 2:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [KCFusion] Link to article about CF tips


> At 10:40 AM 8/4/2000 -0500, Keith Purtell wrote:
> In case you haven't already seen this article ...
>
> http://www.builder.com/Programming/ColdFusionTips/print.html

Wow... unless you've /seriously/ locked down your database permissions, I
wouldn't recommend many of those techniques at all!

See the Allaire Security Bulletin ASB99-04, "Multiple SQL Statements in
Dynamic Queries", at
http://www.allaire.com/handlers/index.cfm?ID=8728&Method=Full

Remember to second-guess any article you read.  In general, just because it
was a neat idea, doesn't necessarily mean it's a good idea.

Also remember that all generalizations are false ;-)

Daryl Banttari
Sr. Consultant
Allaire Consulting
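The hidden-field case Daryl describes, as an added example that is not code from the thread or from the site he reviewed: one handler that opens whatever file name the hidden input carries, beside one that treats the field as untrusted input. It is written in Python rather than CFML; the directory layout, the file contents, the field names and the forged submission are all constructed for the demonstration.

```python
"""Added example, not code from the thread or the site Daryl reviewed.
Models the handler he describes: a hidden input names the file to mail
to the user.  The layout, file contents, field names and forged POST
body are constructed for the demonstration."""
import os
import tempfile

# Server-side table of what a user may request; the form carries only
# the key, never a file name.  (Constructed for the example.)
ATTACHMENTS = {"brochure": "brochure.txt"}

# Constructed POST bodies.  The forged one is what you get by saving the
# page, editing the hidden value and submitting from the local copy.
HONEST_FORM = {"filename": "brochure.txt", "attachment": "brochure"}
FORGED_FORM = {"filename": "../private/secrets.txt",
               "attachment": "../private/secrets.txt"}


def build_site():
    """Constructed layout: a public attachments directory beside a file
    no user should be downloading."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "attachments"))
    os.makedirs(os.path.join(root, "private"))
    with open(os.path.join(root, "attachments", "brochure.txt"), "w") as f:
        f.write("product brochure")
    with open(os.path.join(root, "private", "secrets.txt"), "w") as f:
        f.write("no user should be downloading this")
    return root


def read_attachment_unsafe(root, form):
    """The reviewed site's pattern: the hidden field names the file and
    nothing checks it, because 'the user doesn't see it'."""
    path = os.path.join(root, "attachments", form["filename"])
    with open(path) as f:
        return f.read()


def read_attachment_safe(root, form):
    """The hidden value only selects an entry from the server-side table,
    and the resolved path must still lie under the attachments directory
    (a second check in case the table is ever filled from user data)."""
    key = form.get("attachment", "")
    name = ATTACHMENTS.get(key)
    if name is None:
        raise ValueError("unknown attachment key: %r" % key)
    base = os.path.realpath(os.path.join(root, "attachments"))
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("attachment resolves outside %s" % base)
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    site = build_site()
    print(read_attachment_unsafe(site, FORGED_FORM))  # the private file
    print(read_attachment_safe(site, HONEST_FORM))    # product brochure
    try:
        read_attachment_safe(site, FORGED_FORM)
    except ValueError as err:
        print("rejected:", err)
```

The point is the same one Daryl makes about form variables in queries: a value the browser echoes back is the attacker's value, whether it came from a checkbox, a hidden input or the URL. Putting the mapping on the server means the form can carry nothing worth tampering with.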


 
 



Re: [KCFusion] Link to article about CF tips

2000-08-05 Thread Daryl Banttari

> At 10:40 AM 8/4/2000 -0500, Keith Purtell wrote:
> In case you haven't already seen this article ...
>
> http://www.builder.com/Programming/ColdFusionTips/print.html

Wow... unless you've /seriously/ locked down your database permissions, I 
wouldn't recommend many of those techniques at all!

See the Allaire Security Bulletin ASB99-04, "Multiple SQL Statements in
Dynamic Queries", at
http://www.allaire.com/handlers/index.cfm?ID=8728&Method=Full

Remember to second-guess any article you read.  In general, just because it
was a neat idea, doesn't necessarily mean it's a good idea.

Also remember that all generalizations are false ;-)

Daryl Banttari
Sr. Consultant
Allaire Consulting


 
 