> > Yes, CF runs under Local System. So CF has full system access. That's
> > the danger from the applications on the server. What about an external
> > attack -- what could be done, specifically?
>
> That really depends on what the applications do, and how well they're
> written. An attacker can run those applications, and potentially
> manipulate the inputs to those applications in a way that makes them
> behave differently than you want them to.

Oh, and also: why don't you run CF with a less-privileged user account or security context? CF doesn't need to be SYSTEM to run, and can do well in most cases with significantly limited permissions and privileges.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352675

