> Are you talking about permissions here? Disk permissions or
> some type of IIS permissions? In any case, if you are running
> Windows, most services run under a system account (although
> this has changed in Windows 2003), and the system account
> usually has access to execute in any directory. So if you
> buffer overrun the service, then you can execute the files
> wherever they are. Even if it's Linux, you can probably run
> a chmod on the files beforehand, and then execute, so
> permissions are not going to help you much...

This is why it's so important not to run CF or similar services as SYSTEM. If I can run unauthorized code on your machine as SYSTEM, it's not your machine any more - it's mine. Filesystem access is irrelevant at that point.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
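
An added example, not part of the original message or the list archive: a PowerShell audit that lists every Windows service whose logon account is SYSTEM and puts application-server services first, so they can be moved to a dedicated low-privilege account. The `$AppPattern` value is an assumption about how the ColdFusion service is named on a given host; adjust it to match the installed services.

```powershell
# Added example: find services that log on as SYSTEM and flag application servers.
# $AppPattern is an assumed name pattern, not a value taken from the thread.
$AppPattern = 'ColdFusion'

# Win32_Service.StartName holds the logon account; built-in SYSTEM appears as 'LocalSystem'.
$systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

$report = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($systemAccounts -contains $_.StartName) } |
    ForEach-Object {
        [pscustomobject]@{
            # True when the service name or display name matches the assumed pattern
            AppServer   = ($_.Name -match $AppPattern) -or ($_.DisplayName -match $AppPattern)
            Name        = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State
            StartMode   = $_.StartMode
            LogonAs     = $_.StartName
            BinaryPath  = $_.PathName
        }
    } |
    Sort-Object -Property @{ Expression = 'AppServer'; Descending = $true }, Name

# Matching application servers are listed first; anything flagged here runs with
# full control of the host if its process is compromised.
$report | Format-Table -AutoSize -Wrap

$flagged = @($report | Where-Object { $_.AppServer })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} service(s) matching '{1}' log on as SYSTEM." -f $flagged.Count, $AppPattern)
}
```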

