Dave Watts wrote:

> Well, here's where it becomes tricky. I'll go back to my prior example, with
> Matt and me sharing a server. Each has set permissions that keep the other
> out, of course - Matt doesn't trust me as far as he can throw me, and I've
> been putting on weight. However, we can both write code that runs on the
> server. If either of us can figure out how to escalate our privileges to
> root or Administrator or SYSTEM or whatever, then we'll be able to bypass
> that pesky filesystem ACL limitation and read the other's files.
>
> So, Matt is still annoyed about how I read his database info from the
> registry, and he decides to get even. Remembering that any CFML code that he
> writes will run with the privileges of the CF service itself

Sandbox Security to the rescue. The code would run under the privileges of
the "www-Matt" user.

> and that this
> service must, by necessity, have read access to his files and mine, he has
> many potential attack routes right there. On the other hand, I might then
> use a privilege escalation of my own, by creating a batch file and getting
> it "inadvertently" scheduled by the system schedule (which on Windows runs
> as SYSTEM, of course).

Sandbox Security to the rescue. Scheduling something requires administrator
or system privileges, which are unavailable to the "www-Dave" user.

> Of course, our hosting provider must be getting mad by now.

Then you have the wrong hosting provider :)

> So, I'll stop
> here, but this should give you a good idea of the difficulties that a shared
> hosting provider must face.

I haven't heard a scenario that scares me yet. But I haven't upgraded to CF
MX either, and scenarios change a lot there. In fact, I haven't come up with
any scenario under CF MX that does *not* scare me.

Jochem

______________________________________________________________________
Your ad could be here. Monies from ads go to support these lists and provide
more resources for the community. http://www.fusionauthority.com/ads.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
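The scheduled-task route Dave describes (a batch file that ends up running as SYSTEM) is one a shared-hosting operator can audit directly. The script below is an added example, not code from the thread or from ColdFusion: it walks every scheduled task that runs as SYSTEM or with highest privileges and reports any whose executable, script argument or containing directory is writable by a low-privileged web account. The account name "www-Dave" is taken from the thread as a hypothetical; Get-ScheduledTask needs Windows 8 / Server 2012 or later, and the cmdlet, the group names and the file extensions checked are this example's own assumptions.

```powershell
# Added example (not from the original post): find scheduled tasks that run
# with high privileges but point at a file a low-privileged user could modify.
# Assumptions: the per-site web account is called "www-Dave" (hypothetical),
# and the ScheduledTasks module (Windows 8 / Server 2012+) is available.
param(
    [string]$LowPrivUser = 'www-Dave'
)

# Any of these rights on the target lets the user replace what the task runs.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

# Groups a shared-hosting web account is commonly a member of (assumption).
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-WritableBy {
    param([string]$Path, [string]$User)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $matchesUser = $id -match "(^|\\)$([regex]::Escape($User))$"
        if (-not $matchesUser -and $id -notin $broadGroups) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) { return $true }
    }
    return $false
}

# Turn an action's Execute field into a full path, the way the scheduler would.
function Resolve-TaskExecutable {
    param([string]$Execute)
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Source) { $exe = $cmd.Source }
    }
    return $exe
}

# Dave's batch file would usually appear as an argument to cmd.exe rather than
# as the executable itself, so script-like arguments are checked too.
function Get-ScriptArguments {
    param([string]$Arguments)
    if (-not $Arguments) { return @() }
    $tokens = $Arguments -split '\s+' | ForEach-Object { $_.Trim('"') }
    return $tokens | Where-Object { $_ -match '\.(bat|cmd|ps1|vbs|js)$' } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
}

$privileged = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'LocalSystem', 'Administrator')

Get-ScheduledTask | ForEach-Object {
    $task  = $_
    $runAs = $task.Principal.UserId
    $high  = ($runAs -in $privileged) -or ($task.Principal.RunLevel -eq 'Highest')
    if (-not $high) { return }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe     = Resolve-TaskExecutable $action.Execute
        $targets = @($exe, (Split-Path -Parent $exe)) + (Get-ScriptArguments $action.Arguments)
        foreach ($t in $targets) {
            if (Test-WritableBy -Path $t -User $LowPrivUser) {
                [pscustomobject]@{
                    Task     = "$($task.TaskPath)$($task.TaskName)"
                    RunsAs   = $runAs
                    Writable = $t
                }
            }
        }
    }
}
```

Run it as an administrator on the shared host; an empty result means no SYSTEM-level task depends on a file or directory the web account can change, which is the property Jochem is relying on when he says scheduling is out of reach for "www-Dave". A non-empty result names exactly the file to lock down. Note that this checks file ACLs only; whether the account can also create new tasks (Task Scheduler permissions, or `at` on older systems) is a separate check.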

