Jamie Price wrote:
> > CFObject is insecure in v5.0

Correct.

> but with the advent of sandboxes I believe it was deemed safe in MX versions.
> If you believe I'm mistaken on that point please let me know.

I believe you are mistaken. If you allow cfobject, users can enumerate
applications and sessions, access the CF Administrator and who knows what
else:
http://tech.badpen.com/index.cfm?mode=entry&entry=3
http://spike.oli.tudelft.nl/jochemd/index.cfm?PageID=12

You will want to disable Java and COM. With CF 6.1 that means you need to
disable all object access; with CF 7 you can disable just Java and COM.

> Sandboxing isn't quite as simple as you make it out to be - it's not enough
> to simply have access restricted to the webroot. You also need to implement
> a host of other directories that CF needs access to for various reasons.
> Here's an example from one of our servers running MX 7.0
>
> c:\websites\DOMAIN_NAME\                                              Read,Write,Execute,Delete
> c:\websites\DOMAIN_NAME\-                                             Read,Write,Execute,Delete
> c:\cfusionmx7\lib\updates                                             Read
> c:\cfusionmx7\lib\updates\-                                           Read
> c:\cfusionmx7\lib\cfxneo.dll                                          Read
> c:\cfusionmx7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp   Read
> c:\cfusionmx7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\- Read
> c:\cfusionmx7\customtags\                                             Read,Execute
> c:\cfusionmx7\customtags\-                                            Read,Execute
> c:\cfusionmx7\cfx\                                                    Read
> c:\cfusionmx7\cfx\-                                                   Read
> c:\cfusionmx7\wwwroot\cfide                                           Read
> c:\cfusionmx7\wwwroot\cfide\-                                         Read
> c:\CFusionMX7\lib\vadmin.jar                                          Read
> c:\CFusionMX7\lib\verity.jar                                          Read

I don't see the objection against running c:\cfusionmx7 as Read. (But I do
protect jvm.config against change using Windows ACLs.)
Jochem
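Jochem mentions protecting jvm.config with Windows ACLs but does not show how. The script below is an added example, not code from the post or from the ColdFusion product: it strips inherited permissions from jvm.config, grants the ColdFusion service account read-only access, and then verifies that no write, delete or permission-change right survives. The install path C:\CFusionMX7\runtime\bin\jvm.config and the service account name "cfservice" are assumptions; substitute the values from your own server.

```powershell
# Added example (not from the original post). Make jvm.config read-only for the
# account ColdFusion runs under, then verify the result.
# ASSUMPTIONS: CF MX 7 server install in C:\CFusionMX7 and a local service
# account named 'cfservice'. Both are hypothetical; adjust for your server.
$jvmConfig = 'C:\CFusionMX7\runtime\bin\jvm.config'
$cfAccount = 'cfservice'

$acl = Get-Acl -Path $jvmConfig

# Stop inheriting from the parent directory, otherwise a permissive ACL on
# C:\CFusionMX7 can silently hand write access back to the service account.
$acl.SetAccessRuleProtection($true, $false)

# Drop every explicit rule the service account already has on the file.
foreach ($rule in @($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$cfAccount" })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Helper: build an Allow rule for one identity.
function New-AllowRule([string]$who, [string]$rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($who, $rights, 'Allow')
}

# Administrators and SYSTEM keep full control so patching remains possible;
# the CF service account only gets ReadAndExecute.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-AllowRule $cfAccount               'ReadAndExecute'))
Set-Acl -Path $jvmConfig -AclObject $acl

# Verify: any right that lets the service account change the file, its
# permissions or its owner means the hardening failed.
$dangerous = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$leftover = (Get-Acl -Path $jvmConfig).Access | Where-Object {
    $_.IdentityReference.Value -like "*\$cfAccount" -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $dangerous) -ne 0)
}
if ($leftover) {
    throw "$cfAccount still holds modify rights on $jvmConfig: $($leftover.FileSystemRights)"
}
Write-Host "$jvmConfig is read-only for $cfAccount"
```

Run it from an elevated PowerShell session as an administrator (the service account itself must not be able to run it, or the protection is pointless). The verification step matters because Set-Acl does not fail when a rule you removed is re-added through inheritance; checking the effective rules afterwards catches that.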

