[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42882.192.168.0.1.1123099944.squirrel@www.aftermagic.com>
Date: Wed, 3 Aug 2005 15:12:24 -0500 (CDT)
From: "Ian Mitchell" <trash@...ermagic.com>
To: bugtraq@...urityfocus.com
Subject: Re: Coldfusion Fusebox V4.1.0 Vulnerability
Having been a modified fusebox developer for a while I can say that there
are likely MANY more problems besides that, such as SQL injection and XSS
issues that still need to be resolved in many Fusebox apps. We addressed
them by creating a standard parse function in the index.cfm file that
prevented any sub fuses from being affected. However since I was under
contract I can't provide said code, sorry. But I highly advise a security
module that does basic sanity checks, authentication validation, tests for
session hijacks/fixations, and other funny business that gets thrown at
the fusebox. This security module or fuse needs to be called first and
formost before ANY other fuses get called and should be accessed directly
from the index.cfm file before anything else happens. Coldfusion itself
doesn't do much for sanity checks, it's up to the developer to take those
into consideration.
What I found interesting was that the first 10 entries returned from the
google search were Senator's... interesting.
Powered by blists - more mailing lists