If you are using sandbox security, which under the hood probably uses JAAS, this shouldn't be possible. Besides... who allows someone to write to the lib dir anyway?
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his
own opinion, however different that opinion might be to mine. He who
denies another this right makes a slave of himself to his present
opinion, because he precludes himself the right of changing it."
-- Thomas Paine, 1783
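The two hardening points raised in this thread (don't run the CF service as a built-in high-privilege account, and don't let anyone write to the lib directory) can be checked from an administrative PowerShell session. The script below is an added example written for this reply, not something posted by anyone on the list or shipped with ColdFusion; the service name pattern and the lib path are assumptions passed as parameters and must be adjusted for the actual install.

```powershell
# Added example (not from the thread): audit the ColdFusion service account and
# the ACL on its lib directory. ASSUMPTIONS: the service name pattern and the
# lib path below are placeholders; set them for your installation.
param(
    [string]$ServiceNamePattern = 'ColdFusion*',   # assumption: match the installed service name
    [string]$LibDir = 'C:\ColdFusion\lib'           # placeholder path, not a known default
)

$findings = @()

# 1. Which account does the service run as? LocalSystem and the built-in
#    service accounts are either all-powerful or shared with other services.
$builtin = '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService|SYSTEM))$'
$services = Get-CimInstance Win32_Service | Where-Object { $_.Name -like $ServiceNamePattern }
if (-not $services) { Write-Warning "No service matched '$ServiceNamePattern'" }
foreach ($svc in $services) {
    $acct = $svc.StartName
    if ($acct -match $builtin) {
        $findings += "Service '$($svc.Name)' runs as $acct; use a dedicated low-privilege account"
    } else {
        Write-Host "Service '$($svc.Name)' runs as $acct"
    }
}

# 2. Can broad principals (or the service account itself) write to the lib
#    directory? Anything dropped there is loaded by the JVM.
if (Test-Path -Path $LibDir) {
    $acl = Get-Acl -Path $LibDir
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $broad += ($services | ForEach-Object { $_.StartName })
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in $acl.Access) {
        $hasWrite = ([int]($ace.FileSystemRights -band $writeBits)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $hasWrite -and
            $broad -contains $ace.IdentityReference.Value) {
            $findings += "$LibDir grants write access to $($ace.IdentityReference.Value)"
        }
    }
} else {
    Write-Warning "Lib directory '$LibDir' not found"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'No findings: service account is dedicated and lib directory is not broadly writable'
```

Run it elevated so Get-Acl can read the directory security descriptor; a non-zero exit code makes it easy to wire into a build or scheduled compliance check. The ACE test is deliberately narrow (explicit Allow entries for the listed principals); inherited rights from a parent directory show up in the same Access collection, so they are covered too.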
On Aug 1, 2007, at 4:34 PM, John Mason wrote:
You're right and it's been posted a few years ago so it's not news really.
This is one of the reasons I wish CF was more open source to begin with, but here you guys go. If you have cfobject (java) enabled, this script simply writes and compiles a java class in the lib directory. This then opens up the ability to do other things. This dates back to when CF made the jump into java. I believe this is more an issue with Jrun4 really than CF.
http://securitytracker.com/alerts/2004/Oct/1011475.html
John
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Wednesday, August 01, 2007 3:32 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CF Service Account
Well the point is really you can't secure what you don't know about. CF can be a very secure platform if you know how to secure it and write secure code on top of it. Hiding details on security vulnerabilities does nothing to help the situation, the blackhats know the details and the rest of us are left to defend ourselves.
Honestly, I'm too lazy (er, busy!) right now to go look up the specifics on this vulnerability that is mentioned here...
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
On Aug 1, 2007, at 3:28 PM, Kevin wrote:
"Security by obscurity is not a good mechanism... let everyone see."
Yes really...
That's what MS does... Hide everything so you can't see the holes?
This community may find out you're NOT as secure as you thought?
On 8/1/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
Security by obscurity is not a good mechanism... let everyone see.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not
that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
On Aug 1, 2007, at 3:24 PM, John Mason wrote:
Dean, I'll need to email you off list after the meeting. I naturally don't like sharing that stuff in the open for everyone to see.
For everyone out there - needless to say, don't just depend on the CF level of security. Security should always include multiple layers. Otherwise it won't hold up very well.
John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting. Now offering ColdFusion 8 Enterprise hosting. FREE Subversion hosting.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Wednesday, August 01, 2007 3:17 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CF Service Account
Sandbox security is fine when it is backed up by OS-level security.
What hack do you refer to? That's a new one on me.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"[U]nconstitutional behavior by the authorities is constrained only
by the peoples' willingness to contest them"
--John Perry Barlow
On Aug 1, 2007, at 3:12 PM, John Mason wrote:
There's some, but there's a known remote java class hack to get around it. I'm testing CF8 for this issue. Bluedragon doesn't have this issue by the way. For a lot of things sandboxing is certainly good if people would just use it ;) But if you have COM objects on and CF is running under the local service account, which a lot of people do for some reason, you can pretty much do anything you want to a server. Taking CF off the local service account resolves a lot of known security issues outright and it's easy to implement. That's why I jump on that whenever possible.
John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting. Now offering ColdFusion 8 Enterprise hosting. FREE Subversion hosting.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Arehart
Sent: Wednesday, August 01, 2007 2:59 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] CF Service Account
No value in the resource/sandbox security? :-) /charlie
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Saxon
Sent: Wednesday, August 01, 2007 2:05 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] CF Service Account
Thank you John and Dean for your feedback. The CF script needs to write the contents of a web form to a folder on another server so that an application on that server can read in the form results.
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
--
<K />
"A government big enough to give you everything you want, is strong enough to take everything you have."
-Thomas Jefferson
"If you're a horse, and someone gets on you, and falls off, and then gets right back on you; I think you should buck him off right away."
-Today's deep thoughts
"The winner in any meeting is the one with the highest caffeine resistance and bladder capacity" -Roger Wright
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------