> Correcting the installer won't solve all problems, but it should not be the
> CAUSE of problems

The installer is installing an application server. Again, this is
inherently dangerous, period, end of story. This particular installer
sets up a web application that is needed to configure the server, and
has to immediately function in order to complete the installation
process. The web application is the source of nearly every CF
vulnerability, and has been for many years. In addition, it's very
easy to install that web application securely with just a little bit
of knowledge, as I outlined previously.

And hey! if you install CF 10 today, it gives you a little checkbox
called "Secure Profile" which does exactly what you want! (Assuming
that what you want is to limit access to the CF Administrator, disable
RDS, require a complex password, disable debugging and detailed error
messages, etc, etc.) I'm still not going to rely on that to secure
access to CF Administrator, because I prefer to simply block access to
it entirely from untrusted networks. But it seems to solve the
specific problem you're complaining about.

So, honestly, I'm not really sure what you're going on about, other
than "administrators shouldn't be bothered to learn what they're
doing".

> "Hey sys admin, I'm going to make your day!  Here's an app which we KNOW has
> security issues and requires a lot of maintenance. You're going to have to
> become an expert in this new technology, invest even more time patching it
> and discover security leaks you won't even be informed about, it'll be your
> job to tell the app vendor about that, too!

Well, honestly, if you set it up correctly in the first place and
followed the instructions in the lockdown guide where appropriate, you
actually wouldn't have to worry nearly as much about patches. Given
that the vast majority of CF vulnerabilities are in the CF
Administrator specifically, if you configure access to that correctly
you don't have to become an expert, spend a lot of time patching, or
discovering security leaks. The same is true for EVERY PIECE OF
SOFTWARE YOU EXPOSE TO UNTRUSTED NETWORKS.

People used to expose database servers to the public. Whether a
database server has known vulnerabilities or not, that's just a bad
idea, and anyone who's installing a database server should know
better.

> In addition, the company that produces the application got hacked recently
> and the hackers got a lot of user data.

I'm not sure how that's all that important here. Adobe was not hacked
through a CF vulnerability. If you want to find people using CF, you
don't need to hack Adobe to get that. There are lots of people who
have that data. Admittedly, if you want to find people who bought
older versions of CF, that would be easier to get from Adobe, but that
wouldn't tell you whether those people are still using CF or whether
their servers were set up properly. In addition, that would have
nothing to do with what you want Adobe to do now. To the best of my
knowledge, Adobe does not possess a time machine, so they can't go
back in time to fix problems in old installed systems other than by
providing patches. I guess that it's a good thing that administrators
don't have to worry about patching anything else.

> But we developers, we're not worried about this because if our server gets
> hacked (through widely published methods well known by the hacker community),
> it's all YOUR fault! I mean, it's not like you've got anything better to do, is
> it?"
>
> *sound of running feet and screaming*

I'd be interested to hear how security audits work in your
organization. On second thought, maybe not.

If you think vulnerabilities don't exist for other products, through
"widely published methods well known by the hacker community", I don't
know what to tell you. If you install any application that will be
exposed to untrusted networks, you are expected to apply basic due
diligence. If you cannot do that, you should not be administering that
system. And for CF, at least, it's easy to block the "widely published
methods well known by the hacker community".

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
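The lockdown the reply argues for (CF Administrator reachable only from trusted networks) can be checked against the web server's access log. The following is an added example, not code from the thread or from Adobe; the admin URL prefixes other than /CFIDE/administrator, the trusted 10.0.5.0/24 network and the log lines are assumptions constructed for illustration.

```python
# Added example (not from the cf-talk thread): flag ColdFusion Administrator
# requests that reached the server from outside a trusted management network.
import ipaddress
import re

# /CFIDE/administrator is the CF Administrator; the other prefixes are assumed
# admin/RDS endpoints a lockdown would restrict the same way.
ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi", "/cfide/main/ide.cfm")
# Constructed trusted management network (an assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# Common Log Format: client ip ... "METHOD path PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_admin_path(path: str) -> bool:
    """Case-insensitive prefix match, query string ignored."""
    return path.split("?", 1)[0].lower().startswith(ADMIN_PREFIXES)

def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_untrusted_admin_hits(log_lines):
    """Return (ip, path, status) for admin requests from untrusted sources.
    A 2xx here means the lockdown is missing; 403 shows the block working."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if is_admin_path(path) and not is_trusted(ip):
            hits.append((ip, path, int(status)))
    return hits

# Constructed sample access-log lines for a stand-alone run.
SAMPLE_LOG = [
    '10.0.5.7 - - [01/Nov/2013:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Nov/2013:10:00:02 +0000] "GET /cfide/administrator/ HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Nov/2013:10:00:03 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Nov/2013:10:00:04 +0000] "POST /CFIDE/adminapi/administrator.cfc?method=login HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, path, status in find_untrusted_admin_hits(SAMPLE_LOG):
        print(ip, path, status, "OPEN" if status < 400 else "blocked")
```

Run it against the real access log (one line per list entry) after enabling Secure Profile or adding the web-server block; any untrusted hit with a 2xx status means the Administrator is still reachable.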

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358236