Generic security resources include www.owasp.org and www.wasc.org.
I'd look for a STiG on CF security, though I'm not sure one exists
from the NSA.
There have been many talks by folks like Dave Watts focused on
security of the server itself at various conferences, too.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not
that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
On Aug 1, 2007, at 5:00 PM, Rob Saxon wrote:
Is there a document or web site with CF security best practices?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Mason
Sent: Wednesday, August 01, 2007 4:58 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] CF Service Account
The issue, as I remember, is how Jrun implements JAAS. Lib is
actually open
by default. Also bare in mind, I'm speaking of default settings
here. Once
again, the main point, is don't rely on Adobe/Microsoft to keep
your site
secure. You have to take additional precautions to secure your site
and
server
John
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.
Saxe
Sent: Wednesday, August 01, 2007 4:36 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CF Service Account
If you are using sandbox security, which under the hood probably
uses JAAS,
this shouldn't be possible. Besides... who allows someone to write
to the
lib dir anyway?
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his own
opinion, however different that opinion might be to mine. He who
denies
another this right makes a slave of himself to his present opinion,
because
he precludes himself the right of changing it."
-- Thomas Paine, 1783
On Aug 1, 2007, at 4:34 PM, John Mason wrote:
You're right and it's been post a few years ago so it's not news
really.
This is one of the reasons I wish CF was more open source to begin
with, but here you guys go. If you have cfobject (java) enabled, this
script simply writes and compiles a java class in the lib directory.
This then opens up the ability to do other things. This dates back to
when CF made the jump into java. I believe this is more an issue with
Jrun4 really than CF.
http://securitytracker.com/alerts/2004/Oct/1011475.html
John
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.
Saxe
Sent: Wednesday, August 01, 2007 3:32 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CF Service Account
Well the point is really you can't secure what you don't know about.
CF can be a very secure platform if you know how to secure it and
write secure code on top of it. Hiding details on security
vulnerabilities does nothing to help the situation, the blackhats
know
the details and the rest of us are left to defend ourselves.
Honestly, I'm too lazy (er, busy!) right now to go look up the
specifics on this vulnerability that is mentioned here...
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not
that
they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
On Aug 1, 2007, at 3:28 PM, Kevin wrote:
"Security by obscurity is not a good mechanism... let everyone see."
Yes really...
Thats what MS does... Hide everything so you cant see the holes?
This community may find out your NOT as secure as you thought?
On 8/1/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
Security by obscurity is not a good mechanism... let everyone see.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not
that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
On Aug 1, 2007, at 3:24 PM, John Mason wrote:
Dean, I'll need to email you off list after the meeting. I
naturally
don't like sharing that stuff in the open for everyone to see.
For everyone out there - needless to say, don't just depend on the
CF level of security. Security should always include multiple
layers.
Otherwise it
won't hold up very well.
John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting Now offering
ColdFusion 8 Enterprise hosting FREE Subversion hosting
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.
Saxe
Sent: Wednesday, August 01, 2007 3:17 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CF Service Account
Sandbox security is fine when it is backed up by OS-level security.
What hack do you refer to? That's a new one on me.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"[U]nconstitutional behavior by the authorities is constrained only
by the peoples' willingness to contest them"
--John Perry Barlow
On Aug 1, 2007, at 3:12 PM, John Mason wrote:
There's some, but there's a known remote java class hack to get
around it.
I'm testing CF8 for this issue. Bluedragon doesn't have this issue
by the way. For a lot of things sandboxing is certainly good if
people would just use it ;) But if you have COM objects on and
CF is
running under the local service account. Which a lot of people do
for some reason. You can pretty much do anything you want to a
server. Taking CF off local service account achieves a lot of known
security issues out right and it's easy to implement. That's why I
jump on that whenever possible.
John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting Now offering
ColdFusion 8 Enterprise hosting FREE Subversion hosting
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie
Arehart
Sent: Wednesday, August 01, 2007 2:59 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] CF Service Account
No value in the resource/sandbox security? :-) /charlie
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob
Saxon
Sent: Wednesday, August 01, 2007 2:05 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] CF Service Account
Thank you John and Dean for your feedback. The CF script needs to
write the contents of a web form to a folder on another server so
that an application on that server can read in the form results.
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
--
<K />
"A government big enough to give you everything you want, is strong
enough to take everything you have."
-Thomas Jefferson
"If your a horse, and someone gets on you, and falls off, and then
gets right back on you; I think you should buck him off right away."
-Todays deep thoughts
"The winner in any meeting is the one with the highest caffeine
resistance and bladder capacity" -Roger Wright
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
