Thanks for the good advice Doug and Buddy!

Flex seemed too heavy for what I was doing, so I decided to try out the CF8/Ajax stuff. There's still a learning curve as I had to know something about the underlying JavaScript framework. Fortunately, I found a good article on devnet that really helped.

I have one remaining problem to solve in my adventure with CF/Ajax. The CFCs have to have access=remote. But, this means anyone can access the methods. What I built is a master/detail, CRUD thing for administering users. So, I obviously don't want some unauthorized person deleting my users or
All access must be authorized. Only expose those methods required by the external system.

Your CFC methods are performing authorization already, aren't they? ;-) If not, now is a great time to add appropriate authorization controls to your system before exposing such APIs.
-dhs
Dean
This is actually one of the biggest security problems on the internet right now, unprotected web services, remoting services, AJAX services. You can actually solve this a number of different ways. You might check out the Securing Web Services section in the docs first:
That is a really good question and I'm curious about the input from the group. Maybe use permissions on a webserver/file level? All legit requests would be coming from localhost/127.0.0.1/server's IP address, right?
/m
> But, what's the best way to give access to my valid

CFM pages with Ajax

Wouldn't AJAX requests be coming from the user's web browser IP?
On Mon, Jul 21, 2008 at 10:52 AM, Mischa Uppelschoten ext 10 [EMAIL PROTECTED] wrote:
> That is a really good question and I'm curious about the input from the group. Maybe use permissions on a webserver/file level? All legit
Duh! I meant to write local subnet.
http://www.cfwhisperer.com/post.cfm/urgent-sql-injection-attack-vulnerability
DK
--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
Funny that this came about 6 weeks ago and prompted MS and HP (SPIDynamics) to release some tools... and now it's coming out again in the CF blogosphere.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
What difference does it make to the dead, the orphans, and the homeless, whether the
cfqueryparam or cfstoredproc will naturally prevent this, but you should also be logging these attack attempts to monitor the activity. Portcullis (portcullis.riaforge.org), a cfc filter, can do this. An even better option is to implement a web application firewall.
John Mason
[EMAIL PROTECTED]
cfstoredproc will *not* prevent SQL injection. Stored procs are not magically immune, they too may be subject to SQL injection in the SP code itself. So the problem has moved from CF to the DB itself. Make sure you write your stored procs with protection from SQLi, as well.
-dhs
Dean
True... there again it depends on how you write the stored proc. I stand corrected :)
John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting
Now offering VPS Plans running with VMware technology
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion
It's a pretty fine point, to be sure, but important to note. I have seen many people who claim to be immune to SQLi due to the use of stored procs wind up regretting their bravado when tested.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
Great spirits have often encountered violent
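The cfqueryparam / cfstoredproc exchange above, as an added example that is not code from anyone in this thread. It is a constructed CFC in CF8 tag syntax; `application.dsn`, the `users` table and its columns, the session fields, and the procedure name `usp_deactivate_user` are all assumptions. It shows a bound-parameter query, how a typed cfqueryparam gives you a concrete event to log (John's point), and why a cfstoredproc call protects only the call and not the procedure body (Dean's point):

```cfml
<!--- UserDAO.cfc (constructed example, not from the thread) --->
<cfcomponent output="false">

    <!--- cfqueryparam sends the value as a bound parameter, so a quote or a
          comment marker inside username cannot change the statement. Compare
          the form it replaces, WHERE username = '#arguments.username#', where
          the value is pasted into the SQL text itself. --->
    <cffunction name="getUserByName" access="public" returntype="query" output="false">
        <cfargument name="username" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="#application.dsn#">
            SELECT user_id, username, email
            FROM   users
            WHERE  username = <cfqueryparam value="#arguments.username#" cfsqltype="cf_sql_varchar" maxlength="50">
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- A typed parameter also gives you something to log: a non-numeric
          userId is rejected by cfqueryparam before any SQL reaches the
          database, and that rejection is the attempt worth recording.
          (userId is typed string on purpose so the rejection lands inside cftry.) --->
    <cffunction name="getUserById" access="public" returntype="query" output="false">
        <cfargument name="userId" type="string" required="true">
        <cfset var q = "">
        <cftry>
            <cfquery name="q" datasource="#application.dsn#">
                SELECT user_id, username, email
                FROM   users
                WHERE  user_id = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">
            </cfquery>
            <cfcatch type="any">
                <!--- This also catches genuine database errors; cfcatch.message
                      distinguishes the two when you review the log. --->
                <cflog file="security" type="warning"
                       text="Rejected query input '#left(arguments.userId, 100)#' from #cgi.remote_addr# (#cfcatch.message#)">
                <cfrethrow>
            </cfcatch>
        </cftry>
        <cfreturn q>
    </cffunction>

    <!--- cfstoredproc with cfprocparam is just as safe on the CF side, but it
          only protects the call. If usp_deactivate_user (assumed name) builds
          its own SQL by concatenating the parameter value and EXECs it, the
          injection point has moved into the procedure, which is the warning
          given above. The procedure body needs parameterised SQL too. --->
    <cffunction name="deactivateUser" access="public" returntype="void" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfstoredproc procedure="usp_deactivate_user" datasource="#application.dsn#">
            <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#arguments.userId#">
        </cfstoredproc>
    </cffunction>

</cfcomponent>
```

The log file written by cflog ends up under the ColdFusion logs directory as `security.log`; reviewing it for repeated rejections from one address is the monitoring step the thread recommends, independent of whatever a web application firewall adds in front.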
Thanks all for your suggestions!
Cameron, you mentioned sessions will be available in both your CFM pages and CFCs as long as they share a common Application.cfc file. So, you'd put the CFC in the same directory as the CFM?

And, if I did that, the request for the CFC would still cause an
Clarke,
Sounds like you have a partially complete authorization model. What you might be missing is authorization to individual data elements. So when the user attempts to edit a user, does the system verify that he not only has permission to edit a user, but permission to edit *this
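Putting the thread's advice together (only the needed methods are remote, every remote method authorizes, and authorization reaches down to the individual record), here is an added example in CF8 tag syntax. It is constructed for this thread, not Clarke's code or Dean's; `application.dsn`, the `session.user` fields (`loggedIn`, `permissions`, `accountId`) and a `users.account_id` column are assumptions. The Application.cfc is shown because the CFM pages and the CFC only share a session scope when they run under the same application name, the point Cameron is quoted on above:

```cfml
<!--- Application.cfc (constructed): the CFM pages and the CFC sit under the
      same application name, so they share one session scope. --->
<cfcomponent output="false">
    <cfset this.name = "UserAdmin">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
</cfcomponent>

<!--- UserService.cfc (constructed). Only deleteUser is access="remote";
      the two checks are private, so they are never callable from outside. --->
<cfcomponent output="false">

    <!--- Function-level check: is there a logged-in session, and does it hold
          the named permission? session.user.permissions is assumed to be a
          comma-delimited list filled in by the login page. --->
    <cffunction name="requirePermission" access="private" returntype="void" output="false">
        <cfargument name="permission" type="string" required="true">
        <cfif NOT structKeyExists(session, "user") OR NOT session.user.loggedIn>
            <cfthrow type="Security.NotAuthenticated" message="Login required">
        </cfif>
        <cfif NOT listFindNoCase(session.user.permissions, arguments.permission)>
            <cfthrow type="Security.NotAuthorized" message="Missing permission #arguments.permission#">
        </cfif>
    </cffunction>

    <!--- Record-level check: the caller may only touch users in the caller's
          own account (assumed data model: users.account_id). --->
    <cffunction name="ownsUser" access="private" returntype="boolean" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="#application.dsn#">
            SELECT 1 AS found
            FROM   users
            WHERE  user_id    = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">
            AND    account_id = <cfqueryparam value="#session.user.accountId#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q.recordCount EQ 1>
    </cffunction>

    <!--- Remote entry point used by the Ajax master/detail page. Because it is
          remote, anyone who can reach the server can call it, so both checks
          run on every call regardless of what the browser UI allowed. --->
    <cffunction name="deleteUser" access="remote" returntype="struct" returnformat="json" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfset var result = structNew()>
        <cfset result.success = false>
        <cftry>
            <cfset requirePermission("user.delete")>
            <cfif NOT ownsUser(arguments.userId)>
                <cfthrow type="Security.NotAuthorized" message="User #arguments.userId# is not in your account">
            </cfif>
            <cfquery datasource="#application.dsn#">
                DELETE FROM users
                WHERE user_id = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">
            </cfquery>
            <cfset result.success = true>
            <!--- cfcatch type="Security" matches both Security.NotAuthenticated
                  and Security.NotAuthorized. Log the refusal with the client
                  address: a run of refusals from one session is worth a look. --->
            <cfcatch type="Security">
                <cflog file="security" type="warning"
                       text="#cfcatch.type#: #cfcatch.message# (deleteUser, ip=#cgi.remote_addr#)">
                <cfheader statuscode="403" statustext="Forbidden">
                <cfset result.message = "Not allowed">
            </cfcatch>
        </cftry>
        <cfreturn result>
    </cffunction>

</cfcomponent>
```

The two private checks are the answer to the question the last message raises: `requirePermission` covers "may this user delete users at all", and `ownsUser` covers "may this user delete *this* user". The Ajax page calling `UserService.cfc?method=deleteUser&userId=42` gets the same two checks whether the request came from the page's own JavaScript or from someone typing the URL, which is what makes the source IP idea discussed earlier unnecessary.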