I don't think anyone can predict whether or not your server security will be
compromised in the next month.

-----Original Message-----
From: freddy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 12, 2001 8:18 AM
To: CF-Talk
Subject: Re: Important ColdFusion Security Patch Released Today


I have a fairly unique situation here. Our CF server has very limited access
rights. It cannot write any files at all anywhere on our servers. In this case
how would it be possible to exploit the security hole? We have a subscription
to CF and are going to be upgrading ASAP but are currently in the process of a
complete site personalization rollout that will:
A: Put a much heavier load on the CF server than it already has. So adding a
possible 8% reduction in performance is not an option.
B: Not allow me to upgrade until it has been found to be working well enough
in the current environment.

I would like to wait till I can upgrade to 5.0 (about a month) before doing
anything... does this sound safe?
Thanks,
 Frederic

Debbie Dickerson wrote:

> Michael,
>
> Your issue sounds more like a known bug with Studio. It was related to
> version Studio 4.5.0, and a hotfix was created for it. The fix is in the
> knowledge base at
> http://www.allaire.com/Handlers/index.cfm?ID=13852&Method=Full
>
> Debbie
> Macromedia
>
> -----Original Message-----
> From: Jackson Moore [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 12, 2001 8:40 AM
> To: CF-Talk
> Subject: Re: Important ColdFusion Security Patch Released Today
>
> Michael
>
> I don't know if it is related, but I (and a few other developers I
> know) have had the "0 byte file" issue hit us.  Here was the
> scenario:
>
> Edit a .cfm file in CF Studio.  Save file in CF Studio.  Refresh
> browser to verify updates.  Very, very seldom, we get an error from
> the CF Server that it can not read files that are 0 bytes in size.
> If I go back to studio, the file is still there.  However, if I close
> the file (won't get prompted to save since it was already saved), the
> file is lost and I have to restore from a backup.
>
> You can imagine that the first time this showed up, everyone thought
> I was crazy and told me I had just accidentally overwritten the file
> myself with an empty file.  These guys let me hear about it for
> weeks!
>
>  Then a few weeks later it happened again.  At first we blamed it on
> studio, then we blamed it on the network.  Then it happened to
> another developer.  You can imagine my relief (vindicated!) when I
> wasn't the only one who had been bit by this.
>
> Without more details from MM, I can't know for sure if this is the
> same issue addressed by their recent patch, but if it is, that means
> that CF Server was overwriting the file with a 0 byte file after I
> had successfully saved it from studio.
>
> Any thoughts?
>
> Jackson Moore
> [EMAIL PROTECTED]
>
> On Wed, 11 Jul 2001 15:35:45 -0400, Michael Dinowitz wrote:
> >Without going into details on my investigations yet, does anyone know of
> >anyone being attacked by this hole? Has anyone found their documents either
> >deleted or replaced with a 0 byte file? If so, please contact me. I think I
> >know what the hole is and just need some extra 'leg work'.
> >
> >
> >>
> >> From: "Howie Hamlin" <[EMAIL PROTECTED]>
> >>
> >> >> 2) the nature of the security problem - obviously MM is going for
> >> >> security-thru-obscurity and is not going to describe the exact problem, but
> >> >> some clue as to the possible effects, how to tell if the weakness has been
> >> >> taken advantage of, etc would be helpful
> >> >>
> >> >
> >> >No idea...in a way it's better that they don't point out the vulnerability.
> >>
> >> And in a way it is far worse - since while we are 'closing the door' on
> >> a bug, without more details, how can we tell if someone has taken advantage
> >> of that open door on our system?
> >> --
> >> Never apply a Star Trek solution to a Babylon 5 problem.
> >> Larry W. Virden <mailto:[EMAIL PROTECTED]> <URL: http://www.purl.org/NET/lvirden/>
> >> Even if explicitly stated to the contrary, nothing in this posting should
> >> be construed as representing my employer's opinions.
> >> -><-
> >>
> >>
> >
>
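The thread's practical question is how to tell whether .cfm documents have been deleted or replaced with a 0 byte file. The following script is an added example, not code from any poster or from Macromedia: it records a baseline manifest (size and SHA-256) of the .cfm files under a web root and then reports files that became empty, disappeared, or changed content since that baseline. The web root, file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Walk root and record (size, sha256) for every .cfm file, keyed by relative path."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".cfm"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def find_clobbered(baseline, current):
    """Compare two manifests: files truncated to 0 bytes, deleted, or otherwise modified."""
    zeroed = sorted(p for p, (size, _) in current.items()
                    if size == 0 and baseline.get(p, (1, None))[0] > 0)
    missing = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p, (size, digest) in current.items()
                     if size > 0 and p in baseline and baseline[p][1] != digest)
    return {"zeroed": zeroed, "missing": missing, "changed": changed}


def demo():
    """Constructed web root: one file truncated, one deleted, one edited, one non-.cfm ignored."""
    root = tempfile.mkdtemp()
    files = {"index.cfm": b"<cfoutput>hi</cfoutput>", "app/login.cfm": b"<cfset x=1>",
             "app/about.cfm": b"<p>about</p>", "readme.txt": b"not cf"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    baseline = build_manifest(root)  # snapshot taken while files are known good
    open(os.path.join(root, "index.cfm"), "wb").close()  # truncated to 0 bytes
    os.remove(os.path.join(root, "app/about.cfm"))  # deleted outright
    with open(os.path.join(root, "app/login.cfm"), "wb") as fh:
        fh.write(b"<cfset x=2>")  # legitimate edit, reported separately
    return find_clobbered(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Run `build_manifest` against the real web root before the patch window and store the result; rerunning the comparison on a schedule turns the "0 byte file" symptom into an alert rather than a surprise at the next browser refresh.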

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/