True - I was just addressing common setups and scenarios. Most CF hosts and developers take advantage of storing the connection info in the CF Admin, to keep their <cfquery>'s shorter. And if your file system gets hacked, then you're hitting that red alert zone. But the "standard" setup, where credentials are stored in CF Admin, is insecure without even trying.
--- Billy Cravens

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 06, 2002 2:55 PM
To: CF-Talk
Subject: RE: "Hacking" a shared SQL server

> Most languages don't store connection information in a
> central repository - you have to provide credentials at
> code time.

You can do that in CF, of course - there's nothing forcing you to store them in the datasource settings.

> Unless your file system is insecure (i.e., everyone can see
> everyone's code), other developers on that box would be
> unable to connect to your database.

Well, here's where it becomes tricky. I'll go back to my prior example, with Matt and me sharing a server. Each has set permissions that keep the other out, of course - Matt doesn't trust me as far as he can throw me, and I've been putting on weight. However, we can both write code that runs on the server. If either of us can figure out how to escalate our privileges to root or Administrator or SYSTEM or whatever, then we'll be able to bypass that pesky filesystem ACL limitation and read the other's files.

So, Matt is still annoyed about how I read his database info from the registry, and he decides to get even. Remembering that any CFML code that he writes will run with the privileges of the CF service itself - and that this service must, by necessity, have read access to his files and mine - he has many potential attack routes right there. On the other hand, I might then use a privilege escalation of my own, by creating a batch file and getting it "inadvertently" scheduled by the system scheduler (which on Windows runs as SYSTEM, of course).

Of course, our hosting provider must be getting mad by now. So, I'll stop here, but this should give you a good idea of the difficulties that a shared hosting provider must face.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

