Actually, HoF has been on CF 5 since the lists were moved to the new box. I
ran a few security checkers against it and it's cool. I'm installing CF 2 on
my laptop to test this out. I want to know the problem not to tell everyone
how to use it but to see its limitations. If Website will not have the
performance hit but IIS will, I want to know. The more time goes by the more
I'm finding out and thankfully MM keeps coming out with info to tell me if
I'm on the right path or not. :)

> > posts on this. I don't know. That's really the whole problem on my side. I
> > want to know. I need to know.
>
> I guess if Damon's right and you wait a few days without patching then
> you'll find out soon enough!
>
> I understand your frustration though.
>
> Rock = Disclose details and let script kiddies maim and destroy
> Hard Place = Keep schtum and hope developers and sysadmins patch up and
> shaddap.
>
>
> -------------------------------------------------------
> Rich Wild
> Senior Web Developer
>
> -------------------------------------------------------
> e-mango.com ltd                      Tel: 01202 587 400
> Lansdowne Place                      Fax: 01202 587 401
> 17 Holdenhurst Road
> Bournemouth                   Mailto:[EMAIL PROTECTED]
> BH8 8EW, UK                      http://www.e-mango.com
> -------------------------------------------------------
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: 12 July 2001 15:36
> > To: CF-Talk
> > Subject: Re: UPDATE: Suggested Security Patch Workarounds
> >
> >
> > This is the whole reason I keep saying "theory" and "potential" for all my
> > posts on this. I don't know. That's really the whole problem on my side. I
> > want to know. I need to know. If this is a stub problem then what are the
> > 'vectors' of it? Is it an implementation of the HTTP protocol in the stub,
> > something in the way it's passing info from the webserver to CF? Is it the
> > same on all webservers and operating systems? Has it been reported before on
> > other platforms or languages and are others in danger?
> >
> > > Unfortunately, Mike's proposed workaround below will not work. There is no
> > > known workaround to the issue. It affects all servers, regardless of
> > > application, security contexts, HTTP method filtering, port, etc.
> > >
> > > Unless you completely trust every end user who is able to connect to your
> > > ColdFusion server machine, the patch must be applied to production servers
> > > to be secure from these vulnerabilities.
> > >
> > > Please refer to the updated Security Bulletin on the Security Zone
> > > (http://www.allaire.com/security) and associated FAQ for answers to these
> > > and other commonly asked questions.
> > >
> > > We can't overemphasize the importance of applying the patch immediately to
> > > all affected servers.
> > >
> > > While we are not aware of any known exploit attempts using these
> > > vulnerabilities, we believe it's just a matter of time before hackers turn
> > > their attention to this Bulletin and begin reverse engineering efforts to
> > > determine the exploit details. We want to give our customers the largest
> > > window of opportunity to apply the patch before that happens. It may just
> > > be a matter of days before hackers successfully begin probing sites for
> > > servers vulnerable to exploit attempts.
> > >
> > > Fortunately, because the vulnerabilities were discovered internally in the
> > > course of a routine product security audit, rather than external
> > > notification, customers have the advantage at the moment of being notified
> > > of the problem, have a patch available and can apply the fix before hackers
> > > are able to begin probing expeditions. But as we know, the clock is surely
> > > ticking, so (again), it's critical that administrators apply the patch
> > > without delay to protect their servers.
> > >
> > > Please forward any direct inquiries regarding this or other product
> > > security-related issues to [EMAIL PROTECTED]
> > >
> > > Thanks
> > >
> > > Damon Cooper
> > >
> > > ==========
> > > Date: Wed, 11 Jul 2001 17:02:07 -0400
> > > From: [EMAIL PROTECTED] (Michael Dinowitz)
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Important ColdFusion Security Patch Released Today
> > > Message-ID: <00df01c10a4c$c56c83e0$[EMAIL PROTECTED]>
> > >
> > > There is a potential workaround if what I'm seeing is true. Have your
> > > webserver block any HTTP method other than GET and POST. If your webserver
> > > can do that, you should be safe. I'll say more later.
> > >
>
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists