  #21 (permalink)  
Old 01-15-2008, 12:46 PM
twalters84
Learning Programmer
File Spoofing?

Hello again,

You have got to be kidding me, right? I am going to assume you're not.

By spoofing, you mean taking an EXE file and giving it a JPG extension right?

So what happens when you do something like the following when a file is spoofed?

<img src="spoofedFile.JPG">

My first thought is that it would show a box with an X through it. That is at least what happens when a JPG cannot be found.

My biggest question is how do you tell a file is spoofed upon uploading it? How is that prevented?

The more I learn about securing a website, the more I hate hackers. The worst thing is I bet the majority of programmers do not even take measures to secure a website like this.

Thanks again for any information you can provide me with. If there was a security class in my area, I would definitely take that. For now, this is the best I got, so I really appreciate it.

Sincerely,
Travis Walters
admin@codebuyers.com
  #22 (permalink)  
Old 01-15-2008, 12:56 PM
John
Co-Administrator

I am not kidding, and I have no clue how to check against this. I would suppose maybe checking the content headers. Generally though, from my experience, images are usually spoofed as shell scripts. I have never spoofed a file, so I have no clue how it works.
  #23 (permalink)  
Old 01-15-2008, 04:03 PM
TcM
Moderator

So you are saying that we should not even accept JPG/GIF files to be uploaded?
  #24 (permalink)  
Old 01-15-2008, 04:41 PM
twalters84
Learning Programmer
Another Good Article

Hey there,

I found another good article here:

Application Security with Coldfusion

The part that I found very interesting and is related to our latest discussion is the following:

Quote:
A common task that can be very dangerous. People can upload a file and then execute that file on your server. In <cffile>, many people use the accept="" attribute to limit the kinds of files you can upload, but this isn't the greatest approach. A hacker can spoof the mime type. So, one could upload a ColdFusion page, spoof the mime type, and execute the ColdFusion page. This spoofing can easily be done with ColdFusion.

Best practices: Upload to a directory outside the web root or to a static content server. Always check the file extension (cffile.serverFileExt), although this is obviously not reliable, but it would stop someone from executing a ColdFusion page when it has an image mime type (as an example). Use the accept="" attribute, just don't rely on it. Also check the filename to avoid XSS. Otherwise, a person could have JavaScript in the filename that could be executed. The combination of these things would make it very challenging to exploit uploading.

Uploading files to a different server for storage may be a good idea. Does anybody know of any good hosts that are strictly for storage? If I do this, I would definitely need something reliable.

However, I wonder if I created a separate directory just for uploads if that would solve the problem. I am wondering if maybe there is a way to make everything non-executable in that folder somehow?

Sincerely,
Travis Walters
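The checks the quoted article recommends, together with the question in post #21 about telling a spoofed file apart on upload, put into code: the server ignores what the client claims and compares the extension against the file's leading bytes (its signature), strips anything dangerous from the filename, and stores the file under a random name in a directory outside the web root. This is an added example written in Python rather than ColdFusion, not code from the thread or the linked article; the allow-list, the function names and the /srv/uploads path are assumptions.

```python
import os
import re
import secrets

# Leading-byte signatures of the image formats this endpoint accepts.
# jpg and jpeg share one signature, so they are treated as the same family.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
IMAGE_MIMES = {"image/jpeg", "image/gif", "image/png"}
UPLOAD_DIR = "/srv/uploads"  # assumed location, outside the web root

def sanitize_filename(name: str) -> str:
    """Drop any directory part and replace every character outside a small set."""
    base = os.path.basename(name.replace("\\", "/"))
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return cleaned.strip("._")[:100] or "upload"

def detect_image_type(data: bytes):
    """Return the format whose signature the data starts with, else None."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None

def validate_upload(filename: str, data: bytes, claimed_mime: str):
    """Return (accepted, reason, stored_path); the declared MIME is only a first filter."""
    if claimed_mime not in IMAGE_MIMES:
        return False, "declared type is not an accepted image type", None
    safe = sanitize_filename(filename)
    ext = safe.rsplit(".", 1)[-1].lower() if "." in safe else ""
    if ext not in SIGNATURES:
        return False, f"extension {ext!r} is not on the allow-list", None
    actual = detect_image_type(data)
    if actual is None:
        return False, "content does not start with an image signature", None
    if SIGNATURES[ext] != SIGNATURES[actual]:
        return False, f"extension .{ext} does not match {actual} content", None
    # Never store under the uploader's name: a random server-side name means the
    # file cannot be requested as a script by the name the uploader chose.
    stored = os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")
    return True, "ok", stored

if __name__ == "__main__":
    # Constructed samples: a real JPEG header, and text bytes renamed to .jpg.
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF", "image/jpeg"))
    print(validate_upload("notes.jpg", b"<cfoutput>hi</cfoutput>", "image/jpeg"))
```

Writing the accepted bytes to UPLOAD_DIR and serving them back through a handler that sets the Content-Type itself keeps uploads out of any directory the application server will execute, which is what the question about a non-executable upload folder comes down to.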
  #25 (permalink)  
Old 01-15-2008, 07:35 PM
twalters84
Learning Programmer
Some Documentation

Hello again,

For other ColdFusion developers, I found a few things that are quite useful.

This feature is undocumented in ColdFusion 7, but it works:

Script Protection Attribute in Cfapplication

It does not protect against all XSS attacks, but it's better than nothing.

The Adobe Coldfusion Security Center also has some nice information:

Adobe Coldfusion Security Center

Hope this helps other developers.

Sincerely,
Travis Walters