[thelist] Website Database Security

Raymond Camden jedimaster at macromedia.com
Thu May 3 13:24:39 CDT 2001


Well, here is a mile-high overview...

1) Do you use URL parameters that are passed to other pages? if so, what
happens if someone removes/changes the parameter?
2) Do you use business rules to create an index, for example, press releases
that are marked as released? If so, can I change the URL parameter to point
to a valid PR but one that isn't released. (Idea is, if you do rule A on the
index page, you must apply it on the detail view page as well.)
3) Do you store the username/id in a cookie? What if I edit my cookie?

Basically it comes down to - don't trust input from the web. Always double
check.

CF-specific stuff detailed a particular server setting you should turn off.

I also mention +.htr and ::$DATA, or as I call them, the "Large Gaping
Security Holes from Hell".

In general, my presentation was on _code_ things you could do. Port crap and
stuff like that is more server level. Certainly that stuff is important,
probably _more_ important than code stuff, but people should cover
everything, know what I mean?

Anyway, I'll be sending the presentation to those who asked... I'm just
running a bit behind.

=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : jedimaster at macromedia.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]On Behalf Of Chris Johnston
> Sent: Thursday, May 03, 2001 1:54 PM
> To: thelist at lists.evolt.org
> Subject: RE: [thelist] Website Database Security
>
>
> I would love a copy. One question though, if it didn't cover closing ports
> and the like and it didn't cover web application mistakes, what did it
> cover?
>

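The three checks in the overview above (a URL parameter that can be removed or changed, a business rule applied on the index page but not on the detail page, and a user id stored in an editable cookie) are shown below as an added example. It is not code from the post or from the presentation it refers to, and it is written in Python rather than ColdFusion: the press-release table, the `is_visible` rule, the `COOKIE_SECRET` value and the function names are all constructed for illustration.

```python
import hmac
import hashlib
import re

# Constructed sample data standing in for a press-release table.
# Record 3 is valid but not yet released.
PRESS_RELEASES = {
    1: {"title": "Q1 results", "released": True},
    2: {"title": "Q2 results", "released": True},
    3: {"title": "Unannounced product", "released": False},
}

# Hypothetical server-side secret used to sign cookies (assumed value).
COOKIE_SECRET = b"constructed-secret-do-not-reuse"


def is_visible(pr):
    """The single business rule: only released items are visible.
    Index and detail views both call this, so rule A is applied in both places."""
    return pr["released"]


def index_page():
    """Index view: lists only the releases that pass the business rule."""
    return [(pr_id, pr["title"])
            for pr_id, pr in sorted(PRESS_RELEASES.items())
            if is_visible(pr)]


def parse_id(raw):
    """Validate the URL parameter: it must be present and a plain positive
    integer. Returns None for a missing, altered or non-numeric value."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)


def detail_page(query):
    """Detail view: re-applies the same rule as the index page, so a parameter
    pointing at a valid but unreleased record gets the same answer as a
    nonexistent one (404) instead of exposing the draft."""
    pr_id = parse_id(query.get("id"))
    if pr_id is None:
        return 400, "bad request"
    pr = PRESS_RELEASES.get(pr_id)
    if pr is None or not is_visible(pr):
        return 404, "not found"
    return 200, pr["title"]


def make_session_cookie(user_id):
    """Server issues 'user_id.signature'; editing user_id breaks the signature."""
    sig = hmac.new(COOKIE_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"


def user_from_cookie(cookie):
    """Accepts the cookie only if its HMAC matches; returns the user id or None."""
    if cookie is None or "." not in cookie:
        return None
    user_id, sig = cookie.rsplit(".", 1)
    expected = hmac.new(COOKIE_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return user_id


if __name__ == "__main__":
    print(index_page())
    print(detail_page({"id": "3"}))        # valid id, unreleased: 404
    cookie = make_session_cookie(42)
    print(user_from_cookie(cookie))        # "42"
    print(user_from_cookie("7." + cookie.split(".")[1]))  # tampered: None
```

The point of routing both views through one `is_visible` function is that the index and detail pages cannot drift apart; the point of signing the cookie is that the server verifies the value rather than trusting whatever the browser sends back.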