Hackers can link directly to your ColdFusion include pages to bypass security or glean information about the application from the resulting errors.
For example, suppose you had two files, login.cfm and inc_success.cfm: the hacker could bypass login.cfm and try to execute inc_success.cfm directly.
This is a bit of a strange example but I'm sure you get the idea.
There is a brilliant piece of logic in the Fusebox application.cfm file that prevents would-be hackers from directly accessing any CFML file other than "index.cfm". The code is blindingly simple and it goes a little something like this:
<cfif right(cgi.script_name, len("index.cfm")) neq "index.cfm"
      and right(cgi.script_name, 3) neq "cfc">
    <cflocation url="index.cfm" addtoken="no" />
</cfif>
Regardless of what framework, if any, you are using, I recommend adding this code to your application.cfm.
PS. Bear in mind that Ajax or Flash movie calls to CFML pages will only be able to get data from pages named "index.cfm". Also, any popup window pages must now be accessed through, or named, "index.cfm".
Total Copy
I was just transferring an 800Mb file for the last 10 minutes (over a wireless connection) to my laptop, when at the last second, I got a Windows alert saying the copy failed! How bloody annoying.
I got to thinking that this has happened to me hundreds of times over the years and that surely by now you'd think Windows would have a resume copy option. It doesn't.
OK then, surely somebody has written a hack for Windows to fix this? A quick Google later and I found Total Copy. So far it seems to be doing the business. It can even resume after a power failure.
Now this really is a tool every self-respecting geek should have installed.
Tip: To use, drag the files with the right mouse button.
Aside: Just wondering if Macs have this problem, and does Vista have this problem licked?
How to Beat Form Spam-bots
...without resorting to an annoying CAPTCHA.
Those bloody form spam-bots were driving our clients crazy with hundreds of BS emails arriving every day. I came up with this simple but effective method to beat these form spam-bots.
Part 1 - Duping New Bots
Warning: This method requires JavaScript to be enabled and is thus not blah-blah compliant.
- Change the action of your form to "about:blank". (Remember the real action for later.) Robots indexing this will now go to "about:blank" instead of your action handler page.
- If your form has a JavaScript validation function, add this line just before the form is OKed or submitted:
document.[form name].action = "[path to form handler page]"
Otherwise just stick something like this in the form tag:
onsubmit="this.action='[Path to handler page here]'"
It's pretty simple, but since implementing this at the crew, we haven't encountered any robots smart enough to figure out that we are duping them with the about:blank. If the robots evolve, then so will we.
Part 2 - Blocking Old Bots (they're using Form Caching!)
Part 1 will prevent robots indexing your form action URL; but what about the robots that have already indexed your form and are storing the form details in their database? Here's how to block them:
- Add this line to your form:
<input type="hidden" name="formSecurity" value="<cfoutput>#Hash( DateFormat( now(), "dd/mm/yyyy" ) & "YOUR_SECRET_KEY" )#</cfoutput>"/>
- In your handler page insert the following at the start:
<!--- FORM SECURITY: reject any post that lacks today's token --->
<cfif NOT isdefined( "FORM.formSecurity" ) OR ( FORM.formSecurity IS NOT Hash( DateFormat( now(), "dd/mm/yyyy" ) & "YOUR_SECRET_KEY" ) )>
    <cfabort>
</cfif>
Tada! You're done. Welcome to zero-spam.
Alternative method: Cut the internet cable running out of Nigeria.
The GoogleBot is retarded.
The Googlebot is retarded. Why? Because it has absolutely no idea what a base href tag is for.
I use a base href on all my sites to make internal linking much easier - no matter what the URL for the page on the site looks like, the link to another page will remain the same.
For those who don't know a base href looks like this <base href="">. When you use a base href on your site, all relative links are from that URL. So a link to "index.cfm" from the URL "page/somesubfolder/" will go to "index.cfm" instead of "page/somesubfolder/index.cfm".
But Mr. G, I-control-the-world, A. Bottie chooses to plough right on through my base href, scoffing at my pitiful attempt to direct it to the content.
This is why I am continually getting error reports from sites where I have something like <cfparam name="URL.id" type="numeric">.
Instead of requesting a normal link like index.cfm/page/viewproduct/id/34, the bot is interpreting URLs like index.cfm/page/viewcat/index.cfm/viewproduct/34, and this is generating an error report which is automatically emailed to me every time the Googlebot goes into action on one of our client sites.
For FS, how hard is it for the Google engineers to interpret that there is a standard base href on the page? Or is it that the Googlebot is hedging its bets and checking to see if the base href was a mistake and there IS a valid page at its conjured link URL?
PS. I'll probably get a permanent thumbs down in the Google ranking for this. Mr G. Bottie knows when he's being insulted and he doesn't like it. You don't fuck with the bot; he controls the Internet, he can break you like that.