Is there a document or web site with CF security best practices?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Mason
Sent: Wednesday, August 01, 2007 4:58 PM
To: [email protected]
Subject: RE: [ACFUG Discuss] CF Service Account

The issue, as I remember, is how Jrun implements JAAS. Lib is actually open
by default. Also bear in mind, I'm speaking of default settings here. Once
again, the main point is: don't rely on Adobe/Microsoft to keep your site
secure. You have to take additional precautions to secure your site and
server.

John
[EMAIL PROTECTED]



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Wednesday, August 01, 2007 4:36 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] CF Service Account

If you are using sandbox security, which under the hood probably uses JAAS,
this shouldn't be possible.  Besides... who allows someone to write to the
lib dir anyway?

-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his own
opinion, however different that opinion might be to mine. He who denies
another this right makes a slave of himself to his present opinion, because
he precludes himself the right of changing it."
     -- Thomas Paine, 1783


On Aug 1, 2007, at 4:34 PM, John Mason wrote:

> You're right, and it was posted a few years ago, so it's not news
> really.
> This is one of the reasons I wish CF was more open source to begin
> with, but here you guys go. If you have cfobject (java) enabled, this
> script simply writes and compiles a java class in the lib directory.
> This then opens up the ability to do other things. This dates back to
> when CF made the jump into java. I believe this is more an issue with
> Jrun4 really than CF.
>
> http://securitytracker.com/alerts/2004/Oct/1011475.html
>
> John
> [EMAIL PROTECTED]
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. 
> Saxe
> Sent: Wednesday, August 01, 2007 3:32 PM
> To: [email protected]
> Subject: Re: [ACFUG Discuss] CF Service Account
>
> Well, the point is really you can't secure what you don't know about.
> CF can be a very secure platform if you know how to secure it and
> write secure code on top of it.  Hiding details on security
> vulnerabilities does nothing to help the situation; the blackhats know
> the details and the rest of us are left to defend ourselves.
>
> Honestly, I'm too lazy (er, busy!) right now to go look up the
> specifics on this vulnerability that is mentioned here...
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "What is objectionable, what is dangerous about extremists is not that
> they are extreme, but that they are intolerant."
>      -- Robert F. Kennedy, 1964
>
>
> On Aug 1, 2007, at 3:28 PM, Kevin wrote:
>
>> "Security by obscurity is not a good mechanism... let everyone see."
>>
>> Yes, really...
>> That's what MS does... Hide everything so you can't see the holes?
>>
>> This community may find out you're NOT as secure as you thought?
>>
>>
>>
>> On 8/1/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
>>> Security by obscurity is not a good mechanism... let everyone see.
>>>
>>> -dhs
>>>
>>>
>>> Dean H. Saxe, CISSP, CEH
>>> [EMAIL PROTECTED]
>>> "What is objectionable, what is dangerous about extremists is not
>>> that they are extreme, but that they are intolerant."
>>>     -- Robert F. Kennedy, 1964
>>>
>>>
>>> On Aug 1, 2007, at 3:24 PM, John Mason wrote:
>>>
>>> Dean, I'll need to email you off list after the meeting. I naturally
>>> don't like sharing that stuff in the open for everyone to see.
>>>
>>> For everyone out there - needless to say, don't just depend on the
>>> CF level of security. Security should always include multiple
>>> layers. Otherwise it won't hold up very well.
>>>
>>> John Mason
>>> [EMAIL PROTECTED]
>>> 770.337.8363
>>>
>>> www.FusionLink.com - ColdFusion and Flex hosting
>>> Now offering ColdFusion 8 Enterprise hosting
>>> FREE Subversion hosting
>>>
>>> ________________________________
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.
>>> Saxe
>>> Sent: Wednesday, August 01, 2007 3:17 PM
>>> To: [email protected]
>>> Subject: Re: [ACFUG Discuss] CF Service Account
>>>
>>> Sandbox security is fine when it is backed up by OS-level security.
>>>
>>> What hack do you refer to? That's a new one on me.
>>>
>>> -dhs
>>>
>>>
>>> Dean H. Saxe, CISSP, CEH
>>> [EMAIL PROTECTED]
>>> "[U]nconstitutional behavior by the authorities is constrained only
>>> by the peoples' willingness to contest them"
>>> --John Perry Barlow
>>>
>>>
>>> On Aug 1, 2007, at 3:12 PM, John Mason wrote:
>>>
>>> There's some, but there's a known remote java class hack to get
>>> around it.
>>> I'm testing CF8 for this issue. Bluedragon doesn't have this issue,
>>> by the way. For a lot of things sandboxing is certainly good, if
>>> people would just use it ;) But if you have COM objects on and CF is
>>> running under the local service account, which a lot of people do
>>> for some reason, you can pretty much do anything you want to a
>>> server. Taking CF off the local service account addresses a lot of
>>> known security issues outright, and it's easy to implement. That's
>>> why I jump on that whenever possible.
>>>
>>> John Mason
>>> [EMAIL PROTECTED]
>>> 770.337.8363
>>> www.FusionLink.com - ColdFusion and Flex hosting
>>> Now offering ColdFusion 8 Enterprise hosting
>>> FREE Subversion hosting
>>>
>>> ________________________________
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie
>>> Arehart
>>> Sent: Wednesday, August 01, 2007 2:59 PM
>>> To: [email protected]
>>> Subject: RE: [ACFUG Discuss] CF Service Account
>>>
>>>
>>> No value in the resource/sandbox security? :-) /charlie
>>>
>>> ________________________________
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob
>>> Saxon
>>> Sent: Wednesday, August 01, 2007 2:05 PM
>>> To: [email protected]
>>> Subject: RE: [ACFUG Discuss] CF Service Account
>>>
>>>
>>>
>>>
>>> Thank you John and Dean for your feedback. The CF script needs to
>>> write the contents of a web form to a folder on another server so
>>> that an application on that server can read in the form results.
>>>
>>>
>>> -------------------------------------------------------------
>>> Annual Sponsor - Figleaf Software
>>>
>>> To unsubscribe from this list, manage your profile @
>>> http://www.acfug.org?fa=login.edituserform
>>>
>>> For more info, see http://www.acfug.org/mailinglists Archive @
>>> http://www.mail-archive.com/discussion%40acfug.org/
>>> List hosted by FusionLink
>>> -------------------------------------------------------------
>>>
>>
>>
>> --
>> <K />
>>
>> "A government big enough to give you everything you want, is strong
>> enough to take everything you have."
>> -Thomas Jefferson
>>
>> "If you're a horse, and someone gets on you, and falls off, and then
>> gets right back on you; I think you should buck him off right away."
>> -Today's deep thoughts
>>
>> "The winner in any meeting is the one with the highest caffeine
>> resistance and bladder capacity" -Roger Wright
>>
>>
>>
>>
>>
>
>
>
>
>
>
>
>
>
>
>















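The two defaults this thread keeps coming back to (CF running as a built-in Windows account, and the JRun/CF lib directory being writable to the process) can be checked on the CF host from PowerShell. This is an added audit script, not code from the thread, Adobe or JRun; it assumes the CF service's DisplayName starts with "ColdFusion" and takes the lib path as a parameter (the default below is a placeholder to adjust per install).

```powershell
# Added audit example (not from the thread): flag a ColdFusion service that
# runs as a built-in high-privilege account, and list who can write to the
# lib directory. Assumes the service DisplayName starts with "ColdFusion";
# the lib path default is a placeholder for the local install.
param(
    [string]$LibDir = 'C:\ColdFusion8\lib'   # assumed default install path
)

# Built-in accounts that should not own a web-facing app server process.
$builtIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService',
             'NT AUTHORITY\NetworkService')
$svcAccounts = @()

foreach ($svc in Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'ColdFusion%'") {
    # StartName is the logon account; ".\user" denotes a local account.
    $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $svcAccounts += $acct
    if ($builtIn -contains $acct) {
        Write-Warning "$($svc.DisplayName) runs as '$acct'; move it to a dedicated low-privilege account"
    } else {
        Write-Output "$($svc.DisplayName) runs as '$acct'"
    }
}

# Identities that would let the CF process (or any local user) drop files into lib.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

foreach ($ace in (Get-Acl -Path $LibDir).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($broad -contains $who -or $svcAccounts -contains $who) {
        # A class written into lib by the CF process is exactly the scenario
        # the thread describes; lib should be read-only to the service
        # account, with deployment done by an administrator.
        Write-Warning "$who has write access to $LibDir"
    } else {
        Write-Output "$who can write to $LibDir (expected for administrators only)"
    }
}
```

Run it as an administrator on the CF server; any Write-Warning line is a finding to fix by changing the service logon account or tightening the lib ACL.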