At the moment, if you use GetPageContext().include() on a JSP on my
SmarterLinux server you get a null pointer exception.
Regardless, 2 is the case and the code will run in the CF security
context of the calling page. The CF sandboxing takes over in this case.
Anyone can verify this on their own
I thought I posted this the other day, but it didn't update for some reason.
Here it is again:
Never let it be said that HostMySite.com doesn't listen to its customers.
After much work we've been able to find a fix for the security issue that
allows safe execution of JSP and CF.
On our
James,
Can you send me an email ([EMAIL PROTECTED]) with your domain name? I'll
check on your server and see if it's misbehaving, and if so get it locked down
by the end of the day.
Well, this isn't the case on my SmarterLinux server. I can still browse,
download and view every file on the
Jochem,
Can you email me offlist with what you're interested in? [EMAIL PROTECTED]
Thanks!
So, security in a shared hosting environment isn't exactly a myth,
it just takes a little more work and flexibility. If anyone needs a
more technical explanation of what we did, please let me
Ok somehow I doubled the thread and made two. Sorry!
I thought I posted this the other day, but it didn't update for some
reason. Here it is again:
~|
Logware (www.logware.us): a new and convenient web-based time
We actually run two J2EE environments - JRun and Resin.
While JRun does handle the Java processing for ColdFusion,
Resin handles the requests for JSP pages and servlets.
What happens if you use getPageContext.include() from within a CFML page to
invoke a JSP page directly?
Good
dev server (as I have just done).
Since the server is sandboxed this is perfectly acceptable.
-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Saturday, 4 June 2005 3:11
To: CF-Talk
Subject: RE: Shared CF Host security
We actually run two J2EE environments - JRun
Don't ever let it be said that we don't listen to the voices of our clients.
:-) We've implemented a fix for this security issue that spans all of our
Linux servers running ColdFusion. Here's a synopsis from one of the techs
involved in implementing the change:
We actually run two J2EE
Don't ever let it be said that we don't listen to the voices of our
clients. :-)
and Jamie you are from what company?? ;-)
Bryan Stevenson B.Comm.
VP Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL
Jamie Price wrote:
We actually run two J2EE environments - JRun and Resin. While JRun does
handle the Java processing for ColdFusion, Resin handles the requests for JSP
pages and servlets.
Java implements a security policy system that can prevent access. We have
implemented security
We actually run two J2EE environments - JRun and Resin.
While JRun does handle the Java processing for ColdFusion,
Resin handles the requests for JSP pages and servlets.
What happens if you use getPageContext.include() from within a CFML page to
invoke a JSP page directly?
Dave Watts, CTO,
Thanks for the post, Jamie. I actually have a SmarterLinux hosting
acct with you guys that runs my last-ditch server monitor for my
dedicated boxes. Not exactly top secret code but it's nice to see you
guys make this effort, especially given how rare such effort is these
days.
From: Matt Robertson [EMAIL PROTECTED]
Sent: Thursday, June 02, 2005 7:06 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: Re: Shared CF Host security
Thanks for the post, Jamie. I actually have a SmarterLinux hosting
acct with you guys that runs my last-ditch server monitor for my
dedicated boxes
[mailto:[EMAIL PROTECTED]
Sent: Friday, 3 June 2005 7:04
To: CF-Talk
Subject: Re: Shared CF Host security
Thanks for the post, Jamie. I actually have a SmarterLinux hosting acct
with you guys that runs my last-ditch server monitor for my dedicated
boxes. Not exactly top secret code but it's nice
Well, this isn't the case on my SmarterLinux server. I can still browse,
download and view every file on the server using JSP.
-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 June 2005 6:06
To: CF-Talk
Subject: Re: Shared CF Host security
Don't ever let
: Thursday, June 02, 2005 11:01 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security
Well, this isn't the case on my SmarterLinux server. I can still browse,
download and view every file on the server using JSP.
-Original Message-
From: Jamie Price [mailto:[EMAIL
Jamie Price wrote:
CFObject is insecure in v5.0
Correct.
but with the advent of sandboxes I believe it was deemed safe in MX versions.
If you believe I'm mistaken on that point please let me know.
I believe you are mistaken. If you allow cfobject, users can
enumerate applications and
security for users and allows CF to
continue to run. I suspect that this will be as hard to maintain as
other solutions, but if you can do it then great.
-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 12:35
To: CF-Talk
Subject: RE: Shared CF Host
On 5/19/05, Jochem van Dieten [EMAIL PROTECTED] wrote:
You will want to disable Java and COM. With CF 6.1 that means you
need to disable all object access, with CF 7 you can disable just
Java and COM.
There is currently a bug in CFMX7 sandboxing in that if you disable
COM it also
Ah sweet UNIX - no worry about COM, sandbox or not.
-Original Message-
From: Andy Allan [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 4:33
To: CF-Talk
Subject: Re: Shared CF Host security
On 5/19/05, Jochem van Dieten [EMAIL PROTECTED] wrote:
You will want to disable Java
I would definitely entertain using sandbox security to limit the database
access, I trust that you're already using it to limit cffile access?
On 5/18/05 10:10 PM, Jamie Price [EMAIL PROTECTED] wrote:
At this point in the discussion I'd like to invite anyone who knows of a
shared host WITH A
)
and others with the more relaxed JSP option, you take care of both sets
of needs and I stop whining like a child.
-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 10:11
To: CF-Talk
Subject: RE: Shared CF Host security
At this point
Andy Allan wrote:
On 5/19/05, Jochem van Dieten [EMAIL PROTECTED] wrote:
You will want to disable Java and COM. With CF 6.1 that means you
need to disable all object access, with CF 7 you can disable just
Java and COM.
There is currently a bug in CFMX7 sandboxing in that if you disable
It's not that bad - you can still instantiate a CFC by using CFINVOKE on
a component that returns THIS. You just lose Java and COM.
-Original Message-
From: Calvin Ward [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 6:43
To: CF-Talk
Subject: Re: Shared CF Host security
The items
You will want to disable Java and COM. With CF 6.1 that means you
need to disable all object access, with CF 7 you can disable just
Java and COM.
Are you referring to simply disabling the createobject(Java) and
createobject(COM) CFML functions?
You could delete the JIntegra directory from the harddisk,
presumably that disables COM too :)
Actually, I'm not sure that would disable COM from CF. The stuff in that
directory consists mainly of helper and diagnostic applications. I suspect
you'd have to delete the jintegra.jar file within
I'm trying to test one of the scripts provided to me by Dave in a Windows
environ but I'm getting this error:
500 Translator.WrongCase/buddman/jspbrowser/browser.jspbrowser.jspBrowser.jsp
Translator.WrongCase/buddman/jspbrowser/browser.jspbrowser.jspBrowser.jsp
Can anyone tell me how to make
forget I said that - I figured it out. :-)
this thread will only benefit us all.
~Dave the disruptor~
From: Jamie Price [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 4:04 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security
I'm trying to test one of the scripts provided
Excellent idea Dave
-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 6:07 PM
To: CF-Talk
Subject: RE: Shared CF Host security
Mike D.
At this point I might make a suggestion that you completely delete this
thread before it gets googled.
We know
At this point I might make a suggestion that you completely
delete this thread before it gets googled.
We know about the problem and a solution is being
vigorously sought after but I see no point in having every
hacker online alerted to this until a solution is found.
IMO, removing
: Wednesday, 18 May 2005 1:07
To: CF-Talk
Subject: Re: Shared CF Host security
So what exactly is the security issue? Username/password set in the
datasource? Full access to the file system?
James Holmes wrote:
A reasonable attempt at security would entail disabling JSP, disabling
CFOBJECT/createObject() and sandboxing datasources and files.
Or just sandboxing files and not setting datasource passwords in
the administrator.
Jochem
-Talk
Subject: Re: Shared CF Host security
James Holmes wrote:
A reasonable attempt at security would entail disabling JSP, disabling
CFOBJECT/createObject() and sandboxing datasources and files.
Or just sandboxing files and not setting datasource passwords in the
administrator.
Jochem
Has anyone approached Crystaltech or Host My Site directly about this
problem?
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 4:10 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Quite right, with properly configured local accounts
Two of us have approached HMS so far and I got the usual rubbish about
it's shared hosting so tough. They aren't going to fix it.
-Original Message-
From: Tim Laureska [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 5:39
To: CF-Talk
Subject: RE: Shared CF Host security
Has
Very comforting ... I'm sure CT would have a similar response maybe
it's time to get a dedicated box
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 5:56 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Two of us have approached HMS so
Forget VPS? What could possibly make you say that?
VPS Accounts are *awesome*. VPS is the kind of hosting that I would want
as a developer if we didn't already offer it ourselves. And with prices
starting at $18 per month (the same price as most starter shared hosting
accounts) and the
Why would you not implement sandboxing? Seems there would be NO reason for
a hosting provider to not use it.
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 1:10 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Quite right
: Wednesday, May 18, 2005 2:39 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Has anyone approached Crystaltech or Host My Site directly about this
problem?
~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble
General laziness I guess, since that's what I'm experiencing right
now...
-Original Message-
From: Connie DeCinko [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 11:30
To: CF-Talk
Subject: RE: Shared CF Host security
Why would you not implement sandboxing? Seems there would
PROTECTED]
Sent: Wednesday, 18 May 2005 11:28
To: CF-Talk
Subject: Re: Shared CF Host security
Forget VPS? What could possibly make you say that?
VPS Accounts are *awesome*. VPS is the kind of hosting that I would want
as a developer if we didn't already offer it ourselves. And with prices
starting
And I thought HMS was the end-all, beat-all of shared hosting??? Is that
smoke I smell behind me?
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 2:56 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Two of us have approached HMS so
Time for a dedicated box?
-Original Message-
From: Connie DeCinko [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 11:34 AM
To: CF-Talk
Subject: RE: Shared CF Host security
All of my attempts with CT have fallen on deaf ears. They just keep
repeating that they checked all
: Shared CF Host security
Time for a dedicated box?
Message-
From: Tim Laureska [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 8:54 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Time for a dedicated box?
Speaking of CrystalTech, they have Windows *servers* for $80 monthly.
Anyone taken one of those on? Seems like a perfect mail server, and
if you add in BD instead and just don't use the mail server software
they give to you (which is good stuff BTW), it's a cheapie CF server,
if your code can
You might as well look at other companies too, if you start looking at
dedicated servers:
http://www.serverbeach.com/
http://www.ev1servers.net/
Etc.
--
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include stdjoke.h
Serverbeach is a spammers haven.
-Original Message-
From: Damien McKenna [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 11:33 AM
To: CF-Talk
Subject: RE: Shared CF Host security
You might as well look at other companies too, if you start looking at
dedicated servers:
http
Connie DeCinko wrote:
Serverbeach is a spammers haven.
They were such a nuisance there is a separate DSBL dedicated
exclusively to Serverbeach: serverbeach.blackholes.us
Verifying the position of an ISP / hoster on spam is very
important if you care about your email reaching the recipient.
everyone on the server can read the code so I'm
screwed no matter what I do.
Do you mean any other customer on the same host?
You don't even have a protected area with FTP access?
I would say this is not even a host, this is like sleeping in the street.
--
I got $10 that says it's the same on your server Claude.
~Dave the disruptor~
From: Claude Schneegans [EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 5:28 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: Re: Shared CF Host security
everyone
Dave... is the only way to beat this to get a dedicated box?... at least
if you're with CT or HMS
Tim
-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 6:54 PM
To: CF-Talk
Subject: Re: Shared CF Host security
I got $10 that says it's the same on your
to try it and see.
~Dave the disruptor~
From: Tim Laureska [EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 7:12 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security
Dave... is the only way to beat this to get a dedicated box
who has their own box to try it and see.
~Dave the disruptor~
From: Tim Laureska [EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 7:12 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security
Dave... is the only way to beat this to get
Yep, I sent that article to HMS and their response was Disabling JSP is
not an option. Fantastic, basic security is not an option.
-Original Message-
From: Joel Nath [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 9:08
To: CF-Talk
Subject: RE: Shared CF Host security
Hi guys
11:21
To: CF-Talk
Subject: Re: Shared CF Host security
everyone on the server can read the code so I'm
screwed no matter what I do.
Do you mean any other customer on the same host?
You don't even have a protected area with FTP access?
I would say this is not even a host, this is like sleeping
@houseoffusion.com
Subject: RE: Shared CF Host security
Yep, I sent that article to HMS and their response was Disabling JSP is
not an option. Fantastic, basic security is not an option.
-Original Message-
From: Joel Nath [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 9:08
To: CF
[mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 9:25
To: CF-Talk
Subject: RE: Shared CF Host security
I would imagine that they should be using a separate instance of jsp and
not cfm's jsp for those on jsp.
That makes no sense huh?? haha
~Dave the disruptor
At this point in the discussion I'd like to invite anyone who knows of a
shared host WITH A CLUE to give us all their details...
At this point in the discussion I'd like to invite anyone who knows of a
shared host WITH A CLUE to give us all their details...
Dave alerted me to this thread and the problem with CFMX + JSP just today, so
I'm going to be investigating this as well on the HMS end. I can tell you that
the
with the more relaxed JSP option, you take care of both sets
of needs and I stop whining like a child.
-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 10:11
To: CF-Talk
Subject: RE: Shared CF Host security
At this point in the discussion I'd like
I have to say I've had great luck with serverbeach - myself and a few
others chipped in and got ourselves a fairly high-end server at an end
cost to me of under $50/month.
Only catch was that we had to cough up for software licenses.
On 5/18/05, Damien McKenna [EMAIL PROTECTED] wrote:
You might
But with JSP enabled I am broadcasting my username and password to
everyone on the server, as they can read my code.
Right - I was just trying to clarify that there were two separate issues at
hand there. The JSP one is definitely an issue; datasources on the other hand
run more to
Hi James,
There was a lengthy thread about this a few weeks ago, the archive has it at:
http://www.houseoffusion.com/cf_lists/messages.cfm/forumid:4/threadid:39776
Have a good one,
Joe
On 5/17/05, James Holmes [EMAIL PROTECTED] wrote:
While security can never be perfect in a shared hosting
shared hosting,
you're
not paying for security or safety, and any that you get is simply a
happy
coincidence.
Ain't that the truth.
-Original Message-
From: Joe Rinehart [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 9:14
To: CF-Talk
Subject: Re: Shared CF Host security
Hi James
,
you're
not paying for security or safety, and any that you get is simply a
happy
coincidence.
Ain't that the truth.
-Original Message-
From: Joe Rinehart [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 9:14
To: CF-Talk
Subject: Re: Shared CF Host security
Hi James
that wouldn't work because you can see the tags
~Dave the disruptor~
From: Joe Rinehart [EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 9:37 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: Re: Shared CF Host security
Aye, good advice.
Having used
Yes, that's my problem - everyone on the server can read the code so I'm
screwed no matter what I do.
-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 9:45
To: CF-Talk
Subject: Re: Shared CF Host security
that wouldn't work because you can see
what I do.
-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 9:45
To: CF-Talk
Subject: Re: Shared CF Host security
that wouldn't work because you can see the tags
~Dave the disruptor~
From: Joe
Since the host is HostMySite (Smarterlinux actually, but same deal) I
would have expected more, but I'm inclined to agree with you.
-Original Message-
From: Joe Rinehart [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 10:28
To: CF-Talk
Subject: Re: Shared CF Host security
Wow
I guess I'm trying to understand how your host can be so sloppy. I don't
recall ever being on a shared hosting environment that had that problem.
Forget VPS, get yourself a new host.
Rey..
James Holmes wrote:
While security can never be perfect in a shared hosting environment, am
I expecting
PROTECTED]
Sent: Tuesday, May 17, 2005 10:33 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security
Since the host is HostMySite (Smarterlinux actually, but same deal) I
would have expected more, but I'm inclined to agree with you.
-Original Message-
From: Joe Rinehart
you wanna try this on your host and see what happens?
~Dave the disruptor~
From: Rey Bango [EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 10:34 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: Re: Shared CF Host security
I guess I'm trying
@houseoffusion.com
Subject: Re: Shared CF Host security
I guess I'm trying to understand how your host can be so sloppy. I don't
recall ever being on a shared hosting environment that had that problem.
Forget VPS, get yourself a new host.
Rey..
James Holmes wrote:
While security can never
sent off list
~Dave the disruptor~
From: Rey Bango [EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 10:51 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: Re: Shared CF Host security
Try what Dave? You have an example? I'd be glad to.
Rey...
dave wrote
btw~
I was wrong on this thread and publicly I would like to apologize to James
for thinking he was being wacko :)
But again, if my disruptor wouldn't have gone off this might have gotten
passed over.
Again, James I'm sorry I doubted you and will never do so again ;)~
~Dave the
No need for apologies - I wouldn't have believed a host could be so lazy
either. I am wrong occasionally, you know (just not this time :-)
-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 11:04
To: CF-Talk
Subject: Re: Shared CF Host security
btw
Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 10:51
To: CF-Talk
Subject: Re: Shared CF Host security
Try what Dave? You have an example? I'd be glad to.
Rey...
dave wrote:
you wanna try this on your host and see what happens?
~Dave the disruptor
in the url)
-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 10:51
To: CF-Talk
Subject: Re: Shared CF Host security
Try what Dave? You have an example? I'd be glad to.
Rey...
dave wrote:
you wanna try this on your host and see what happens
So what exactly is the security issue? Username/password set in the
datasource? Full access to the file system?
- Original Message -
From: James Holmes [EMAIL PROTECTED]
To: CF-Talk cf-talk@houseoffusion.com
Sent: Tuesday, May 17, 2005 10:29 PM
Subject: RE: Shared CF Host security