FuseGuard


Ben Riordan

Dec 28, 2011, 4:52:28 AM
to ColdFusion on Wheels
Is anyone using FuseGuard, http://foundeo.com/security/, with
CFWheels? If so, how do you have it installed / configured to work
harmoniously with CFWheels?

Thanks,

~ Ben

Ben Riordan

Dec 28, 2011, 11:47:22 AM
to ColdFusion on Wheels
Thanks very much to both of you - exactly what I was looking for.

Any idea as to how much / what runs before onrequeststart.cfm?

~ Ben

On Dec 28, 6:08 am, Alfredo Baraldi <alfredo.bara...@gmail.com> wrote:
> I asked Pete of Foundeo this question some days ago, but I could see that
> it only works with the latest versions of Wheels and does not work with
> version 1.0.6 and earlier.
> His response is below:
>
> Hi Alfredo,
>
> This line of the code needs to be in onRequestStart
>
> <cfset application.fuseguard.processRequest()>
>
> The rest of it can stay in the onApplicationStart
>
> Please note that with this implementation there will be wheels code
> that runs before FuseGuard runs, so you may need to edit the
> wheels/events/ files to provide a better implementation.
>
> Thanks, and please don't hesitate to ask if you have any further questions.

Ben Riordan

Dec 28, 2011, 11:52:22 AM
to ColdFusion on Wheels
...as in it would seem that almost all of the Wheels framework is
exposed "outside" of FuseGuard. On a view request onrequeststart.cfm
activates FuseGuard and then all of the view / controller content is
run after / "inside" FuseGuard? Is that a correct analysis?

Thanks,

~ Ben

On Dec 28, 8:47 am, Ben Riordan <ben.rior...@gmail.com> wrote:
> Thanks very much to both of you - exactly what I was looking for.
>
> Any idea as to how much / what runs before onrequeststart.cfm?
>
> ~ Ben

Per Djurner

Dec 29, 2011, 3:03:24 PM
to cfwh...@googlegroups.com
No, the original idea was definitely to always protect the developer
by making sure everything was properly cfqueryparamed.

"The only solution would be to parse the strings the user provides
every time for syntax accuracy".
That is in fact what's being done (or should have been done anyway).

I think way back Wheels simply failed when it was passed something unknown.
It was an ugly failure with usually very cryptic error messages but it
was better than allowing it to go through at least.

On Thu, Dec 29, 2011 at 8:37 PM, Donald Humphreys
<dhumph...@gmail.com> wrote:
> It could possibly be done, although I don't see an obvious solution.
> The original idea I'm sure was to give flexibility in query syntax
> entered by the user. Unfortunately there is no way to tell in the
> model if the where condition was from the programmer or interpolated
> before being passed in. The only solution would be to parse the
> strings the user provides every time for syntax accuracy. In cfrel,
> protection against this problem is a side effect of parsing the
> strings for column mapping. However, this is too complex of a method
> to be implemented in the core at this time. I will have to think more
> about this and how to fix it.
>
> On Thu, Dec 29, 2011 at 2:23 PM, Per Djurner <per.d...@gmail.com> wrote:
>> I think you're right, Don.
>> That's certainly something that needs to be looked at.
>> It should be cfqueryparam or nothing at all in terms of what gets sent
>> to the database adapter.
>>
>> Contact me off list if you need any help with it.
>>
>> / Per
>>
>> On Thu, Dec 29, 2011 at 6:10 PM, Don Humphreys <dhumph...@gmail.com> wrote:
>>> Per,
>>>
>>> It is true that cfqueryparam is used. But isn't it also true that when a non-standard expression is passed, wheels just runs it as is? And strings from the params are always interpolated into where= regardless of their content. This could potentially be a big security hole if all of that is true, since the wheels regex would never match a hack string.
>>>
>>> Don
>>>
>>> Sent from my iPhone
>>>
>>> On Dec 29, 2011, at 8:46 AM, Per Djurner <per.d...@gmail.com> wrote:
>>>
>>>> I guess what I'm not understanding is how that could happen through
>>>> Wheels given that it always uses cfqueryparam.
>>>> Were you able to trace down which type of queries that the attack was made on?
>>>>
>>>> On Thu, Dec 29, 2011 at 2:29 PM, Alfredo Baraldi
>>>> <alfredo...@gmail.com> wrote:
>>>>> Yes, it's true.
>>>>>
>>>>>
>>>>>
>>>>> 2011/12/29 Per Djurner <per.d...@gmail.com>
>>>>>>
>>>>>> I was just referring to your own situation, you said that 10GB had
>>>>>> been destroyed on your server, right?
>>>>>>
>>>>>> On Thu, Dec 29, 2011 at 12:55 PM, Alfredo Baraldi
>>>>>> <alfredo...@gmail.com> wrote:
>>>>>>> I refer to this post:
>>>>>>>
>>>>>>> http://groups.google.com/group/cfwheels/browse_thread/thread/62bdfb483e50c749/f9309fe45fb39c91?hl=en&lnk=gst&q=foundeo
>>>>>>>
>>>>>>> Could I have misinterpreted the meaning?
>>>>>>>
>>>>>>> -Alfredo

Pete Freitag

Jan 11, 2012, 1:29:51 PM
to ColdFusion on Wheels
On Dec 28 2011, 12:25 pm, Yannick <bizonby...@gmail.com> wrote:
> I was wondering why the interest in this product since wheels can handle
> the important security issue of sql injection and cross-site scripting.

Hi Yannick,

FuseGuard defends against more than just SQL injection and cross-site
scripting. For example, if you had FuseGuard running, the directory
traversal filter would have protected you from this recent issue in
the Wheels core: http://cfwheels.org/blog/security-fixes-for-1-1-7-and-1-0-6-released/

Also I'm curious what XSS protection wheels offers - if anyone has a
link I'd like to read up on it.

I'll be doing a blog post on running FuseGuard in wheels soon, but if
anyone needs assistance feel free to let me know on or off list.

Thanks!
--
Pete Freitag
http://foundeo.com/ - ColdFusion Products & Services
http://www.petefreitag.com/ - My Blog
http://www.youtube.com/watch?v=ubESB87vl5U - 10 Min FuseGuard Video Tutorial

Troy Murray

Dec 28, 2011, 8:39:51 AM
to cfwh...@googlegroups.com
I asked Pete of Foundeo this question earlier this year, and yes you can use it with CFWheels (although I'm not currently).  His response is below:

---
You can run FuseGuard on cfwheels by doing the following:

1) Copy /fuseguard/ folder into your webroot
2) Edit /events/onrequeststart.cfm (this is part of CFWheels) and place the FuseGuard code in there, eg:

<!--- create the firewall once, or again when it asks to be re-initialised --->
<cfif NOT IsDefined("application.fuseguard") OR application.fuseguard.shouldReInitialize()>
    <cfinvoke component="fuseguard.components.firewall"
              method="init" returnvariable="application.fuseguard">
        <cfinvokeargument name="configurator" value="DefaultConfigurator">
    </cfinvoke>
</cfif>
<!--- run the FuseGuard filters against the current request --->
<cfset application.fuseguard.processRequest()>


Note that to run the fuseguard manager you might need to create an Application.cfc file of it's own so it doesn't run inside of wheels.

--
HTH

--
Troy Murray

Alfredo Baraldi

Dec 28, 2011, 9:08:07 AM
to cfwh...@googlegroups.com
I asked Pete of Foundeo this question some days ago, but I could see that it only works with the latest versions of Wheels and does not work with version 1.0.6 and earlier.
His response is below:



Hi Alfredo,

This line of the code needs to be in onRequestStart

<cfset application.fuseguard.processRequest()>

The rest of it can stay in the onApplicationStart

Please note that with this implementation there will be wheels code
that runs before FuseGuard runs, so you may need to edit the
wheels/events/ files to provide a better implementation.

Thanks, and please don't hesitate to ask if you have any further questions.


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?





On Sat, Dec 10, 2011 at 9:29 AM, Foundeo <con...@foundeo.com> wrote:
> From: Alfredo (ad...@wetradetogether.com)
> ================================================================
> I have received the trial of your software version, but unfortunately I had problems.
> I keep getting this message: Request not allowed. Please contact the administrator for assistance. Please Continue to the Home Page.
>
> I'm using the CFWheels framework and ColdFusion 9.
> I tried all the configurations, but only with 'BaseConfigurator' can I see the site, but obviously this can happen with this configuration because no control is applied.
>
> thanks
>
> Alfredo Baraldi
> wetradetogether.com
> ad...@wetradetogether.com
> This is the code in the script of onapplicationstart.cfm in CFWheels
>
> <!--- create the firewall once, or again when it asks to be re-initialised --->
> <cfif NOT IsDefined("application.fuseguard") OR application.fuseguard.shouldReInitialize()>
>     <cfinvoke component="fuseguard.components.firewall" method="init" returnvariable="application.fuseguard">
>         <cfinvokeargument name="configurator" value="BaseConfigurator">
>     </cfinvoke>
> </cfif>
> <!--- run the FuseGuard filters against the current request --->
> <cfset application.fuseguard.processRequest()>
> ================================================================
> Referring URL: http://foundeo.com/contact/

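Putting Troy's steps and Pete's follow-up together, the working layout is: create the firewall in events/onapplicationstart.cfm, and put the per-request processRequest() call (plus the re-initialise check) in events/onrequeststart.cfm. The two files below are an added example, not code from the thread, from Foundeo or from the CFWheels project. They assume the /fuseguard/ folder is in the webroot as in step 1, that DefaultConfigurator is the configurator you want, and that the lock name fuseguardInit is a free choice; the only FuseGuard calls used are the three that appear in the thread (init with a configurator argument, shouldReInitialize() and processRequest()).

```cfml
<!--- ===== events/onapplicationstart.cfm (CFWheels application event) ===== --->
<!--- Build the FuseGuard firewall once, when the application starts.
      "DefaultConfigurator" is an assumption for this example; use the
      configurator you have set up in the FuseGuard manager. --->
<cfinvoke component="fuseguard.components.firewall"
          method="init"
          returnvariable="application.fuseguard">
    <cfinvokeargument name="configurator" value="DefaultConfigurator">
</cfinvoke>


<!--- ===== events/onrequeststart.cfm (CFWheels request event) ===== --->
<!--- Rebuild the firewall if it is missing (e.g. the application scope was
      cleared) or if it reports that its configuration changed. The second
      check inside an exclusive named lock keeps concurrent requests from
      each building their own instance. --->
<cfif NOT StructKeyExists(application, "fuseguard")
      OR application.fuseguard.shouldReInitialize()>
    <cflock name="fuseguardInit" type="exclusive" timeout="10">
        <cfif NOT StructKeyExists(application, "fuseguard")
              OR application.fuseguard.shouldReInitialize()>
            <cfinvoke component="fuseguard.components.firewall"
                      method="init"
                      returnvariable="application.fuseguard">
                <cfinvokeargument name="configurator" value="DefaultConfigurator">
            </cfinvoke>
        </cfif>
    </cflock>
</cfif>

<!--- Run the FuseGuard filters against this request before any CFWheels
      controller code executes. FuseGuard decides what happens to a request
      a filter rejects; an allowed request falls through to normal Wheels
      dispatch. --->
<cfset application.fuseguard.processRequest()>
```

Because events/onrequeststart.cfm runs after Wheels' own request set-up (the point Pete makes above), FuseGuard only sees the request once Wheels has already started handling it, and anything Wheels does with the URL and form scopes before that point is outside the filter's reach; moving the processRequest() call earlier means editing files under wheels/events/, which are replaced when you upgrade Wheels. When a filter rejects a request you get FuseGuard's "Request not allowed" page, which is what Alfredo was seeing with every configurator other than BaseConfigurator. The FuseGuard manager, as Troy notes, wants its own Application.cfc so that it does not run through Wheels.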

Alfredo Baraldi

Dec 28, 2011, 12:19:17 PM
to cfwh...@googlegroups.com
I plan to investigate in the next few days; it is a task that I must carry on because I would buy the component. However, the trial version is encrypted and makes it more difficult to interpret. I will take care to inform you on progress, and if there is news from you, let me know.

-Alfredo

Yannick

Dec 28, 2011, 12:25:51 PM
to cfwh...@googlegroups.com
I was wondering why the interest in this product, since Wheels can handle the important security issues of SQL injection and cross-site scripting.

Thanks for sharing your review.

On Wed, Dec 28, 2011 at 1:19 PM, Alfredo Baraldi <alfredo...@gmail.com> wrote:
> I plan to investigate in the next few days; it is a task that I must carry on because I would buy the component. However, the trial version is encrypted and makes it more difficult to interpret. I will take care to inform you on progress, and if there is news from you, let me know.
>
> -Alfredo


Alfredo Baraldi

Dec 28, 2011, 1:05:48 PM
to cfwh...@googlegroups.com
Wheels versions before 1.0.6 have been attacked, and thanks to the advice of Pete of Foundeo the problem seems solved.
For more information on lilupophilupop:

http://isc.sans.edu/diary.html?storyid=12127#comment

For this reason the interest was created, and also because "lilupophilupop" has destroyed 10GB of data on our MSSQL server.
-Alfredo


2011/12/28 Yannick <bizon...@gmail.com>
> I was wondering why the interest in this product since wheels can handle the important security issue of sql injection and cross-site scripting.

Per Djurner

Dec 28, 2011, 7:26:30 PM
to cfwh...@googlegroups.com
"lilupophilupop destroyed 10GB of data on our server MSSQL"

Just curious, was that through Wheels?

The Wheels ORM uses cfqueryparam which should have protected you :O
Maybe it was through Wheels but on normal cfquery tags (with no cfqueryparam)?

/ Per


Alfredo Baraldi

Dec 29, 2011, 6:55:44 AM
to cfwh...@googlegroups.com
I refer to this post:

http://groups.google.com/group/cfwheels/browse_thread/thread/62bdfb483e50c749/f9309fe45fb39c91?hl=en&lnk=gst&q=foundeo

Could I have misinterpreted the meaning?

-Alfredo

2011/12/29 Per Djurner <per.d...@gmail.com>
> "lilupophilupop destroyed 10GB of data on our server MSSQL"
>
> Just curious, was that through Wheels?

Per Djurner

Dec 29, 2011, 8:01:51 AM
to cfwh...@googlegroups.com
I was just referring to your own situation, you said that 10GB had
been destroyed on your server, right?


Alfredo Baraldi

Dec 29, 2011, 8:29:56 AM
to cfwh...@googlegroups.com
Yes, it's true.


2011/12/29 Per Djurner <per.d...@gmail.com>
> I was just referring to your own situation, you said that 10GB had
> been destroyed on your server, right?

Per Djurner

Dec 29, 2011, 8:46:10 AM
to cfwh...@googlegroups.com
I guess what I'm not understanding is how that could happen through
Wheels given that it always uses cfqueryparam.
Were you able to trace down which type of queries that the attack was made on?


Alfredo Baraldi

Dec 29, 2011, 9:02:21 AM
to cfwh...@googlegroups.com
I use cfqueryparam and then, since I am a tad paranoid, also use sqlSafe.
To be honest, I have not been able to find the query that was attacked. For this reason I am interested in FuseGuard as an additional tool for safety.

<!--- Escapes a string before it is placed in SQL text: doubles every single
      quote and prefixes every % with a backslash. The value is returned from
      inside the cfscript block, so no separate cfreturn is needed. --->
<cffunction name="sqlSafe" access="public" returntype="string" output="false">
    <cfargument name="strVal" type="string" required="true">
    <cfscript>
        var sqlList = "',%";            // characters to replace: ' and %
        var replacementList = "'',\%";  // their replacements: '' and \%
        return trim(replaceList(arguments.strVal, sqlList, replacementList));
    </cfscript>
</cffunction>

Troy Murray

Dec 29, 2011, 9:08:16 AM
to cfwh...@googlegroups.com
Alfredo,

Are there any other applications that connect to this SQL Server database that could have been vulnerable?

What version of CFWheels framework were you running when this occurred?

-t

Troy Murray

Alfredo Baraldi

Dec 29, 2011, 9:47:55 AM
to cfwh...@googlegroups.com
I'm still investigating to see if other applications use the same datasource.
The version was 1.0.1, updated to 1.0.6 today.
-Alfredo


Alfredo Baraldi

Dec 29, 2011, 10:36:46 AM
to cfwh...@googlegroups.com
I'm still investigating to see if other applications use the same datasource. As for the version, it was 1.0.1 and is now 1.0.6.



Don Humphreys

Dec 29, 2011, 12:10:40 PM
to cfwh...@googlegroups.com
Per,

It is true that cfqueryparam is used. But isn't it also true that when a non-standard expression is passed, wheels just runs it as is? And strings from the params are always interpolated into where= regardless of their content. This could potentially be a big security hole if all of that is true, since the wheels regex would never match a hack string.

Don

Sent from my iPhone


Per Djurner

Dec 29, 2011, 2:23:55 PM
to cfwh...@googlegroups.com
I think you're right, Don.
That's certainly something that needs to be looked at.
It should be cfqueryparam or nothing at all in terms of what gets sent
to the database adapter.

Contact me off list if you need any help with it.

/ Per


Donald Humphreys

Dec 29, 2011, 2:37:09 PM
to cfwh...@googlegroups.com
It could possibly be done, although I don't see an obvious solution.
The original idea I'm sure was to give flexibility in query syntax
entered by the user. Unfortunately there is no way to tell in the
model if the where condition was from the programmer or interpolated
before being passed in. The only solution would be to parse the
strings the user provides every time for syntax accuracy. In cfrel,
protection against this problem is a side effect of parsing the
strings for column mapping. However, this is too complex of a method
to be implemented in the core at this time. I will have to think more
about this and how to fix it.
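Don's concern is that a where= string assembled from request data is SQL text the framework has to parse, so cfqueryparam can only cover the literals the parser recognises. The controller below is an added example, not code from the thread or from the CFWheels project: it shows the interpolation pattern he describes next to three ways of keeping the request value out of the SQL text. Assumed for the example: a products table with id and name columns, a hypothetical Products controller, params.key and params.q as the incoming route/query parameters, and the CFWheels 1.x helpers model(), findOne(), findByKey(), renderText() and application.wheels.dataSourceName.

```cfml
<!--- controllers/Products.cfc: hypothetical controller written for this example --->
<cfcomponent extends="Controller" output="false">

    <!--- VULNERABLE PATTERN (the one Don describes): the raw request value is
          spliced into the where= string. With ?key=1 OR 1=1 the string handed
          to the model is "id = 1 OR 1=1". Whatever the where= parser makes of
          that expression, the request data and the SQL are no longer separated.
          Quote-doubling (the sqlSafe idea posted earlier) changes nothing here
          because the payload contains no quote character. --->
    <cffunction name="showUnsafe">
        <cfset product = model("product").findOne(where="id = #params.key#")>
    </cffunction>

    <!--- FIX 1: primary-key lookups go through findByKey(), which binds the
          value with cfqueryparam; the request value never becomes SQL text. --->
    <cffunction name="show">
        <cfset product = model("product").findByKey(params.key)>
        <cfif NOT IsObject(product)>
            <cfset renderText("Not found")>
        </cfif>
    </cffunction>

    <!--- FIX 2: when a where= string is unavoidable, validate the type first
          and splice in only a value you produced. IsNumeric() rejects anything
          that is not a number; Val() then guarantees the SQL text has the
          shape "id = <number>". --->
    <cffunction name="showValidated">
        <cfif NOT IsNumeric(params.key)>
            <cfset renderText("Bad request")>
        <cfelse>
            <cfset product = model("product").findOne(where="id = #Val(params.key)#")>
        </cfif>
    </cffunction>

    <!--- FIX 3: free-text search. Bypass the where= parser entirely and send
          the user input as a bound parameter. % and _ inside the input still
          act as LIKE wildcards; that affects matching, not query structure. --->
    <cffunction name="search">
        <cfparam name="params.q" default="">
        <cfquery name="products" datasource="#application.wheels.dataSourceName#">
            SELECT id, name
            FROM products
            WHERE name LIKE <cfqueryparam cfsqltype="cf_sql_varchar" value="%#params.q#%">
            ORDER BY name
        </cfquery>
    </cffunction>

</cfcomponent>
```

Per's "cfqueryparam or nothing at all" rule is the one to apply when reviewing an existing application: every findAll()/findOne() call whose where= argument contains a # should be checked for what the interpolated variable can contain, and anything that originates in params, url, form or cgi should be moved to one of the three shapes above.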