Ray Camden Security Presentation

Posted At : August 1, 2007 1:54 PM | Posted By : Steve
Related Categories: CFUG

Ray Camden gave a presentation to the Tulsa CFUG on ColdFusion Security last night. We got off to a late start due to my own ineptitude in setting up Adobe Connect. After that, however, the presentation was great.

I was actually a bit surprised by how well everyone in the group was doing on security (if they are all to be believed). Not you, of course, dear reader. You, I knew, would do well. ;-)

The biggest thing that most of us didn't do as well as we could have is checking incoming parameters. We actually all checked them well enough to prevent errors, but not to prevent blank pages from being returned to the user (for example) or other usability issues.

Ray did a quick hack attempt on two sites volunteered by the group. The site volunteered by my friend, Drew Harris, did flawlessly (and is a nice looking site which uses a nifty .htaccess rewrite). The site I volunteered, however, displayed a small flaw.

Fortunately, the flaw wasn't a security problem. A page just displayed without any content if an invalid value was passed in the URL (since fixed, of course).

Ray also discussed security features of the recent ColdFusion 8 release (I cannot wait to start using CF8!). Included among them, AJAX Security Features.

For me, this presentation complemented the security presentation I attended at cf.Objective by Dean Saxe. That presentation discussed security procedures, where Ray Camden discussed ColdFusion syntax.

All in all, this was a really great presentation. I look forward to having Ray present to our group in the future (at which time I will be sure to have Connect set up correctly).

The recording of the meeting is available as well:
http://adobechats.adobe.acrobat.com/p75464975/

Ray also has the ColdFusion Security Checklist itself available online.

Some other security resources:

Thanks for taking the time to present to us Ray!

Comments (3) | Print | del.icio.us | Digg It! | Linking Blogs | 4679 Views
Comments (Comment Moderation is enabled. Your comment will not appear until approved.)
[Add Comment]
I found this interesting, I went to Drew Harris's Quantum Delta site and quickly found that I could create a contentless page by changing the page parameter to really anything other than a null value:
http://www.quantumdelta.com/index.cfm?page=derek

I'm sure I have some work to do on this matter as well, especially after a session I attended at CFUNITED, so I am by no means comparing - just pointing out.
:-)

I like the QD site, clean, simple, and appealing (no pun intended with the monkey an all)
:-)
# Posted By Derek Versteegen | 8/1/07 7:06 PM
Derek,

Yeah, I guess I should have realized that by linking to Drew's web site in a post about security that I would have opened him up to attack. I should have thought about that.

It was actually another site that Ray tested during the presentation. I think the other site is the temporary location of the new version of his site. I like his current design a lot, but I think the new design is even better.
# Posted By Steve Bryant | 8/2/07 3:15 PM
Thanks for putting me out there Steve ;)
Any alternate page that does not exist "should" pull up the site map and a page not found title.
Thanks for the comments about the site Derek.
# Posted By Drew Harris | 10/16/07 7:27 PM
[Add Comment]
BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.