Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Preventing easy vulernerabilities

Best Practices

Preventing easy vulernerabilities

by  webmigit  Posted    (Edited  )
Ok there are cases where these practices that I'm suggesting you avoid are exactly the thing you want to do.. But its generally seasoned programmers that need to do these things.. While many programmers (too many) don't know to avoid them.

For a lot of languages, many programmers have two tactics for keeping a site theme.. INCLUDES, and there are two ways to do it.. in most languages...

. Placing a header include at the beginning of each file and a footer include at the end of each file.. These includes may (and often this is the case) do more than just enforce a design.. They also can run common queries and operations, set common variables, and other such things. Viewing the info page might look something like: info.cfm

-- The code in info.cfm might look something like...

<cfinclude template="header.cfm">
... info content ...
<cfinclude template="footer.cfm">

. Making a "design container" page where the page looks like any page on your site, but the content area is blank.. the developer then uses a url parameter to find content.. Viewing the info page might look something like: container.cfm?showconts=info.cfm

There are three problems with this.. First info.inc if they go directly may look pretty bare bones.. not have the links you want. Second, search engines will try not to spider that. And third and this is the most important, you leave a hole open for people to crash your server through infinite including. This is not a good method but it is sometimes the case.. The code for container.cfm might look something like..

Code: 
<cfparam name="url.showconts" default="">
...header code, text, images, blah...
<cfinclude template="#url.showconts#">
...footer code, text, images, blah...

The vulnerability left open is that if the user changes container.cfm?showconts=info.cfm to container.cfm?showconts=container.cfm you have an infinite loop.. and that will hog processes on the server until something times out, crashes, or locks up.

BUT if that is the case, never fear there is an easy solution...

Code: 
<cfparam name="url.showconts" default="">
...header code, text, images, blah...
<cfif right(cgi.script_name,len(trim(url.showcontents))) is trim(url.showcontents)>
  <cfinclude template="#trim(url.showconts)#">
</cfif>
...footer code, text, images, blah...

works pretty solid, but you can also use..

Code: 
<cfparam name="url.showconts" default="">
...header code, text, images, blah...
<cfif cgi.script_name contains url.showcontents>
  <cfinclude template="#trim(url.showconts)#">
</cfif>
...footer code, text, images, blah...

You'll also notice that I stressed about a lot of languages only have two methods of keeping a consistent design..

Cold fusion has the natural pre- and post- request files called Application.cfm and OnRequestEnd.cfm respectively.. The process before and after the request for each cold fusion page in their own folder any folder under them.. The requested page searches its directory and its parent directory and grandparent directory and so on and so forth til it either finds application.cfm in a folder or reaches the root of a drive.. The only onrequestend.cfm processed is one found in the same folder as application.cfm so though application.cfm may be by itself, onrequestend relies on application to perform correctly.

Rather than following the first method you can place header code in application.cfm and footer code in onrequestend.cfm and quickly have an enforced design.
Register to add this FAQ to your archive
Register to rate this FAQ  : BAD 1 2 3 4 5 6 7 8 9 10 GOOD
Please Note: 1 is Bad, 10 is Good :-)

Part and Inventory Search

Back
Top