WebApp Sec: RE: Secure Coding? Bah!

["Taco Fleur" <tacofleur () nella net au>]

Hi,

I know what your saying, and I was hesitant about posting any comments at
first because I know what state *my personal* site is currently in, but
trust me I am well aware of these issues (non the less I still like to hear
about them) just to damn lazy at this stage to do something about it. I have
written several documents about how to make a web app more secure, and they
include path disclosure - instead a general error message should be shown
not displaying anything to the user, the general error message is there but
there is an error somewhere that's why it still displays the path. To busy
at the moment with making money ;-))

I was actually following your tracks through the weblog ;-))

Saying ColdFusion sucks is pretty strong, I also have an answer for that
one, any language sucks if the programmer doesn't have a clue what he is
doing. When he does, the language he works with is just as strong.

My 2 cents

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn 


> -----Original Message-----
> From: MELBOURNE,Jody [mailto:Jody.MELBOURNE () dewr gov au] 
> Sent: Friday, 23 January 2004 3:12 PM
> To: tacofleur () nella net au
> Subject: RE: Secure Coding? Bah!
>
>
> Hi
>
> You have another issue on your site :)
>
> http://www.tacofleur.com/index/global/comment/?id='58&action=add
>
> --snip--
> Error Executing Database Query.  
> Invalid data '58 for CFSQLTYPE CF_SQL_INTEGER.  
>   
> The error occurred in 
> D:\Inetpub\wwwroot\internet\production\tacofleur.com\index\glo
> bal\commen
> t\act_comment.cfm: line 45
> Called from 
> D:\Inetpub\wwwroot\internet\production\tacofleur.com\index\glo
> bal\commen
> t\dsp_default.cfm: line 3
> Called from
> D:\Inetpub\wwwroot\internet\production\tacofleur.com\content.c
> fm: line 94
> --
>
> This is at least an XSS hole and path disclosure hole, but 
> could be much worse... Coldfusion sucks. If you're serious 
> about security I would stay well away from it.
>
> I was going to add a comment saying what a nice designed site you have
> :) oh well
>
> Have a great long weekend & happy aus day!
>
> Cheers
> .jm
>
>
>
>
> -----Original Message-----
> From: Taco Fleur [mailto:tacofleur () nella net au] 
> Sent: Friday, January 23, 2004 3:25 PM
> To: webappsec () securityfocus com
> Subject: RE: Secure Coding? Bah!
>
>
> I see now this is one of those not so user-friendly lists 
> that puts the author of the post in the "to" of the email. So 
> I'll resend the posts I send earlier..
>
> You are so right, and I am so thankful I finally found 
> someone who feels the same way ;-)
>
> This week I have been trying to get this point across to 
> several mailing lists I am signed up with, but they all shy 
> away as soon as the word security is mentioned.
>
> I even had to battle with some of them thinking it is ok that 
> a cracker gets access to Joe Nothing Bloggs admin panel, 
> because its an insignificant website, but what they forget is 
> that it's an open door to their domain, their own website is 
> hosted on the same machine, etc. etc.
>
> I too had to clean up code, well, I didn't get to clean it 
> because it not a priority of the company, its like in the 
> article - first make more money, and not caring about the 
> security of the sensitive data of clients, in some cases 
> Credit Card info....
>
> Just today I had someone point out a XSS hole on my own 
> website, I am fairly familiar with the holes on my website 
> and will fix them in due time ;-)) but he posted the hole on 
> a public place and everybody attacked him for it, but I 
> applaud him for it, because 1. he contacted me first 2. if he 
> does not post it in a public place nothing gets done about 
> it.. Am I rambling on yet? Ok.....
>
> Taco Fleur
> Blog http://www.tacofleur.com/index/blog/
> Methodology http://www.tacofleur.com/index/methodology/
> 0421 851 786
> Tell me and I will forget
> Show me and I will remember
> Teach me and I will learn 
>
>
> > -----Original Message-----
> > From: Adam Tuliper [mailto:amt () gecko-software com]
> > Sent: Friday, 23 January 2004 1:52 PM
> > To: mark () curphey com; webappsec () securityfocus com
> > Subject: Re: Secure Coding? Bah!
> >
> >
> > credentials or not.. he's right on almost every aspect.
> >
> > Almost every company I've done work at had pretty insecure 
> code that I 
> > had to fix. I know of almost no peer developers who are security 
> > conscious, as well as I know no developers personally that 
> were taught
>
> > security as part of their training.  It never ceases to amaze me how
> > many developers know next to nothing about writing secure code. You 
> > tell them about a sql injection attack and they look at you 
> like a dog
> > who just heard a funny noise and turns its head sideways. 
> > Ironically the only people I know who seme to have any idea 
> > about security are the same ones who could hack your systems. 
> > Seems like this needs to be more two-way knowledge but most 
> > developers just don't care. On Thu, 22 Jan 2004 21:42:24 
> > -0500 (EST)  Mark Curphey <mark () curphey com> wrote:
> > > Does anyone know of any information about this authors
> > credentials to
> > > make these claims ?
> > http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_
> art550,00.html
>
> ---------------------------------------------------------------------
> Web mail provided by NuNet, Inc. The Premier National 
> provider. http://www.nni.com/
>
>
> Notice:
> The information contained in this e-mail message and any 
> attached files may be confidential information, and may also 
> be the subject of legal professional privilege.  If you are 
> not the intended recipient any use, disclosure or copying of 
> this e-mail is unauthorised.  If you have received this 
> e-mail in error, please notify the sender immediately by 
> reply e-mail and delete all copies of this transmission 
> together with any attachments.