Yes, very malicious things can be done using console tools, especially if
you have CF running under the System account. That said, you can limit
access via a number of methods. First off, trust no one :) Seriously,
especially in development environments it is SO easy for a developer or
admin to accidentally create a backdoor to escalated permissions or
sensitive data. I would run CF under a non-System account, enable advanced
security in CF, and tweak your NT ACLs so that whatever console tool you
choose to use is severely limited in where it can go and what it can do. As
far as I know, there is no way of limiting what executables can be accessed
via the console except by individually limiting access to the executables or
directories for the particular account.
Steve
-----Original Message-----
From: Nicole R. Lane [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 03, 2000 6:41 PM
To: [EMAIL PROTECTED]
Subject: Executing DOS command & Security
Hello:
I need to execute a DOS command from within ColdFusion. After looking
over the archives, it seems like I have 3 possible solutions:
CFEXECUTE (if I upgrade to 4.5),
CFX_ShellExec, and
CFX_ConsoleCommand
Can someone enlighten me as to the security risks involved with each and
the pros vs cons? Would it be possible for someone to maliciously
execute a "FORMAT" of the server hard drive using any of the above
options?
Thanks,
Nicole