Open Source and information security mailing list archives
 
Message-ID: <42882.192.168.0.1.1123099944.squirrel@www.aftermagic.com>
Date: Wed, 3 Aug 2005 15:12:24 -0500 (CDT)
From: "Ian Mitchell" <trash@...ermagic.com>
To: bugtraq@...urityfocus.com
Subject: Re: Coldfusion Fusebox V4.1.0 Vulnerability



Having been a modified Fusebox developer for a while, I can say that there
are likely MANY more problems besides that, such as SQL injection and XSS
issues that still need to be resolved in many Fusebox apps. We addressed
them by creating a standard parse function in the index.cfm file that
prevented any sub-fuses from being affected. However, since I was under
contract I can't provide said code, sorry. But I highly advise a security
module that does basic sanity checks, authentication validation, tests for
session hijacks/fixations, and other funny business that gets thrown at
the fusebox. This security module or fuse needs to be called first and
foremost before ANY other fuses get called and should be accessed directly
from the index.cfm file before anything else happens. Coldfusion itself
doesn't do much for sanity checks; it's up to the developer to take those
into consideration.

What I found interesting was that the first 10 entries returned from the
Google search were Senators'... interesting.
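The "security fuse" the poster describes (sanity checks, authentication validation and a session-fixation test, run from index.cfm before any other fuse) can be sketched as a single CFML include. This is an added illustration written for this archive page; it is not the poster's contract code and not part of Fusebox. It assumes the Fusebox convention that URL and form variables are merged into a struct named `attributes` and that the fuseaction is written `circuit.fuse`; the file name `act_security.cfm`, the circuit names `login` and `public`, and the `session.userId` / `session.loginToken` / `LOGINTOKEN` cookie set by a hypothetical login fuse are all assumptions for the example.

```cfml
<!---
  act_security.cfm  (added example; not the poster's code and not part of Fusebox)
  Include it as the first line of index.cfm, before the Fusebox runtime runs:
      <cfinclude template="act_security.cfm">
  Assumed contract with the (hypothetical) login fuse: on successful login it sets
      session.userId, session.loginToken = createUUID(), and
      <cfcookie name="LOGINTOKEN" value="#session.loginToken#">
--->

<!--- 1. Merge URL and form into "attributes" (Fusebox convention; form wins on collision). --->
<cfparam name="attributes" default="#structNew()#">
<cfset structAppend(attributes, url, true)>
<cfset structAppend(attributes, form, true)>

<!--- 2. Sanity check the fuseaction itself: only "circuit.fuse" built from word characters.
         Anything else (path tricks, quotes, angle brackets) is rejected outright. --->
<cfparam name="attributes.fuseaction" default="home.main">
<cfif NOT reFindNoCase("^[a-z0-9_]+\.[a-z0-9_]+$", attributes.fuseaction)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Strip the usual XSS / SQL payload characters from every other simple value.
         Defence in depth only: queries in the fuses must still use <cfqueryparam>
         and output must still be HTMLEditFormat()'d. --->
<cfloop collection="#attributes#" item="key">
    <cfif isSimpleValue(attributes[key]) AND key NEQ "fuseaction">
        <cfset attributes[key] = reReplace(attributes[key], "[<>""';]", "", "all")>
    </cfif>
</cfloop>

<!--- 4. Session fixation / hijack test. A session that claims to be logged in must carry
         the per-login token in a cookie the browser only received at login time, so a
         CFID/CFTOKEN pair planted before login (fixation) or lifted from the URL is not
         enough on its own. Mismatch: drop the session and send the user back to login. --->
<cfif structKeyExists(session, "userId")>
    <cfif NOT structKeyExists(session, "loginToken")
          OR NOT structKeyExists(cookie, "LOGINTOKEN")
          OR compare(cookie.LOGINTOKEN, session.loginToken) NEQ 0>
        <cfset structClear(session)>
        <cflocation url="index.cfm?fuseaction=login.expired" addtoken="no">
    </cfif>
</cfif>

<!--- 5. Authentication validation: every circuit except the public ones needs a user.
         Done here, once, so no individual fuse can forget the check. --->
<cfset request.circuit = listFirst(attributes.fuseaction, ".")>
<cfif NOT listFindNoCase("login,public", request.circuit)
      AND NOT structKeyExists(session, "userId")>
    <cflocation url="index.cfm?fuseaction=login.main" addtoken="no">
</cfif>
```

The ordering is the point the poster makes: the gate runs before the fuseaction is ever looked up, so a missing check in one circuit cannot expose the rest. The character stripping in step 3 is a blunt instrument (it will mangle legitimate input containing apostrophes) and is no substitute for parameterised queries and output encoding inside the fuses; the login-token cookie in step 4 matters because the ColdFusion releases of that era had no built-in way to rotate the session identifier at login.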



