[thelist] CF Encrypt universal uniqueness

Raymond Camden jedimaster at macromedia.com
Sat Dec 15 09:06:31 CST 2001


> I was wondering (mind you just wondering, not actively _doing_ anything
> about, since, apparently I am not encouraged or paid to do such activity) if
> I encrypt a value with CF's Encrypt() function on one server, will the
> resultant hash be the same as the same input value passed through Encrypt()
> on another server?

I don't believe it is unique, but let me ask around inside and find out.

> If so, I would imagine that the dreaded "arbitrary SQL code from input
> fields on a form" attack could be executed on, say, a login script which
> reads the value of an encrypted username from a cookie and puts that into a
> query to a database...
> 
> ug.

Um, how? You would need to know the key that was used on the system you
want to attack in order for your fake value to be decrypted correctly.
Therefore, this would not be a vulnerability.

=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email    : jedimaster at macromedia.com
Yahoo IM : morpheus

"My ally is the Force, and a powerful ally it is." - Yoda 
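The scenario discussed in this thread (a username encrypted under a server-side key, stored in a cookie, decrypted and then used in a database lookup), as an added example that is not part of the original thread. It uses a constructed toy cipher (HMAC-SHA256 keystream plus an HMAC tag), not ColdFusion's Encrypt(); the `encrypt`, `decrypt`, `lookup_user` functions and the in-memory user table are all assumptions made for the demonstration. It shows the two points raised in the thread: the same key and input give the same ciphertext on any server, a cookie produced under a different key is rejected outright, and the decrypted value is still untrusted input, so the query is parameterized rather than concatenated.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to each ciphertext


def _keystream(key: bytes, length: int) -> bytes:
    # Constructed toy PRF-in-counter-mode keystream (NOT CF's Encrypt()).
    # No nonce is used, so identical (key, plaintext) pairs always give
    # identical ciphertext; a production scheme would add a per-message IV.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC(key, ciphertext)."""
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def decrypt(key: bytes, token: bytes) -> Optional[str]:
    """Return the plaintext, or None if the tag does not verify
    (wrong key, or the cookie was tampered with)."""
    if len(token) < TAG_LEN:
        return None
    ct, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    return pt.decode("utf-8", errors="replace")


def make_db() -> sqlite3.Connection:
    # Constructed sample user table for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("admin", "admin")],
    )
    return db


def lookup_user(db: sqlite3.Connection, key: bytes, cookie: bytes) -> Optional[str]:
    """Hardened lookup: reject unverifiable cookies, then bind the decrypted
    username as a query parameter (the cfqueryparam equivalent)."""
    username = decrypt(key, cookie)
    if username is None:
        return None
    row = db.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def lookup_user_unsafe(db: sqlite3.Connection, key: bytes, cookie: bytes) -> Optional[str]:
    """The pattern the question worries about: the decrypted value is
    concatenated into SQL, so whoever holds the key can inject SQL."""
    username = decrypt(key, cookie)
    if username is None:
        return None
    row = db.execute(
        "SELECT role FROM users WHERE username = '" + username + "'"
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    server_key = b"constructed-server-key"
    db = make_db()
    cookie = encrypt(server_key, "alice")
    print("same key on two servers gives same cookie:",
          cookie == encrypt(server_key, "alice"))
    print("role for alice:", lookup_user(db, server_key, cookie))
    print("cookie made with another key:",
          lookup_user(db, server_key, encrypt(b"attacker-key", "admin")))
```

The hardened and unsafe lookups differ only in how the decrypted string reaches the query, which is the point: the key protects the cookie's integrity, but once the value is decrypted it is ordinary user-controlled data and should be bound as a parameter regardless of where it came from.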
