Re: Displaying flash on a site where script protect is enabled?
> Many thanks for the response. In our case, we have portcullis and some
> other filters built into the system, so my hope is that we are secure.

If one user is able to inject commands to run client-side executable code, and those commands get executed when another user views the content created by the first user, your site contains an XSS vulnerability.

> Perhaps script protect is not adding a lot. Since we use a web editor in
> a number of places in our system, my ideal scenario would probably be to
> enable super user admins to use tags like to display flash on a
> page but restrict it in other scenarios where there might be more risk
> (e.g. on the front end of a web site).
> How would you handle that kind of requirement? Would script protect be
> part of it?

If you're able to completely trust authenticated users not to do malicious things, you don't need to worry about XSS vulnerabilities, I guess.

The problem with SCRIPTPROTECT is that it's fairly easy to bypass. I recommend you read this:

http://www.12robots.com/index.cfm/2010/3/1/A-warning-about-ColdFusions-scriptProtect

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353120
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Displaying flash on a site where script protect is enabled?
Hi Dave,

Many thanks for the response. In our case, we have portcullis and some other filters built into the system, so my hope is that we are secure. Perhaps script protect is not adding a lot.

Since we use a web editor in a number of places in our system, my ideal scenario would probably be to enable super user admins to use tags like to display flash on a page but restrict it in other scenarios where there might be more risk (e.g. on the front end of a web site).

How would you handle that kind of requirement? Would script protect be part of it?

Nick

> From: Dave Watts
> To: cf-talk
> Date: Fri, 9 Nov 2012 12:50:36 -0500
> Subject: Re: Displaying flash on a site where script protect is enabled?
>
> [Dave's reply quoted in full; it is the same message reproduced below.]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353113
Re: Displaying flash on a site where script protect is enabled?
> I know this has been discussed before but I'm not finding a clear answer
> online to the question of whether it is possible to use flash on a site
> where the script protect / invalidtag feature has been turned on.

Yes, you certainly can use Flash with SCRIPTPROTECT. The two are not really related. All SCRIPTPROTECT does is examine data from the browser to see if it contains client-side executable functionality.

> We would like to keep this security feature turned on generally, but if
> that means that it is not possible for clients to put flash files on their
> pages in our CMS, that is a pretty steep trade off. Are there ways around
> this?

Not really. If you want people to be able to put client-side executable content in HTML pages, that defeats the purpose of using SCRIPTPROTECT. You could write a CMS widget to accept parameters from the client and have that build a snippet of HTML that uses those parameters with Flash Player, though.

> Also, our experience is that some older pages that have flash working -
> presumably from before the script protect feature was turned on - are still
> working fine (despite having script protect on). So, that is a bit of a
> surprise.

That should not be a surprise. Again, all SCRIPTPROTECT does is limit the ability of users to upload data that could later execute in another user's browser. You might want to read a bit about XSS vulnerabilities to see what it's supposed to protect you against. All that said, SCRIPTPROTECT only provides limited protection against those vulnerabilities.

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353108
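An added example of the widget approach Dave suggests above (accept parameters from the client, build the Flash markup on the server). This is not code from the thread, from Nick's CMS, or from Adobe. It assumes ColdFusion 10 or later (for encodeForHTMLAttribute()), an assumed web-root directory /media/flash/ that only admins can upload .swf files into, and hypothetical names (FlashWidget, render). The point is that the form fields the admin submits (a file name, two integers, an optional flashvars string) contain no `<object` or `<embed`, so SCRIPTPROTECT leaves them alone, while the `<object>` markup itself is produced by trusted server code. Because the widget allow-lists and encodes its inputs, it does not depend on SCRIPTPROTECT catching anything, which is the right posture given how little it catches.

```cfml
<!--- FlashWidget.cfc (hypothetical name). Added example; not from the thread or from ColdFusion.
      Assumes CF10+ and that Application.cfc keeps scriptProtect on:
          this.scriptProtect = "all";
      The widget never needs raw markup from the browser, so the two do not conflict. --->
component {

    // Assumed layout: admin-uploaded SWFs live only here, under the web root.
    variables.swfWebDir = "/media/flash/";

    // Returns an <object> snippet for one SWF. Every input is checked against an
    // allow-list and then attribute-encoded; the caller never supplies markup.
    public string function render(
        required string swf,
        required numeric width,
        required numeric height,
        string flashVars = ""
    ) {
        var src  = "";
        var html = "";

        // 1. The SWF is a bare file name: no path separators, no "..", no URL scheme,
        //    so an editor cannot point the player at a SWF hosted somewhere else.
        if (!reFind("^[A-Za-z0-9_-]+\.swf$", arguments.swf)) {
            throw(type="FlashWidget.InvalidSwf", message="swf must be a bare .swf file name");
        }
        src = variables.swfWebDir & arguments.swf;
        if (!fileExists(expandPath(src))) {
            throw(type="FlashWidget.MissingSwf", message="No such file: " & src);
        }

        // 2. Dimensions are bounded integers, not free-form strings that could carry quotes.
        if (!isValid("integer", arguments.width) || !isValid("integer", arguments.height)
            || arguments.width lt 1 || arguments.width gt 2000
            || arguments.height lt 1 || arguments.height gt 2000) {
            throw(type="FlashWidget.InvalidSize", message="width/height must be integers from 1 to 2000");
        }

        // 3. flashvars is a query string of plain tokens. Anything else is rejected
        //    outright rather than "cleaned": cleaning is what scriptProtect attempts,
        //    and an attacker only has to find the one pattern the cleaner misses.
        if (len(arguments.flashVars)
            && !reFind("^[A-Za-z0-9_]+=[A-Za-z0-9_.-]*(&[A-Za-z0-9_]+=[A-Za-z0-9_.-]*)*$", arguments.flashVars)) {
            throw(type="FlashWidget.InvalidFlashVars", message="flashvars must be key=value pairs of plain characters");
        }

        // 4. Build the markup server-side. Values are still encoded for the attribute
        //    context, so the output stays safe even if a check above is relaxed later.
        //    allowScriptAccess="never" stops the SWF from calling JavaScript in the host
        //    page; allowNetworking="internal" stops it from driving browser navigation.
        html = '<object type="application/x-shockwave-flash"'
             & ' data="' & encodeForHTMLAttribute(src) & '"'
             & ' width="' & int(arguments.width) & '"'
             & ' height="' & int(arguments.height) & '">'
             & '<param name="movie" value="' & encodeForHTMLAttribute(src) & '" />'
             & '<param name="allowScriptAccess" value="never" />'
             & '<param name="allowNetworking" value="internal" />';
        if (len(arguments.flashVars)) {
            html &= '<param name="flashvars" value="' & encodeForHTMLAttribute(arguments.flashVars) & '" />';
        }
        html &= '</object>';
        return html;
    }
}

<!--- Usage from the CMS page that renders the widget (form field names are assumed):
        <cfset widget = new FlashWidget()>
        <cfoutput>#widget.render(swf=form.swf, width=form.width, height=form.height,
                                 flashVars=form.flashvars)#</cfoutput>
      A non-numeric width or height fails the "required numeric" argument check before
      the function body runs; a bad file name or flashvars string throws from the
      checks above, so the page shows an error instead of emitting half-trusted markup. --->
```

For the front-end case Nick raises later in the thread (content from ordinary users, not super-user admins), the same widget is the only Flash path worth offering; free text from those users should be rendered through encodeForHTML() rather than trusted because SCRIPTPROTECT happened to let it through.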
Displaying flash on a site where script protect is enabled?
I know this has been discussed before but I'm not finding a clear answer online to the question of whether it is possible to use flash on a site where the script protect / invalidtag feature has been turned on.

We would like to keep this security feature turned on generally, but if that means that it is not possible for clients to put flash files on their pages in our CMS, that is a pretty steep trade off. Are there ways around this?

Also, our experience is that some older pages that have flash working - presumably from before the script protect feature was turned on - are still working fine (despite having script protect on). So, that is a bit of a surprise.

Any brilliant ideas?

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353106