> Adam Berry said:
> "The security bulletin explains the potential impact of the
> security issues. Since these issues were discovered through
> an internal audit, we decided not to publish explicit instructions
> for how to exploit the issues. "
>
> I'd like a more detailed explanation of the impact. Does the
> flaw allow an attacker to take actions using the security context
> the webserver runs in, or the one CF Server runs in? I personally
> don't allow CF Server to run as System, and the userid it gets
> has limited rights, so even if an attacker can run code using
> CF Server's process id the attacker can't change (very many)
> files. If the attacker can only run code in the webserver context,
> the effect depends on the webserver; IIS has to run as system,
> but Apache can run with very limited update rights, so there
> might not be much damage possible.
My guess is that, since this appears to be a problem with the API stub, the
security context at issue is either the web server user account (in IIS,
IUSR_MACHINENAME or the authenticated user), or the web service account
itself.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
