Re: ColdFusion is vulnerable?

2000-11-02 Thread Angel Stewart

I disagree.
Especially with Microsoft Products.
With that company I have resigned myself to taking a wait-and-see approach.
If what I have now works, and works well, then I am not going to upgrade to
the 'next best thing'.

When the first patch or "Service Pack" comes out, I go see what was fixed,
and what the bugs were.

The thing is that when MS released IE5.5, just to use an example, the
updates for IE5.0 fixed the holes anyway.

So my suggestion when dealing with Microsoft as an end user is to install the
updates regularly.
Especially if you have a broadband connection... there's no excuse.
Use the Windows Update facility.

As for upgrading to the latest thing? I say don't upgrade a Microsoft
product unless you have a compelling reason to (some hot feature you really
need). And for their new releases, I would suggest waiting for the first
Service Pack (which in the case of win2k was out almost as soon as the OS
was being sold in stores wasn't it? ;-) )

Ciao!
-Gel,who is still running Windows 98 SE and IE5.01 at home.

- Original Message -
From: Scott, Andrew [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, November 01, 2000 10:32 PM
Subject: RE: ColdFusion is vulnerable?


 Mike,

 It didn't say that Coldfusion was ranked number 2 in security flaws, it used
 cgi as an example of which Coldfusion is based on as is ASP,Perl,Awk,C++ to
 name a few. However in reading the article I did notice a concern that
 struck me hard.

 The world has come to accept that we have applications out there that have
 major problems, we accept the fact that a new release will always bring
 about new problems, however companies like MS have not made it clear enough
 that problems/patches/service packs are needed to secure holes in the likes
 of IIS/Internet Explorer etc.

 I like the fact that as soon as something security wise is known with CF,
 it's posted on the allaire security page. But how many users of Internet
 Explorer actually know that v4 has numerous security holes, and there are
 probably x amount unknown hidden away in IE5.5 and continue to use it. With
 every new release these security holes might have been fixed, plus many new
 enhancements. But if for argument's sake IE6 was released, people would not
 upgrade straight away and wait for known issues.

 I can accept their concerns, but these known issues might already have
 been in previous versions. Anyway it's not always clear that if a problem
 exists the average user is not aware of it. I know people who download the
 latest stuff all the time, and use it and complain that this doesn't work
 etc. Well if you use a beta copy then you deserve the hardache I guess, but
 if it's not a beta there is no real release to the public of such issues,
 enhancements or patches to such applications. We as a development community
 know the ins/outs of most of these and know how to keep in touch with the
 latest patches etc., but average users do not.

 Sorry for being off topic a little, but it needed to be pointed out I
 thought! Awareness, it makes it so hard when dealing with clients :-)





 regards

 Andrew Scott
 Senior Cold Fusion Application Developer






Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists or send a message 
with 'unsubscribe' in the body to [EMAIL PROTECTED]



Re: ColdFusion is vulnerable?

2000-11-02 Thread Jon Hall

Actually no, SP1 for Win2k was not out for at least 3-4 months after Win2k
came out and it was delayed. Not to mention Win2k SP1 has caused problems
with Cold Fusion 4.51 server on some of our web servers, causing runaway
processor utilization.

jon
 need). And for their new releases, I would suggest waiting for the first
 Service Pack (which in the case of win2k was out almost as soon as the OS
 was being sold in stores wasn't it? ;-) )

 Ciao!
 -Gel,who is still running Windows 98 SE and IE5.01 at home.






ColdFusion is vulnerable?

2000-11-01 Thread Mike Connolly

Have a look at this article listing ColdFusion as number 2 in top 10
internet security threats...
http://www.sans.org/topten.htm

Comments on a postcard please?



---
Any opinions expressed in this message are those of the individual and not necessarily 
the company.  This message and any files transmitted with it are confidential and 
solely for the use of the intended recipient.  If you are not the intended recipient 
or the person responsible for delivering to the intended recipient, be advised that 
you have received this message in error and that any use is strictly prohibited.

Sapphire Technologies Ltd
http://www.sapphire.net




RE: ColdFusion is vulnerable?

2000-11-01 Thread Stephen Moretti


 Have a look at this article listing ColdFusion as number 2 in top 10
 internet security threats...
 http://www.sans.org/topten.htm

 Comments on a postcard please?


Mike,

That is a really OLD article and it doesn't actually say _coldfusion_ is
number 2 top internet security risk.  It actually says any _CGI_ is a number
2 security risk (that includes perl, TCL, PGP, JSP anything you can name)
and mostly from sample apps being left on the server and security patches
not being installed.


Sapphire is a part of a security firm - you already have all of the patches
(and more) installed on your servers, so you should be as ok as any server
can be.  Just make sure that having installed all the security patches,
you've removed the sample apps and made any other recommended adjustments to
the server.

See http://www.allaire.com/security

Regards

Stephen





Re: ColdFusion is vulnerable?

2000-11-01 Thread Gavin Lilley

On Wed, 01 Nov 2000, you wrote:
 Have a look at this article listing ColdFusion as number 2 in top 10
 internet security threats...
 http://www.sans.org/topten.htm

This is talking about vulnerable sample programs which should be stripped from
the server. All systems have sample apps - is Northwind still the MS favourite?

-- 
Gavin Lilley
Internet / Intranet Developer
 - Halesowen College
http://halesowen.ac.uk - 0121 602 4477




RE: ColdFusion is vulnerable?

2000-11-01 Thread Stephen Moretti


Whoops - I didn't mean PGP - I actually mean - PHP - slip of the finger
there!

Sorry!

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
 Behalf Of Stephen Moretti
 Sent: Wednesday, 01 November 2000 11:25
 To: [EMAIL PROTECTED]; Cf-Talk@Houseoffusion. Com
 Cc: Mike Connolly
 Subject: RE: ColdFusion is vulnerable?


 
  Have a look at this article listing ColdFusion as number 2 in top 10
  internet security threats...
  http://www.sans.org/topten.htm
 
  Comments on a postcard please?
 

 Mike,

 That is a really OLD article and it doesn't actually say _coldfusion_ is
 number 2 top internet security risk.  It actually says any _CGI_ is a number
 2 security risk (that includes perl, TCL, PGP, JSP anything you can name)
 and mostly from sample apps being left on the server and security patches
 not being installed.


 Sapphire is a part of a security firm - you already have all of the patches
 (and more) installed on your servers, so you should be as ok as any server
 can be.  Just make sure that having installed all the security patches,
 you've removed the sample apps and made any other recommended adjustments to
 the server.

 See http://www.allaire.com/security

 Regards

 Stephen







Re: ColdFusion is vulnerable?

2000-11-01 Thread Len Conrad


Have a look at this article listing ColdFusion as number 2 in top 10
internet security threats...
http://www.sans.org/topten.htm

Comments on a postcard please?

I invoke your own tag, it works very well, thanks.

<CF_IGNORE User="Mike Connolly">

<CFX_TALKINGARSE User="Mike Connolly">

<CFABORT>

Len

http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5  8.2.3 T6B for NT4  W2K
http://IMGate.MEIway.com:  Build free, hi-perf, anti-spam mail gateways





RE: ColdFusion is vulnerable?

2000-11-01 Thread Steve Pierce

Someone wrote:
 number 2 in top 10 internet security threats...

This would only be true if ASP is number one.

On the SANS Website it said:
 Allaire's ColdFusion is a web server application package which
 includes vulnerable sample programs when installed. As a general
 rule, sample programs should always be removed from production systems.

Duh, any operating system or server install that has sample apps that can be
a problem. CF is not unique here. Yet CF has had far fewer problems than IIS
and ASP.

Seriously, though unfair to single out CF, he is right, CGI in general is
very vulnerable. But to lump CF in this case is unfair and probably
indicates that the author has an axe to grind or ox to gore outside of the
scope of this article.

 - Steve


-Original Message-
From: Len Conrad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 01, 2000 6:56 AM
To: CF-Talk
Subject: Re: ColdFusion is vulnerable?



Have a look at this article listing ColdFusion as number 2 in top 10
internet security threats...
http://www.sans.org/topten.htm

Comments on a postcard please?





RE: ColdFusion is vulnerable?

2000-11-01 Thread Scott, Andrew

Mike,

It didn't say that Coldfusion was ranked number 2 in security flaws, it used
cgi as an example of which Coldfusion is based on as is ASP,Perl,Awk,C++ to
name a few. However in reading the article I did notice a concern that
struck me hard.

The world has come to accept that we have applications out there that have
major problems, we accept the fact that a new release will always bring
about new problems, however companies like MS have not made it clear enough
that problems/patches/service packs are needed to secure holes in the likes
of IIS/Internet Explorer etc.

I like the fact that as soon as something security wise is known with CF,
it's posted on the allaire security page. But how many users of Internet
Explorer actually know that v4 has numerous security holes, and there are
probably x amount unknown hidden away in IE5.5 and continue to use it. With
every new release these security holes might have been fixed, plus many new
enhancements. But if for argument's sake IE6 was released, people would not
upgrade straight away and wait for known issues.

I can accept their concerns, but these known issues might already have
been in previous versions. Anyway it's not always clear that if a problem
exists the average user is not aware of it. I know people who download the
latest stuff all the time, and use it and complain that this doesn't work
etc. Well if you use a beta copy then you deserve the hardache I guess, but
if it's not a beta there is no real release to the public of such issues,
enhancements or patches to such applications. We as a development community
know the ins/outs of most of these and know how to keep in touch with the
latest patches etc., but average users do not.

Sorry for being off topic a little, but it needed to be pointed out I
thought! Awareness, it makes it so hard when dealing with clients :-)





regards

Andrew Scott
Senior Cold Fusion Application Developer



-Original Message-
From: Mike Connolly [mailto:[EMAIL PROTECTED]]
Sent: 01 November 2000 22:17
To: CF-Talk
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: ColdFusion is vulnerable?


Have a look at this article listing ColdFusion as number 2 in top 10
internet security threats...
http://www.sans.org/topten.htm

Comments on a postcard please?



---
Any opinions expressed in this message are those of the individual and not
necessarily the company.  This message and any files transmitted with it are
confidential and solely for the use of the intended recipient.  If you are
not the intended recipient or the person responsible for delivering to the
intended recipient, be advised that you have received this message in error
and that any use is strictly prohibited.

Sapphire Technologies Ltd
http://www.sapphire.net

