tracker issue : CF-4126712

Title:

Enhancement Request: OnSecurityBreach Handler for Application.cfc


Status/Resolution/Reason: Closed/Won't Fix/

Reporter/Name(from Bugbase): Travis Walters / Travis Walters (Travis Walters)

Created: 03/09/2016

Components: Security

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha_v12 /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Win All

Vote Count: 1

While most security risks -should- be taken care of during development, it is possible that some may get overlooked even with the new Security Analyzer. Perhaps the programmer is just lazy and just wants to do enough to get by - who knows? 

Anyway, how about we have an option to raise a new event in the Application.cfc file called OnSecurityBreach that could handle attacks of various types? 

For example, if somebody is passing in a URL variable which contains some content like DELETE, INSERT INTO, UPDATE and that URL variable is found within a CFQUERY tag without using CFQUERYPARAM, that is a pretty obvious security threat. It would be extremely nice if we could set up an event handler in the Application.cfc file to handle these circumstances. 

The OnSecurityBreach should have some information passed into it such as the type of security error, some sort of message, etc.

Feel free to expand on this idea if you'd like.
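To make the request concrete, the Application.cfc below is an added illustration and is not code from this tracker entry or from ColdFusion itself: it uses the existing onRequestStart event to approximate the proposed handler. The application name, the keyword list, the log file name and the onSecurityBreach method are all assumptions; ColdFusion exposes no event of that name. The keyword scan is a heuristic that will also flag legitimate input containing words like UPDATE, and it cannot tell whether a value actually reaches a cfquery tag without cfqueryparam, which is why the real fix remains parameterised queries.

```cfml
// Application.cfc (added example, not part of the tracker entry or of ColdFusion)
component {

    this.name = "SecurityBreachDemo";   // assumed application name

    // SQL fragments whose presence in a URL/FORM value is treated as a suspected
    // injection attempt. Heuristic only: a search for the word "update" also matches.
    variables.suspiciousPatterns = [
        "\bDELETE\s+FROM\b",
        "\bINSERT\s+INTO\b",
        "\bUPDATE\s+\w+\s+SET\b",
        "\bDROP\s+TABLE\b",
        "\bUNION\s+(ALL\s+)?SELECT\b"
    ];

    // Existing ColdFusion event: runs before every request. Scans the URL and FORM
    // scopes and, on a match, dispatches to the hypothetical onSecurityBreach method.
    public boolean function onRequestStart(required string targetPage) {
        for (var scopeName in ["url", "form"]) {
            var scopeRef = (scopeName == "url") ? url : form;
            for (var key in scopeRef) {
                if (key == "fieldnames") continue;   // FORM bookkeeping field, not user data
                var matched = findSuspiciousPattern(toString(scopeRef[key]));
                if (len(matched)) {
                    onSecurityBreach(
                        "sql-injection-suspected",
                        "Suspicious SQL fragment in #scopeName#.#key#",
                        { scope = scopeName, key = key, pattern = matched }
                    );
                    return false;   // abort the request; targetPage never runs
                }
            }
        }
        return true;
    }

    // Returns the first matching pattern (case-insensitive), or an empty string.
    public string function findSuspiciousPattern(required string value) {
        for (var pattern in variables.suspiciousPatterns) {
            if (reFindNoCase(pattern, value)) return pattern;
        }
        return "";
    }

    // The handler the feature request asks ColdFusion to raise; here an ordinary
    // method called from onRequestStart. Arguments mirror the request: a type,
    // a message and a detail struct. Logs to logs/security.log and rejects the request.
    public void function onSecurityBreach(
        required string type,
        required string message,
        struct detail = {}
    ) {
        writeLog(
            type = "Warning",
            file = "security",   // assumed log file name
            text = "#type#: #message# #serializeJSON(detail)#"
        );
        cfheader(statusCode = 400, statusText = "Bad Request");
        writeOutput("Request rejected.");
    }
}
```

With this Application.cfc in place, a request such as index.cfm?id=1;DELETE FROM users writes one line to the security log and returns HTTP 400 before index.cfm executes; a request whose parameters contain none of the listed fragments passes through unchanged.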

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126712

External Customer Info:
External Company:  
External Customer Name: Travis Walters
External Customer Email: TWALTERS84@HOTMAIL.COM
External Test Config:

Attachments:

Comments:

Adding BUG AUDIT TRAIL ********
action: updated fieldName: State newValue: Closed oldValue: Open oprid: vmannebo recordName: RQ_DEFECT timestamp: 2015-09-08 09:17:39.0
action: updated fieldName: Closed By newValue: vmannebo oldValue: Blank oprid: vmannebo recordName: RQ_DEFECT timestamp: 2015-09-08 09:17:39.0
action: updated fieldName: Owner newValue: Blank oldValue: rukumar oprid: vmannebo recordName: RQ_DEFECT timestamp: 2015-09-08 09:17:39.0
action: updated fieldName: Reason newValue: Blank oldValue: Blank oprid: vmannebo recordName: RQ_DEFECT timestamp: 2015-09-08 09:17:39.0
action: updated fieldName: Date Closed newValue: 2015-09-08 02:17:38.0 oldValue: Blank oprid: vmannebo recordName: RQ_DEFECT timestamp: 2015-09-08 09:17:39.0
action: updated fieldName: Status newValue: NeverFix oldValue: NeedsReview oprid: vmannebo recordName: RQ_DEFECT timestamp: 2015-09-08 09:17:39.0
action: updated fieldName: Owner newValue: rukumar oldValue: preethi oprid: preethi recordName: RQ_DEFECT timestamp: 2015-07-31 05:41:38.0
action: updated fieldName: Reason newValue: Blank oldValue: Blank oprid: preethi recordName: RQ_DEFECT timestamp: 2015-07-31 05:41:38.0
action: updated fieldName: Status newValue: NeedsReview oldValue: Unverified oprid: preethi recordName: RQ_DEFECT timestamp: 2015-07-31 05:41:38.0
action: updated fieldName: Dev Assigned newValue: rakshith oldValue: sanniset oprid: preethi recordName: RQ_DEFECT timestamp: 2015-07-31 05:41:38.0
Comment by CFwatson U.
3428 | March 09, 2016 04:44:45 AM GMT
Added By: vmannebo Note Added: It will not be possible to detect a breach, so such a handler will not be possible. Date Added: 2015-09-08 09:17:39.0
Added By: PreRelease User User Name: Travis Walters Note Added: Entered Feature. Date Added: 2015-07-15 11:38:15.0
Comment by CFwatson U.
3429 | March 09, 2016 04:44:46 AM GMT