Lately I've only been allowing the ".dean" extension. Seems to be
*somewhat* safe. A couple of years ago the .dean's might have been
occasionally dangerous;)
----- Original Message ----
From: Dean H. Saxe <[EMAIL PROTECTED]>
To: discussion@acfug.org
Sent: Thursday, July 10, 2008 2:58:25 PM
Subject: Re: [ACFUG Discuss] Minimum required permissions
But that is incomplete, since you can only look at mime types and
extensions, both of which can be forged. Unless you are doing object
validation, of course, but that is doubtful. See JHOVE for a
potential object validation framework.
In any case, it is always a bad idea to allow writing to the web tree
at all. If the files later need to be served, you can do so with
cffile.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his own
opinion, however different that opinion might be to mine. He who
denies another this right makes a slave of himself to his present
opinion, because he precludes himself the right of changing it."
-- Thomas Paine, 1783
On Jul 10, 2008, at 2:50 PM, shawn gorrell wrote:
> Oh, yeah that. I normally do that by only allowing specific
> filetypes that the app needs. No writing of CFML(or other
> potentially dangerous) files.
>
> ----- Original Message ----
> From: Dean H. Saxe <[EMAIL PROTECTED]>
> To: discussion@acfug.org
> Sent: Thursday, July 10, 2008 2:21:40 PM
> Subject: Re: [ACFUG Discuss] Minimum required permissions
>
> If you write a file, do so outside of the application directory
> structure. ;-) Using a protected directory structure for the
> application itself prevents malicious writing/overwriting of files.
>
> -dhs
>
>
> Dean H. Saxe, CISSP, CEH
> [EMAIL PROTECTED]
> "What difference does it make to the dead, the orphans, and the
> homeless, whether the mad destruction is wrought under the name of
> totalitarianism or the holy name of liberty and democracy? "
> --Gandhi
>
>
>
> On Jul 10, 2008, at 2:12 PM, shawn gorrell wrote:
>
> > Ummm, if the application needed to write a file. ;)
> >
> > If you didn't need to write files ever in that app, then read only
> > would be fine.
> >
> > ----- Original Message ----
> > From: Dean H. Saxe <[EMAIL PROTECTED]>
> > To: discussion@acfug.org
> > Sent: Thursday, July 10, 2008 2:06:12 PM
> > Subject: Re: [ACFUG Discuss] Minimum required permissions
> >
> > Why would CF need to modify (or have write privileges at all) on
the
> > directories containing CFML sites/code? Shouldn't read-only
> > privileges there be sufficient?
> >
> > -dhs
> >
> >
> > Dean H. Saxe, CISSP, CEH
> > [EMAIL PROTECTED]
> > "[T]he people can always be brought to the bidding of the leaders.
> > This is easy. All you have to do is to tell them they are being
> > attacked, and denounce the pacifists for lack of patriotism and
> > exposing the country to danger. It works the same in every
country."
> > --Hermann Goering, Hitler's Reich-Marshall at the Nuremberg
> Trials
> >
> >
> >
> > On Jul 10, 2008, at 1:58 PM, John Mason wrote:
> >
> > > Here's the basic run down.
> > >
> > > Create a new account called 'coldfusion'
> > > Go into Local Security Policy -> Local Policies -> User Rights
> > > Assignment
> > > Add the 'coldfusion' account to..
> > > - Deny log on locally
> > > - Deny log on through Terminal Services
> > > - Log on as a service
> > >
> > > Next go to regedt32
> > > GIve the 'coldfusion' account permissions to modify to
> > > following (if you have ODBC datasources only)
> > > HKLM/SOFTWARE/Microsoft/ODBC
> > >
> > > Now go into File Explorer
> > > Give Modify permissions to the following directories
> > > .../CFIDE
> > > .../ColdFusion8 or .../JRUN4 (also if you are using a
> > > different JVM, the account there's permissions there as well)
> > > Then any directories that contain the cfml sites and code
> > >
> > > Next go into Services
> > > Change into the CF service properties and click the 'Log
> On'
> > > tab
> > > Switch the user from 'Local System' to the 'coldfusion'
> > > account and enter the password
> > > Click apply and then restart services - it shoudl
properly
> > > restart under the new account
> > >
> > >
> > > John Mason
> > > [EMAIL PROTECTED]
> > > 770.337.8363
> > >
> > > www.FusionLink.com - ColdFusion and Flex hosting
> > > Now offering VPS Plans running with VMware technology
> > > Now offering ColdFusion 8 Enterprise hosting
> > > FREE Subversion hosting
> > >
> > > This e-mail message and all attachments transmitted with it may
> > > contain legally privileged and/or confidential information
> intended
> > > solely for the use of the addressee(s). If the reader of this
> > > message is not the intended recipient, you are hereby notified
> that
> > > any reading, dissemination, distribution, copying, forwarding or
> > > other use of this message or its attachments is strictly
> prohibited.
> > > If you have received this message in error, please notify the
> sender
> > > immediately and delete this message and all copies and backups
> > > thereof.
> > >
> > >
> > >
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
shawn
> > > gorrell
> > > Sent: Thursday, July 10, 2008 9:12 AM
> > > To: discussion@acfug.org
> > > Subject: [ACFUG Discuss] Minimum required permissions
> > >
> > > Hoping that maybe Dave Watts is paying attention to the list
> > today...
> > >
> > > I've been looking for a list of directories and permissions
> > > necessary for using a domain account to run CF on Windows (as
> > > opposed to Local System), and having little luck. There is an
> > > article about CF on IIS on the Adobe site, but it is for CF7 and
> is
> > > incomplete. Dave did a presentation on a similar topic an
referred
> > > to an article on defusion that looked like it should have the
> info,
> > > but defusion is dead. Haven't been able to dig up anything else
> > > useful on Google.
> > >
> > > Does anyone have a list like that? I can kind of guess and
test my
> > > way through it, but a list would save a ton of time.
> > >
> > > Thanks
> > >
> > >
> > > -------------------------------------------------------------
> > > To unsubscribe from this list, manage your profile @
> > > http://www.acfug.org?fa=login.edituserform
> > >
> > > For more info, see http://www.acfug.org/mailinglists
> > > Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> > > List hosted by FusionLink
> > > -------------------------------------------------------------
> > >
> > > -------------------------------------------------------------
> > > To unsubscribe from this list, manage your profile @
> > > http://www.acfug.org?fa=login.edituserform
> > >
> > > For more info, see http://www.acfug.org/mailinglists
> > > Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> > > List hosted by FusionLink
> > > -------------------------------------------------------------
> >
> >
> >
> > -------------------------------------------------------------
> > To unsubscribe from this list, manage your profile @
> > http://www.acfug.org?fa=login.edituserform
> >
> > For more info, see http://www.acfug.org/mailinglists
> > Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> > List hosted by http://www.fusionlink.com
> > -------------------------------------------------------------
> >
> >
> >
> >
> > -------------------------------------------------------------
> > To unsubscribe from this list, manage your profile @
> > http://www.acfug.org?fa=login.edituserform
> >
> > For more info, see http://www.acfug.org/mailinglists
> > Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> > List hosted by FusionLink
> > -------------------------------------------------------------
>
>
>
> -------------------------------------------------------------
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -------------------------------------------------------------
>
>
>
>
> -------------------------------------------------------------
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by FusionLink
> -------------------------------------------------------------
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
