RE: [ACFUG Discuss] New CF Vulnerability - Check your servers
Yes, there are various issues like that which will now bite people who had not done any of the security fixes until this one. I've been meaning to do a blog entry to highlight them, but have just been too busy.

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Ajas Mohammed
Sent: Monday, January 21, 2013 5:12 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers

Frank, I know PostParametersLimit is a different issue than the security fix, if that's what you were trying to imply. I meant that since the security fix is a CUMULATIVE fix, we saw it for the first time after applying the security fix (because we had not patched up our servers with earlier hotfixes/patches). So PostParametersLimit = no. of form fields, whereas postSizeLimit = size in MB of how big the post size (form) can get.

Thanks,
Ajas Mohammed

-
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
I was wondering about people who are on CF 7/8. One of our servers is still on CF 7. So apart from restricting public access to the CFIDE admin folders, is there anything else that needs to be done for CF 7/8? I do know that this security fix by Adobe tech note addresses versions CF 9.0, 9.0.1, 9.0.2 and CF 10.

Thanks,
Ajas Mohammed

iUseDropbox (http://db.tt/63Lvone9)
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are. No matter what, find a way. Because that's what winners do. You can't improve what you don't measure. Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.

On Tue, Jan 22, 2013 at 7:31 PM, Charlie Arehart char...@carehart.org wrote:
RE: [ACFUG Discuss] New CF Vulnerability - Check your servers
For CF7, there are no new security hotfixes since 2008, but for CF8, there were new ones as late as Sep '12. See: http://www.adobe.com/support/security/#coldfusion

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Ajas Mohammed
Sent: Tuesday, January 22, 2013 7:49 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Thanks Charlie. Congratulations on getting acknowledged by the security advisory.

Ajas Mohammed

On Tue, Jan 22, 2013 at 8:02 PM, Charlie Arehart char...@carehart.org wrote:
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Thanks Charlie for the detailed email. Yes, we are on 9.0 and we didn't upgrade to 9.0.1. We used the hotfix jar for 9.0 as advised on the Adobe page. It makes sense to protect those CFIDE folders you mentioned.

One thing we did notice is that after applying the security hotfix, we started to get this error: coldfusion.filter.FormScope$PostParametersLimitExceededException: POST parameters exceeds the maximum limit specified in the server. A quick Google search led me to this post: http://www.cutterscrossing.com/index.cfm/2012/3/27/ColdFusion-Security-Hotfix-and-Big-Forms. I ended up adding <var name='postParametersLimit'><number>500.0</number></var> to {ColdFusion-Home}/lib/neo-runtime.xml for the Server installation. I am guessing that we might have missed an earlier patch/hotfix in which Adobe introduced this postParametersLimit setting. We were surprised by the error message in the beginning, but since we had recently applied the security fix, we knew it had to do with the fix.

Thanks,
Ajas Mohammed
http://ajashadi.blogspot.com

On Fri, Jan 18, 2013 at 7:07 PM, Charlie Arehart char...@carehart.org wrote:

:-) Thanks. I will note that they did just yesterday kindly add me to the acknowledgements section of the security advisory, a first for me. :-) Various issues caused the delay. Nothing nefarious. I got a call from someone on PSIRT explaining the situation. I was just happy to get the mention.

The good news is that I’ve gotten “payment” by a burst of new business from people needing help with this. Of course, I posted the first two entries making no mention of my services. That really wasn’t my motivation. But come, the work has. And some of those have then realized I could help with other things, which has led to still more work, so it’s been all the more beneficial. Of course, it’s a bit like being a roofer after a tornado blows through. You don’t want to say you’re “glad for the work”, as you feel for people who were affected.

I have a part 4/post mortem in the works, but sadly too busy to get time to write it up. Perhaps over the weekend.

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Steve Ross
Sent: Friday, January 18, 2013 10:17 AM
To: ACFUG ColdFusion Discussion
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers

Adobe should be paying you Charlie...

On Wed, Jan 16, 2013 at 9:39 AM, Ajas Mohammed ajash...@gmail.com wrote:

Thanks Charlie, Cameron for keeping us updated with the latest. Charlie, thanks for those blog entries. Really appreciate all your help.

Ajas Mohammed
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
It was introduced in APSB12-06 released March of 2012. They introduced the setting, defaulted it to 100, but didn't update the Administrator to allow editing from the GUI so it must be added directly in the XML.

http://www.adobe.com/support/security/bulletins/apsb12-06.html

On Mon, Jan 21, 2013 at 3:42 PM, Ajas Mohammed ajash...@gmail.com wrote:

--
Dawn
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Ajas,

The PostParametersLimit is actually due to a different issue. (I was also hit with this one.) A brief note about it is here: http://arstechnica.com/business/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack/

Essentially, there is a DoS attack possible by posting many parameters to a web page. Whenever you post multiple form elements to a webserver (with either POST or GET) it generates a hash in order to refer to them.

"If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request."

I have read that when properly executed, this attack can cause a single page request to take over 1/2 hour on a server without any other traffic. So in order to circumvent the problem, many platforms decided the easy way to stop the problem would be to not process any page that returns more than 100 form (or URL) parameters. Of course anyone that has a legitimate reason to have that many form fields needs to increase the maximum. In addition to ColdFusion, I know Apache also has a default limit of 100 on any patched server.

--Frank

On 01/21/2013 03:42 PM, Ajas Mohammed wrote:
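Frank's point is that the cheap defence is to refuse a request on its field count before any per-field hash-table work happens, and Ajas's later reply distinguishes that count cap (postParametersLimit) from the byte cap (postSizeLimit). The following is an added example written for this thread, not code from the ACFUG posts or from ColdFusion itself: it applies both kinds of limit to a form body in Python, using the max_num_fields argument that urllib.parse.parse_qs provides for exactly this purpose. The 100-field default mirrors what Dawn describes for APSB12-06; the 20 MB size cap is an assumed value, not a ColdFusion default; the sample forms are constructed here.

```python
"""Added example (not from the ACFUG thread or from Adobe's ColdFusion code).

Enforces two request-body limits before any per-field hash-table work:
  - a cap on the number of form fields (the analogue of ColdFusion's
    postParametersLimit, whose default after APSB12-06 is 100), and
  - a cap on the raw body size in bytes (the analogue of postSizeLimit).

parse_qs counts the '&'-separated fields first and refuses the body when
max_num_fields is exceeded, so an oversized request costs O(n) string
scanning and never inserts a single key into a dict.
"""
from urllib.parse import parse_qs

DEFAULT_PARAM_LIMIT = 100               # ColdFusion's default after APSB12-06
DEFAULT_SIZE_LIMIT = 20 * 1024 * 1024   # assumed 20 MB cap; not a CF default


class RequestTooLarge(ValueError):
    """Raised when either limit is exceeded; a web handler would answer 413."""


def parse_form(body: bytes, param_limit: int = DEFAULT_PARAM_LIMIT,
               size_limit: int = DEFAULT_SIZE_LIMIT) -> dict:
    """Parse an application/x-www-form-urlencoded body under both limits.

    Returns the usual parse_qs mapping of name -> list of values."""
    # Size check first: it is O(1) and needs no decoding at all.
    if len(body) > size_limit:
        raise RequestTooLarge(
            f"body of {len(body)} bytes exceeds size limit of {size_limit}")
    try:
        fields = parse_qs(body.decode("utf-8"), keep_blank_values=True,
                          max_num_fields=param_limit)
    except ValueError as exc:
        # parse_qs raises ValueError("Max number of fields exceeded").
        raise RequestTooLarge(
            f"more than {param_limit} POST parameters") from exc
    return fields


def build_body(n: int) -> bytes:
    """Constructed sample input: a form with n distinct fields f0..f(n-1)."""
    return "&".join(f"f{i}=v{i}" for i in range(n)).encode()


def check(n: int, limit: int = DEFAULT_PARAM_LIMIT,
          size_limit: int = DEFAULT_SIZE_LIMIT) -> str:
    """'accepted' or 'rejected' for a constructed n-field form under the limits."""
    try:
        parse_form(build_body(n), param_limit=limit, size_limit=size_limit)
        return "accepted"
    except RequestTooLarge:
        return "rejected"


if __name__ == "__main__":
    # With the default limit, 100 fields pass and 101 are refused; raising
    # the limit to 500 (as Ajas did) lets the larger form through.
    for n, limit in ((99, 100), (100, 100), (101, 100), (500, 500), (501, 500)):
        print(f"{n:>4} fields, limit {limit}: {check(n, limit)}")
```

The order of the two checks matters: the byte cap runs before decoding, so a huge body is thrown away without being touched, and the field-count cap runs before the dict is built, which is the whole point of the mitigation Frank quotes.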
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Yeah, I hated that parameter and a lack of GUI to change it. When you have many servers to patch, it's annoying to have to edit this value in an XML file over and over again. I understand its value, and I think it's a good thing - but they could have taken a few extra hours of dev time to mimic the behavior of 10 instead of just going half way.

On 1/21/2013 1:51 PM, Dawn Hoagland wrote:
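Dawn notes that postParametersLimit has no Administrator GUI and must be added to the XML by hand, and Mike's complaint is having to repeat that edit across many servers. The script below is an added example for this thread, not Adobe tooling and not code any poster supplied: it reads a neo-runtime.xml, reports whether postParametersLimit is present and what it holds, and can add or change it in the form Ajas quoted. It assumes the file is a WDDX packet whose settings are <var name='...'> elements under a <struct> inside <data>; the sample document is constructed here, and ElementTree rewrites attribute quoting on output (single quotes become double quotes), which is XML-equivalent but worth diffing before you push it to a real server.

```python
"""Added example (not Adobe's tooling and not code from the ACFUG thread).

Audits or sets postParametersLimit in a ColdFusion neo-runtime.xml so the
value can be checked across a fleet instead of hand-edited per server.
Assumptions: WDDX layout with <var name='...'> children holding <number>,
<string> or <boolean>; a missing setting is appended to the first <struct>
under <data> as <var name='postParametersLimit'><number>N</number></var>.
Back the real file up first; ColdFusion reads it only at startup.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SETTING = "postParametersLimit"

# Constructed sample of the relevant part of a neo-runtime.xml (not a real file).
SAMPLE_WITHOUT_LIMIT = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='postSizeLimit'><number>20.0</number></var>
<var name='enableCFoutputOnly'><boolean value='false'/></var>
</struct></data></wddxPacket>"""

SAMPLE_WITH_LIMIT = SAMPLE_WITHOUT_LIMIT.replace(
    "<var name='postSizeLimit'>",
    "<var name='postParametersLimit'><number>100.0</number></var>\n"
    "<var name='postSizeLimit'>")


def get_limit(xml_text: str) -> Optional[float]:
    """Return the configured postParametersLimit, or None if it is absent."""
    root = ET.fromstring(xml_text)
    var = root.find(f".//var[@name='{SETTING}']")
    if var is None:
        return None
    number = var.find("number")
    if number is None or not number.text:
        return None
    return float(number.text)


def set_limit(xml_text: str, value: float) -> str:
    """Return the XML with postParametersLimit set to value (added if missing)."""
    root = ET.fromstring(xml_text)
    var = root.find(f".//var[@name='{SETTING}']")
    if var is None:
        struct = root.find("./data/struct")
        if struct is None:
            raise ValueError("no <struct> under <data>: unexpected neo-runtime.xml layout")
        var = ET.SubElement(struct, "var", {"name": SETTING})
    # Replace whatever child the var had with a single <number>, as CF writes it.
    for child in list(var):
        var.remove(child)
    ET.SubElement(var, "number").text = f"{float(value):.1f}"
    return ET.tostring(root, encoding="unicode")


def audit(xml_text: str, expected: float) -> str:
    """One-line verdict suitable for collecting from every server."""
    current = get_limit(xml_text)
    if current is None:
        # Dawn's post: the hotfix defaults the limit to 100 when it is unset.
        return f"{SETTING} missing (ColdFusion applies its default of 100)"
    verdict = "ok" if current == expected else f"differs from expected {expected:g}"
    return f"{SETTING}={current:g} ({verdict})"


if __name__ == "__main__":
    import sys
    # Usage: python this_script.py [/path/to/neo-runtime.xml] ; without a path
    # the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_WITHOUT_LIMIT
    print("before:", audit(text, 500))
    print("after: ", audit(set_limit(text, 500), 500))
```

Run the audit half against every server's copy of the file before and after a hotfix round: a cumulative hotfix like the one Ajas applied introduces the setting's default on servers that never had it, and the audit line makes that visible without reading the XML by hand.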
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Frank, I know PostParametersLimit is a different issue than the security fix, if that's what you were trying to imply. I meant that since the security fix is a CUMULATIVE fix, we saw it for the first time after applying the security fix (because we had not patched up our servers with earlier hotfixes/patches). So PostParametersLimit = no. of form fields, whereas postSizeLimit = size in MB of how big the post size (form) can get.

Thanks,
Ajas Mohammed

On Mon, Jan 21, 2013 at 4:57 PM, Mike Staver sta...@fimble.com wrote:
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Adobe should be paying you Charlie...

On Wed, Jan 16, 2013 at 9:39 AM, Ajas Mohammed ajash...@gmail.com wrote:

On Wed, Jan 16, 2013 at 12:56 AM, Charlie Arehart char...@carehart.org wrote:

Ok, call off the alarm (those of you on 9.0.2). It turns out that the confusion about the new hotfix (regarding 9.0.2) was just a mistake in the technote. All is as it should be, and everyone ought to apply this hotfix ASAP. :-)

BTW, since writing my comment earlier, I have come out with a part 3 entry, on the hotfix and more. http://www.carehart.org/blog/client/index.cfm/2013/1/15/Part3_serious_security_threat

Still planning a part 4, with post mortem and more. A bit busy now to commit to when. :-)

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Charlie Arehart
Sent: Tuesday, January 15, 2013 3:44 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] New CF Vulnerability - Check your servers

Thanks for sharing it here, Cam. Do beware, though: for those on 9.0.2, there’s a glitch in the hotfix (a missing web-inf.zip within the cf902.zip). I’ve added a comment on the blog entry that points to that (http://blogs.coldfusion.com/post.cfm/coldfusion-security-update-for-version-9-and-above), but obviously those who go straight to the technote wouldn’t see that. Hopefully Adobe will fix this ASAP. To be clear, this warning is only for those on 9.0.2. Those on 9.0, 9.0.1, or 10 should absolutely proceed with the hotfix as provided.

/charlie

--
Steve Ross
web application interface developer
http://blog.stevensross.com
[mobile] (912) 344-8113
[ AIM / Yahoo! : zeriumsteven ] [googleTalk : nowhiding ]
RE: [ACFUG Discuss] New CF Vulnerability - Check your servers
Ajas, I'm afraid the answer is not as obvious as one may hope. And as you all know is often the case, I also don't think it can be answered in a tweet-sized reply. For those interested, read on. :-)

First, let me note that the jar filename you refer to below is for 9.0 (not 9.0.1 or 9.0.2). Are you really still running only on 9.0? Of course, I know that many are, because they just never got around to adding the free 9.0.1 updater a couple years ago. But for anyone who has, or who installed the new 9.0.2 after May, they would want to be careful to get the correct hotfix file.

Second, besides the hotfix jar, this hotfix (like nearly all the security hotfixes and cumulative hotfixes) also entails updating the CFIDE directory. So first, again, you'd have a potential problem if you used the CFIDE for the 9.0 hotfix to update your 9.0.1 or 9.0.2 deployment (if that's what you have), as they may not be identical. (To any who would complain, "see, this is the madness with the CF hotfix process", I'd say yes, that was so at least until 10, when they added the new automated hotfix mechanism that takes care of all this for you.)

Third, even if one may feel they applied the right things in the right places, there's sadly no means provided by Adobe to verify if you're protected. And if you think about it, it's an unfortunate tension. While providing that would help those who did apply the fix, the converse is that the info could now be used by bad guys both to identify what servers WERE still vulnerable and, worse (for those who didn't already know what the previous hack's vulnerability was), they would now have the information needed to perpetrate the exploit.

So I'd assert that the first and best thing one can do to avoid the exploit is to protect against unfettered public access to the folders /CFIDE/adminapi, /CFIDE/administrator, and /CFIDE/componentutils. You can lock down all access to them in all sites, for instance, and then open it up only in the one site where you think it should be used, whether locking it by IP address or using additional web server authentication. I explain this in my part 2 blog entry, in which I offer links for how to do that in different web servers.

Beyond that, while I said that Adobe offers no way to confirm the fix is applied, I'll note that Pete Freitag's nifty free CF security checking service, HackMyCF.com, does now check for that vulnerability (by trying to call into your server), though note that it only checks the domains you tell it to check. If you have more than one web site on the server (as defined in IIS or Apache), you want to test it also. And even if you have a default site where the Admin is located, which you think is only accessible locally, note that if it's set (in the web server) to handle all IP addresses or all unassigned, then that site can potentially in fact be accessed from the outside if someone knows (or discovers) a working public IP address on the server. That's why I recommend adding the additional web server security I mention above, even for a site you think is not open to access from the outside because you access it using localhost or 127.0.0.1.

Anyway, back to Pete's tool, I'll note that if you get the commercial version, that one has you put a CFC on your server, which he can then call remotely and which can explore things more closely, including confirming which specific hotfixes you do or don't have in place, etc.

Hope that's helpful.

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Ajas Mohammed
Sent: Thursday, January 17, 2013 11:52 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers

By the way, what is the best way to confirm that the security patch has been applied successfully? Personally, I could only tell based off 1) The CF Admin information page says Update Level /C:/ColdFusion9/lib/updates/hf900-9.jar 2) On my local CF install Windows 7, the timestamps on folders changed as I followed the steps. [...]

Ajas Mohammed
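One way to automate the external check Charlie describes above (the kind of "call into your server" test HackMyCF performs, but run across every hostname and bare IP the server answers on, including the "all unassigned" default site he warns about), as an added example that is not from this thread, from Adobe, or from HackMyCF. The hostnames, IP addresses and HTTP responses in it are constructed; `http_status` is a hypothetical helper for running the same logic against servers you administer:

```python
"""Check that ColdFusion administrative paths are not publicly reachable.

Added example, not code from the ACFUG thread, Adobe or HackMyCF. It requests
each sensitive /CFIDE path on every origin you list and flags any origin on
which the web server serves the path instead of refusing it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# The three folders the thread and the Adobe bulletin say to lock down.
SENSITIVE_PATHS = (
    "/CFIDE/administrator/",
    "/CFIDE/adminapi/",
    "/CFIDE/componentutils/",
)

# Statuses that show the web server itself refused the request. Anything
# else (200, 500, ...) means the request reached the application.
BLOCKED_STATUSES = {401, 403, 404}


@dataclass
class Finding:
    origin: str   # scheme://host[:port] that was tested
    path: str     # sensitive path requested
    status: int   # HTTP status observed (0 = could not connect)
    exposed: bool # True when the path was served rather than refused


# A fetcher maps a URL to an HTTP status; it is injectable so the logic can
# be exercised offline against constructed responses.
Fetcher = Callable[[str], int]


def http_status(url: str, timeout: float = 5.0) -> int:
    """Hypothetical live fetcher: HEAD request, returning any status code."""
    req = Request(url, method="HEAD",
                  headers={"User-Agent": "cfide-lockdown-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code          # 401/403/404 arrive here, not as a response
    except URLError:
        return 0                 # refused or unreachable: treated as blocked


def check_origins(origins: List[str], fetch: Fetcher = http_status) -> List[Finding]:
    """Test every sensitive path on every origin; one Finding per pair."""
    findings: List[Finding] = []
    for origin in origins:
        for path in SENSITIVE_PATHS:
            status = fetch(origin.rstrip("/") + path)
            exposed = status != 0 and status not in BLOCKED_STATUSES
            findings.append(Finding(origin, path, status, exposed))
    return findings


def exposed_paths(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the exposed paths by origin for a short report."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        if f.exposed:
            report.setdefault(f.origin, []).append(f.path)
    return report


# Constructed sample responses (no real hosts). The named site is locked
# down except for componentutils, while the server's bare public IP, i.e.
# the default site bound to all addresses, still serves the admin folders.
SAMPLE_RESPONSES = {
    "https://www.example.test/CFIDE/administrator/": 403,
    "https://www.example.test/CFIDE/adminapi/": 403,
    "https://www.example.test/CFIDE/componentutils/": 200,
    "http://203.0.113.10/CFIDE/administrator/": 200,
    "http://203.0.113.10/CFIDE/adminapi/": 200,
    "http://203.0.113.10/CFIDE/componentutils/": 404,
}


def sample_fetch(url: str) -> int:
    """Offline fetcher backed by the constructed table above."""
    return SAMPLE_RESPONSES.get(url, 0)


def demo() -> Dict[str, List[str]]:
    """Run the check over the constructed sample and return the report."""
    origins = ["https://www.example.test", "http://203.0.113.10"]
    return exposed_paths(check_origins(origins, sample_fetch))


if __name__ == "__main__":
    for origin, paths in demo().items():
        print(f"{origin} exposes: {', '.join(paths)}")
```

Run it with `check_origins([...])` (the default `http_status` fetcher) against each hostname and each IP address your server listens on, not just the site names you normally use, so that a default site answering on the public address shows up. A 401 or 403 is the web server doing its job; a 200 on any of these paths, or a CF error page, means the request reached ColdFusion and the lockdown is not in place for that origin.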
RE: [ACFUG Discuss] New CF Vulnerability - Check your servers
:-) Thanks. I will note that they did just yesterday kindly add me to the acknowledgements section of the security advisory, a first for me. :-) Various issues caused the delay. Nothing nefarious. I got a call from someone on PSIRT explaining the situation. I was just happy to get the mention.

The good news is that I've gotten payment by a burst of new business from people needing help with this. Of course, I posted the first two entries making no mention of my services. That really wasn't my motivation. But come, the work has. And some of those have then realized I could help with other things, which has led to still more work, so it's been all the more beneficial.

Of course, it's a bit like being a roofer after a tornado blows through. You don't want to say you're glad for the work, as you feel for people who were affected.

I have a part 4/post mortem in the works, but sadly too busy to get time to write it up. Perhaps over the weekend.

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Steve Ross
Sent: Friday, January 18, 2013 10:17 AM
To: ACFUG ColdFusion Discussion
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers

Adobe should be paying you Charlie...

On Wed, Jan 16, 2013 at 9:39 AM, Ajas Mohammed ajash...@gmail.com wrote:

Thanks Charlie, Cameron for keeping us updated with the latest. Charlie, thanks for those blog entries. Really appreciate all your help.

Ajas Mohammed
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
By the way, what is the best way to confirm that the security patch has been applied successfully?

Personally, I could only tell based off 1) The CF Admin information page says Update Level /C:/ColdFusion9/lib/updates/hf900-9.jar 2) On my local CF install Windows 7, the timestamps on folders changed as I followed the steps. I noticed though on our QA servers (Windows 2003) the folder timestamps were weird, as in they didn't show modification datetime as the changes were being applied, which raised my curiosity.

So other than these 2 things, is there another way to verify that the patching process was successful?

Ajas Mohammed / iUseDropbox(http://db.tt/63Lvone9)
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are. No matter what, find a way. Because that's what winners do. You can't improve what you don't measure. Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.

On Wed, Jan 16, 2013 at 9:39 AM, Ajas Mohammed ajash...@gmail.com wrote:

Thanks Charlie, Cameron for keeping us updated with the latest. Charlie, thanks for those blog entries. Really appreciate all your help. [...]

On Wed, Jan 16, 2013 at 12:56 AM, Charlie Arehart char...@carehart.org wrote:

Ok, call off the alarm (those of you on 9.0.2). It turns out that the confusion about the new hotfix (regarding 9.0.2) was just a mistake in the technote. All is as it should be, and everyone ought to apply this hotfix ASAP. :-) [...]

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Charlie Arehart
Sent: Tuesday, January 15, 2013 3:44 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] New CF Vulnerability - Check your servers

Thanks for sharing it here, Cam. Do beware, though: for those on 9.0.2, there's a glitch in the hotfix (a missing web-inf.zip within the cf902.zip). [...]

/charlie
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Thanks Charlie, Cameron for keeping us updated with the latest. Charlie, thanks for those blog entries. Really appreciate all your help.

Ajas Mohammed / iUseDropbox(http://db.tt/63Lvone9)
http://ajashadi.blogspot.com

On Wed, Jan 16, 2013 at 12:56 AM, Charlie Arehart char...@carehart.org wrote:

Ok, call off the alarm (those of you on 9.0.2). It turns out that the confusion about the new hotfix (regarding 9.0.2) was just a mistake in the technote. All is as it should be, and everyone ought to apply this hotfix ASAP. :-) [...]

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Charlie Arehart
Sent: Tuesday, January 15, 2013 3:44 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] New CF Vulnerability - Check your servers

Thanks for sharing it here, Cam. Do beware, though: for those on 9.0.2, there's a glitch in the hotfix (a missing web-inf.zip within the cf902.zip). [...]

/charlie
RE: [ACFUG Discuss] New CF Vulnerability - Check your servers
Thanks for sharing it here, Cam. Do beware, though: for those on 9.0.2, there's a glitch in the hotfix (a missing web-inf.zip within the cf902.zip). I've added a comment on the blog entry that points to that (http://blogs.coldfusion.com/post.cfm/coldfusion-security-update-for-version-9-and-above), but obviously those who go straight to the technote wouldn't see that. Hopefully Adobe will fix this ASAP.

To be clear, this warning is only for those on 9.0.2. Those on 9.0, 9.0.1, or 10 should absolutely proceed with the hotfix as provided.

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Cameron Childress
Sent: Tuesday, January 15, 2013 1:56 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers

FYI - a hotfix was released today for this vulnerability:
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html

-Cameron

--
Cameron Childress
--
p: 678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985
RE: [ACFUG Discuss] New CF Vulnerability - Check your servers
Ok, call off the alarm (those of you on 9.0.2). It turns out that the confusion about the new hotfix (regarding 9.0.2) was just a mistake in the technote. All is as it should be, and everyone ought to apply this hotfix ASAP. :-)

BTW, since writing my comment earlier, I have come out with a part 3 entry, on the hotfix and more.
http://www.carehart.org/blog/client/index.cfm/2013/1/15/Part3_serious_security_threat

Still planning a part 4, with post mortem and more. A bit busy now to commit to when. :-)

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Charlie Arehart
Sent: Tuesday, January 15, 2013 3:44 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] New CF Vulnerability - Check your servers

Thanks for sharing it here, Cam. Do beware, though: for those on 9.0.2, there's a glitch in the hotfix (a missing web-inf.zip within the cf902.zip). [...]

/charlie
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
All, I received a new HackMyCF report on one of my sites earlier... It had a brand new CRITICAL error that I never saw before...

ComponentUtils Exposed to the Public
The /CFIDE/componentutils/ directory is open to the public; it should be locked down to prevent exploit.

I went and immediately locked it down like my existing administrator and adminapi directories... Is this related to all the compromised servers in the past month?

Ok, I did some searching and I found out that yes, this directory is listed by Adobe in their latest security bulletin. (and I assume is related to the recent hacks...) However, I think that it is important to share with the group...

On 01/03/2013 08:50 AM, Cameron Childress wrote:

FYI - worth reading up on this.
http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat

-Cameron
RE: [ACFUG Discuss] New CF Vulnerability - Check your servers
Yep, that is the same, and while they work on a real fix, that bulletin warns of some key things to lock down in the meantime (as I did in my blog entries, though /CFIDE/componentutils was not one I'd seen used in any of the compromises I found. It was always CFIDE/adminapi, and I have asked Adobe about that, since they make no mention of it.)

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Frank Moorman
Sent: Thursday, January 10, 2013 6:15 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers

All, I received a new HackMyCF report on one of my sites earlier... It had a brand new CRITICAL error that I never saw before... ComponentUtils Exposed to the Public: The /CFIDE/componentutils/ directory is open to the public; it should be locked down to prevent exploit. [...]

On 01/03/2013 08:50 AM, Cameron Childress wrote:

FYI - worth reading up on this.
http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat

-Cameron
Re: [ACFUG Discuss] New CF Vulnerability - Check your servers
Thanks Cameron! Already did.

ed
__
Ed Szwedo
Web Development Team Lead
ECS Team - ITS-EPA II Contractor
109 TW Alexander Drive, Building NCC, Mail Drop N176-05, Research Triangle Park, NC 27711
Information Technology Infrastructure Solutions | Office: (919)541-3955 | Fax: (919)541-3641 | szwedo...@epa.gov | www.ecs-federal.com

From: Cameron Childress camer...@gmail.com
To: discussion@acfug.org
Date: 01/03/2013 08:51 AM
Subject: [ACFUG Discuss] New CF Vulnerability - Check your servers
Sent by: ad...@acfug.org

FYI - worth reading up on this.
http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat

-Cameron