I don;t think anyone has said that the Cf installer should magically secure their applications, this is a whole different issue and no blame can be laid at Adobe's feet or the installer for poorly written code.
On Sat, Mar 29, 2014 at 2:23 PM, Dave Watts <dwa...@figleaf.com> wrote: > > > > > I also once had a client who did this, they were Linux heads who > thought > > > > that hiding the "sucky insecure windows/cf server" behind a linux > server > > > > and doing a reverse proxy would make it secure. > > > > > > There is no such thing as "make it secure", of course. But it is more > > > secure. It solves one specific security problem - preventing > > > executable code from being directly accessed from an untrusted > > > network. > > > > > > > But of course it didn't as everything still works the same way, the > SQL > > > > injections still got through, the insecure file upload forms still > > > > allowed > > > > files to be uploaded, which could then be executed as they had > cfexecute > > > > and cfregistry enabled. > > > > > > So what you're saying is that, despite the fact that the environment > > > was (more) secure by default, developers accidentally wrote > > > exploitable code? > > > > > > I have the feeling there's some lesson to be drawn from this. I wonder > > > what it is? > > > > A locked door is useless if you leave the windows open. > > I think we might be in agreement! But maybe for different reasons. > > Setting up application servers to be secure is hard. Ensuring that > application code doesn't contain vulnerabilities is hard. And you're > not going to be able to solve security problems with an installer. > People need to know what they're doing. They need to have a base level > of competence at their jobs. No installer in the world is going to > idiot-proof web applications. > > Dave Watts, CTO, Fig Leaf Software > 1-202-527-9569 > http://www.figleaf.com/ > http://training.figleaf.com/ > > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on > GSA Schedule, and provides the highest caliber vendor-authorized > instruction at our training centers, online, or onsite. > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358233 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
