On Tue, Mar 17, 2009 at 9:39 PM, Mark Mandel wrote:
>> > If I am right, I should also be disabling createObject for .NET, COM,
>> CORBA and Java, but are there any other functions I should disable?
>>
>> That should do it if you are just after security.
>
> If this is a CF8 Box, you can have createObject() for Java enabled, just
> remember to disable access to the ColdFusion components. This should
> mitigate access to things like the ServiceFactory, but still give your users
> access to the full functionality of Java.
There is a lot more that is dangerous in Java then just access to the
ColdFusion ServiceFactory. For instance, a user can use his regular
access to upload a batch file and a properties file, then use the Java
runtime exec() method to run the batch file. And lets suppose that
batch file overwrites the ColdFusion password.properties file with the
uploaded properties file. Then the user uses CreateObject("java",
"java.lang.Runtime").getRuntime().exit(1) to force a restart of
ColdFusion and suddenly the ColdFusion server uses the admin password
the user specified in the file he uploaded.
Without proper control over all aspects of reflection, inspection,
classloading and the runtime Java is unsafe in a shared hosting
environment.
Jochem
--
Jochem van Dieten
http://jochem.vandieten.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320659
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe:
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
