WebApp Sec mailing list archives
RE: Secure Coding? Bah!
From: "Taco Fleur" <tacofleur () nella net au>
Date: Fri, 23 Jan 2004 15:27:11 +1000
Hi,

I know what you're saying, and I was hesitant about posting any comments at first because I know what state *my personal* site is currently in, but trust me, I am well aware of these issues (nonetheless I still like to hear about them), just too damn lazy at this stage to do something about it. I have written several documents about how to make a web app more secure, and they include path disclosure: instead, a general error message should be shown, not displaying anything to the user. The general error message is there, but there is an error somewhere, that's why it still displays the path. Too busy at the moment with making money ;-))

I was actually following your tracks through the weblog ;-))

Saying ColdFusion sucks is pretty strong. I also have an answer for that one: any language sucks if the programmer doesn't have a clue what he is doing. When he does, the language he works with is just as strong.

My 2 cents

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn

-----Original Message-----
From: MELBOURNE,Jody [mailto:Jody.MELBOURNE () dewr gov au]
Sent: Friday, 23 January 2004 3:12 PM
To: tacofleur () nella net au
Subject: RE: Secure Coding? Bah!

Hi

You have another issue on your site :)

http://www.tacofleur.com/index/global/comment/?id='58&action=add

--snip--
Error Executing Database Query.
Invalid data '58 for CFSQLTYPE CF_SQL_INTEGER.
The error occurred in D:\Inetpub\wwwroot\internet\production\tacofleur.com\index\global\comment\act_comment.cfm: line 45
Called from D:\Inetpub\wwwroot\internet\production\tacofleur.com\index\global\comment\dsp_default.cfm: line 3
Called from D:\Inetpub\wwwroot\internet\production\tacofleur.com\content.cfm: line 94
--

This is at least an XSS hole and path disclosure hole, but could be much worse... ColdFusion sucks. If you're serious about security I would stay well away from it.

I was going to add a comment saying what a nicely designed site you have :) oh well

Have a great long weekend & happy Aus day!

Cheers
.jm

-----Original Message-----
From: Taco Fleur [mailto:tacofleur () nella net au]
Sent: Friday, January 23, 2004 3:25 PM
To: webappsec () securityfocus com
Subject: RE: Secure Coding? Bah!

I see now this is one of those not so user-friendly lists that puts the author of the post in the "to" of the email. So I'll resend the posts I sent earlier..

You are so right, and I am so thankful I finally found someone who feels the same way ;-) This week I have been trying to get this point across to several mailing lists I am signed up with, but they all shy away as soon as the word security is mentioned. I even had to battle with some of them thinking it is ok that a cracker gets access to Joe Nothing Bloggs' admin panel, because it's an insignificant website, but what they forget is that it's an open door to their domain, their own website is hosted on the same machine, etc. etc.

I too had to clean up code. Well, I didn't get to clean it because it's not a priority of the company; it's like in the article: first make more money, and not caring about the security of the sensitive data of clients, in some cases credit card info.... Just today I had someone point out an XSS hole on my own website. I am fairly familiar with the holes on my website and will fix them in due time ;-)) but he posted the hole in a public place and everybody attacked him for it, but I applaud him for it, because 1. he contacted me first 2. if he does not post it in a public place nothing gets done about it..

Am I rambling on yet? Ok.....

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn

-----Original Message-----
From: Adam Tuliper [mailto:amt () gecko-software com]
Sent: Friday, 23 January 2004 1:52 PM
To: mark () curphey com; webappsec () securityfocus com
Subject: Re: Secure Coding? Bah!

Credentials or not... he's right on almost every aspect. Almost every company I've done work at had pretty insecure code that I had to fix. I know of almost no peer developers who are security conscious, as well as I know no developers personally that were taught security as part of their training. It never ceases to amaze me how many developers know next to nothing about writing secure code. You tell them about a SQL injection attack and they look at you like a dog who just heard a funny noise and turns its head sideways. Ironically the only people I know who seem to have any idea about security are the same ones who could hack your systems. Seems like this needs to be more two-way knowledge, but most developers just don't care.

On Thu, 22 Jan 2004 21:42:24 -0500 (EST) Mark Curphey <mark () curphey com> wrote:
Does anyone know of any information about this author's credentials to make these claims?
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html
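The error page quoted in the thread shows two separate defects: the id parameter was rejected as a non-integer (the typed query parameter did its job), but the framework's default error page then leaked file paths and reflected the raw input. The following is an added illustration, not code from the thread or the site, written in Python rather than ColdFusion so it runs stand-alone; the comment data, the `<WEBROOT>` path placeholder and the reference-id scheme are constructed assumptions.

```python
import logging
import re
import uuid
from urllib.parse import parse_qs

log = logging.getLogger("comments")

# Constructed sample data standing in for the comments table (not from the site).
COMMENTS = {58: "Nice site design!"}


def _db_detail(raw_id: str) -> str:
    # Stand-in for the server-side detail ColdFusion wrote into its error page in the
    # thread; the path is a placeholder, not the real one.
    return (f"Invalid data {raw_id} for CFSQLTYPE CF_SQL_INTEGER. "
            "The error occurred in <WEBROOT>/act_comment.cfm: line 45")


def _raw_id(query: str) -> str:
    return parse_qs(query, keep_blank_values=True).get("id", [""])[0]


def parse_comment_id(query: str):
    """Accept id only as 1-9 decimal digits; anything else (e.g. '58) yields None."""
    raw = _raw_id(query)
    return int(raw) if re.fullmatch(r"[0-9]{1,9}", raw) else None


def leaky_handler(query: str):
    """Behaviour the thread shows: raw DB error, file path and unescaped input reach the client."""
    cid = parse_comment_id(query)
    if cid is None:
        return 500, "Error Executing Database Query. " + _db_detail(_raw_id(query))
    return 200, COMMENTS.get(cid, "")


def hardened_handler(query: str):
    """Validate before querying; log detail server-side under a reference id; show only a generic page."""
    ref = uuid.uuid4().hex[:8]
    cid = parse_comment_id(query)
    if cid is None:
        # %r keeps the rejected value quoted in the log line; it is never echoed to the user.
        log.warning("ref=%s rejected comment id %r", ref, _raw_id(query))
        return 400, f"Invalid request. Reference {ref}"
    try:
        return 200, COMMENTS[cid]
    except KeyError:
        log.info("ref=%s comment %d not found", ref, cid)
        return 404, f"Not found. Reference {ref}"
    except Exception:
        # Any unexpected failure: full traceback goes to the log, never into the response.
        log.exception("ref=%s unhandled error for comment %d", ref, cid)
        return 500, f"Something went wrong. Reference {ref}"
```

The reference id lets a support engineer find the full server-side log entry without the response body carrying paths, stack traces or the attacker-controlled value.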