> -----Original Message-----
> From: Adkins, Randy [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 07, 2005 9:09 AM
> To: CF-Talk
> Subject: RE: ColdFusion Security Holes - Best Practices
>
> Anyone can get the IP Address of the server, simply ping the domain
> name.
That's only true if it's configured like that. In many enterprise environments public servers are only accessed via appliances (load balancers, site selectors, etc.). These appliances allow "ping" but the servers do not. For example, ping "www.nefapps.nefn.com" - you'll get the IP address (and name) of the load balancer but not the address of the server itself (actually there are several servers, but you get the point). The ping doesn't complete because the ping port is firewall-blocked: you get the DNS lookup but never actually get to the server.

Regardless, CF is completely "securable" (at least as much as anything else in its class). But it does take some knowledge - which is why so many CF sites are insecure. MM could address this at install (or later) with a "lockdown" script of sorts which would place a dummy server-wide error handler, disable debugging and error output, eliminate the sample code and so forth.

In fact WE could do that as a community using the Administrator API... a script which could be run to set secure CF admin settings (debugging, RDS, error handling, etc.), check for security-related patches and so forth.

Another good idea I'll never do anything with. ;^)

Jim Davis
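A sketch of the "lockdown" script Jim describes, written as an added example for this archive; it is not Jim Davis's code and not anything Macromedia shipped. It uses the ColdFusion Administrator API components (`cfide.adminapi.administrator`, `debugging`, `runtime`, `security`) to report and then correct the settings he lists. The property names marked ASSUMED, the error template path, the password placeholder and the decision to disable RDS through the API rather than in `web.xml` are all assumptions to check against the Admin API documentation for your CF version.

```cfml
<!---
  lockdown.cfm (added example; not the poster's or Macromedia's code).
  Runs the Admin API checks Jim describes: debugging output, site-wide
  error handler, RDS, and a patch-level reminder. Names marked ASSUMED
  must be verified against the Admin API docs for your CF version.
--->
<cfscript>
    // Placeholders: supply the real Administrator password and a real
    // error template before running. Never leave these in source control.
    adminPassword = "ADMIN-PASSWORD-PLACEHOLDER";
    errorTemplate = "/errorhandler/sitewide.cfm";  // ASSUMED path
    report = [];

    // Log in once; each cfide.adminapi component checks this session.
    admin = createObject("component", "cfide.adminapi.administrator");
    admin.login(adminPassword);

    // --- 1. Debugging output must be OFF on a public server ----------
    dbg = createObject("component", "cfide.adminapi.debugging");
    debugOn = dbg.getDebugProperty("enableDebug");       // ASSUMED name
    if (debugOn) {
        dbg.setDebugProperty("enableDebug", false);
        arrayAppend(report, "Debugging output was ON; now disabled.");
    } else {
        arrayAppend(report, "Debugging output already disabled.");
    }

    // --- 2. Site-wide error handler hides stack traces/paths ----------
    rt = createObject("component", "cfide.adminapi.runtime");
    handler = rt.getErrorProperty("siteWideErrorHandler"); // ASSUMED name
    if (NOT len(trim(handler))) {
        rt.setErrorProperty("siteWideErrorHandler", errorTemplate);
        arrayAppend(report, "No site-wide error handler; set to " & errorTemplate);
    } else {
        arrayAppend(report, "Site-wide error handler present: " & handler);
    }

    // --- 3. RDS should not be reachable from production ---------------
    // Disabling RDS through the API is ASSUMED to be available here; on
    // older releases it is done by removing the RDS servlet mapping in
    // web.xml instead. Either way, report the state so it is not forgotten.
    sec = createObject("component", "cfide.adminapi.security");
    if (sec.isRdsEnabled()) {                              // ASSUMED name
        sec.setRdsEnabled(false);                          // ASSUMED name
        arrayAppend(report, "RDS was enabled; now disabled.");
    } else {
        arrayAppend(report, "RDS already disabled.");
    }

    // --- 4. Patch level: server scope is standard CFML, no API needed ---
    arrayAppend(report, "Running ColdFusion " & server.coldfusion.productversion
        & " (" & server.coldfusion.productlevel & "); compare against the current security bulletins.");

    writeOutput("<pre>" & arrayToList(report, chr(10)) & "</pre>");
</cfscript>
```

Run it once as an administrator after install and again after every hotfix; because each section reports before it changes anything, the output doubles as an audit record of what the server looked like before lockdown.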

