RE: CF on shared hosting
Yep, yours is probably still the only server they've done. They have been "doing the rest this week" for the last two weeks now.

-----Original Message-----
From: dave [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 15 June 2005 1:32
To: CF-Talk
Subject: RE: CF on shared hosting

i just checked mine and it's ok still, you should call them James.

~|
Find out how CFTicket can increase your company's customer support efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209506
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: CF on shared hosting
i just checked mine and it's ok still, you should call them James.

~Dave the disruptor~
"A criminal is a person with predatory instincts who has not sufficient capital to form a corporation."

From: "James Holmes" <[EMAIL PROTECTED]>
Sent: Tuesday, June 14, 2005 8:54 AM
To: CF-Talk
Subject: RE: CF on shared hosting

I can't elaborate on any fiddling with the java security policy - I'm just guessing that something might be possible (although I have doubts).

As for the JSP security problem, here are the links I've been sending to people:

http://www.macromedia.com/devnet/security/security_zone/mpsb02-04.html
http://www.robrohan.com/blog/index.cfm?mode=entry&entry=EDCB81D8-C8F0-B537-1824A53C962059D3

Note that I can still achieve the results of the second link on my current Smarterlinux account (as of 30 seconds ago, because I just checked).

-----Original Message-----
From: Robertson-Ravo, Neil (RX) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 June 2005 7:04
To: CF-Talk
Subject: RE: CF on shared hosting

Can you elaborate?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209443
RE: CF on shared hosting
Security through obscurity doesn't really resolve anything. While a step by step isn't necessary, a more enlightening description would be useful.

The next question would be how much of this impacts hosts that offer .jsp regardless of app server in shared hosting environments, or do any? (I've never looked for that kind of hosting, heck I haven't looked for shared hosting in 6 years for that matter).

- Calvin

-----Original Message-----
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 14, 2005 9:13 AM
To: CF-Talk
Subject: RE: CF on shared hosting

No, you aren't missing anything - it's just a demo of how failing to disable JSP can lead to a hacked website, because that's how I added the blog (hacking). I didn't really want to give a script kiddie step-by-step (there's enough out there already without giving them even more info) but I can send more details privately if you want.

-----Original Message-----
From: Damien McKenna [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 June 2005 9:05
To: CF-Talk
Subject: RE: CF on shared hosting

> http://www.robrohan.com/blog/index.cfm?mode=entry&entry=EDCB81
> D8-C8F0-B537-1824A53C962059D3

I don't see anything at this page beyond:

Guest Blogger - Shared Host Security
When sharing CF hosting with others, be aware that security is an issue. With Rob's permission, this post was created by me with no access other than a standard account on the same server. If security matters to you, ask your host to sandbox properly and disable JSP.
James Holmes

That's all it says. No explanation of *why*, no links, nufink. Am I missing something?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209441
RE: CF on shared hosting
Nah, it's much easier than that. I'll send the info privately now.

-----Original Message-----
From: Damien McKenna [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 June 2005 9:24
To: CF-Talk
Subject: RE: CF on shared hosting

> No, you aren't missing anything - it's just a demo of how failing to
> disable JSP can lead to a hacked website, because that's how I added
> the blog (hacking).

Ah, ok, now I get it. Doh! Scary.

So what did you do to insert the record? Did you trawl the server for config files, or something else?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209388
RE: CF on shared hosting
> No, you aren't missing anything - it's just a demo of how failing
> to disable JSP can lead to a hacked website, because that's how
> I added the blog (hacking).

Ah, ok, now I get it. Doh! Scary.

So what did you do to insert the record? Did you trawl the server for config files, or something else?

--
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209386
RE: CF on shared hosting
No, you aren't missing anything - it's just a demo of how failing to disable JSP can lead to a hacked website, because that's how I added the blog (hacking). I didn't really want to give a script kiddie step-by-step (there's enough out there already without giving them even more info) but I can send more details privately if you want.

-----Original Message-----
From: Damien McKenna [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 June 2005 9:05
To: CF-Talk
Subject: RE: CF on shared hosting

> http://www.robrohan.com/blog/index.cfm?mode=entry&entry=EDCB81
> D8-C8F0-B537-1824A53C962059D3

I don't see anything at this page beyond:

Guest Blogger - Shared Host Security
When sharing CF hosting with others, be aware that security is an issue. With Rob's permission, this post was created by me with no access other than a standard account on the same server. If security matters to you, ask your host to sandbox properly and disable JSP.
James Holmes

That's all it says. No explanation of *why*, no links, nufink. Am I missing something?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209384
RE: CF on shared hosting
> http://www.robrohan.com/blog/index.cfm?mode=entry&entry=EDCB81
> D8-C8F0-B537-1824A53C962059D3

I don't see anything at this page beyond:

Guest Blogger - Shared Host Security
When sharing CF hosting with others, be aware that security is an issue. With Rob's permission, this post was created by me with no access other than a standard account on the same server. If security matters to you, ask your host to sandbox properly and disable JSP.
James Holmes

That's all it says. No explanation of *why*, no links, nufink. Am I missing something?

--
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209382
RE: CF on shared hosting
I can't elaborate on any fiddling with the java security policy - I'm just guessing that something might be possible (although I have doubts).

As for the JSP security problem, here are the links I've been sending to people:

http://www.macromedia.com/devnet/security/security_zone/mpsb02-04.html
http://www.robrohan.com/blog/index.cfm?mode=entry&entry=EDCB81D8-C8F0-B537-1824A53C962059D3

Note that I can still achieve the results of the second link on my current Smarterlinux account (as of 30 seconds ago, because I just checked).

-----Original Message-----
From: Robertson-Ravo, Neil (RX) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 June 2005 7:04
To: CF-Talk
Subject: RE: CF on shared hosting

Can you elaborate?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209380
RE: CF on shared hosting
Can you elaborate?

-----Original Message-----
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: 14 June 2005 02:49
To: CF-Talk
Subject: RE: CF on shared hosting

The Jrun used with a CF Standalone install has no real security - you might try to edit the java security policy file directly but I doubt that would be easy. The JSP files then run with no sandboxing, able to view the entire server and do everything that an unsandboxed CF install can do.

-----Original Message-----
From: Calvin Ward [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 June 2005 2:10
To: CF-Talk
Subject: RE: CF on shared hosting

Why is Jrun unsuitable?

- Calvin

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209377
RE: CF on shared hosting
I would agree that CF Standalone is unsuitable for shared hosting.

- Calvin

-----Original Message-----
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 9:49 PM
To: CF-Talk
Subject: RE: CF on shared hosting

The Jrun used with a CF Standalone install has no real security - you might try to edit the java security policy file directly but I doubt that would be easy. The JSP files then run with no sandboxing, able to view the entire server and do everything that an unsandboxed CF install can do.

-----Original Message-----
From: Calvin Ward [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 June 2005 2:10
To: CF-Talk
Subject: RE: CF on shared hosting

Why is Jrun unsuitable?

- Calvin

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209376
RE: CF on shared hosting
The Jrun used with a CF Standalone install has no real security - you might try to edit the java security policy file directly but I doubt that would be easy. The JSP files then run with no sandboxing, able to view the entire server and do everything that an unsandboxed CF install can do.

-----Original Message-----
From: Calvin Ward [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 June 2005 2:10
To: CF-Talk
Subject: RE: CF on shared hosting

Why is Jrun unsuitable?

- Calvin

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209370
RE: CF on shared hosting
From: Calvin Ward [mailto:[EMAIL PROTECTED]
> > > - JSP should not be allowed to run on the CF server (for
> > > security reasons)
> >
> > Beyond the rationale that the bundled version of JRun is
> > unsuitable for shared hosting,
>
> Why is Jrun unsuitable?

If they're telling you to disable JSP then IMHO it is unsuitable for use for JSP-serving shared hosting. I'm still trying to work out the full details myself, especially as to whether any J2EE platforms are suitable for this.

--
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209329
RE: CF on shared hosting
Why is Jrun unsuitable?

- Calvin

-----Original Message-----
From: Damien McKenna [mailto:[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 11:41 AM
To: CF-Talk
Subject: RE: CF on shared hosting

> - For security, sandboxing should disable CFOBJECT/Createobject() (to
> prevent Java objects being instantiated)
> - JSP should not be allowed to run on the CF server (for security
> reasons)

Beyond the rationale that the bundled version of JRun is unsuitable for shared hosting, is there a reason to not support e.g. a different JSP container? I ask because I was considering switching to SmarterLinux for web hosting and they provide JSP using a non-JRun container.

--
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209324
RE: CF on shared hosting
I'm still waiting for the security on those SmarterLinux JSP installs (since I can still traverse my SmarterLinux server), but anything that has a manageable security policy is OK.

-----Original Message-----
From: Damien McKenna [mailto:[EMAIL PROTECTED]
Sent: Monday, 13 June 2005 11:41
To: CF-Talk
Subject: RE: CF on shared hosting

> - For security, sandboxing should disable CFOBJECT/Createobject() (to
> prevent Java objects being instantiated)
> - JSP should not be allowed to run on the CF server (for security
> reasons)

Beyond the rationale that the bundled version of JRun is unsuitable for shared hosting, is there a reason to not support e.g. a different JSP container? I ask because I was considering switching to SmarterLinux for web hosting and they provide JSP using a non-JRun container.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209298
RE: CF on shared hosting
> - For security, sandboxing should disable CFOBJECT/Createobject() (to
> prevent Java objects being instantiated)
> - JSP should not be allowed to run on the CF server (for security
> reasons)

Beyond the rationale that the bundled version of JRun is unsuitable for shared hosting, is there a reason to not support e.g. a different JSP container? I ask because I was considering switching to SmarterLinux for web hosting and they provide JSP using a non-JRun container.

--
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209295
RE: CF on shared hosting
If no-one comes up with any existing resources I'd be happy to collect the info and blog it. I've been going on about shared host security for a while and many of the people on this list have had various experiences with shared hosting.

Some basic ideas that come to mind as being worth discussion (i.e. I'm not claiming they are cast in stone as best practices but they make sense to me) are:

- Shared CF should be done on CF Enterprise; security is near impossible on shared CF standard
- All accounts need to be sandboxed for file access
- For security, sandboxing should disable CFOBJECT/Createobject() (to prevent Java objects being instantiated)
- JSP should not be allowed to run on the CF server (for security reasons)
- Server accounts (FTP, SSH) need to be set up such that people can't read others' files via directory browsing
- Either datasource usernames and passwords should be in the code and not saved in the CF Admin or all datasources should be sandboxed
- Application scope data should contain no vital info as everyone on the server has access to your application scope if they can determine the application name (which should be hard to predict and unique server-wide)
- Tags and CFCs in custom tag paths and mappings should have a server-wide unique name and should have a unique directory name in the calling path in the case of CFCs

I demonstrated the results possible when some of the above are missing here:
http://www.robrohan.com/blog/index.cfm?mode=entry&entry=EDCB81D8-C8F0-B537-1824A53C962059D3

-----Original Message-----
From: Anthony Crawford [mailto:[EMAIL PROTECTED]
Sent: Sunday, 12 June 2005 10:39
To: CF-Talk
Subject: CF on shared hosting

Hi

I am wondering if there are any resources on the net that describe best practices or FAQ's wrt building apps that are hosted on shared accounts.

thanks

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:209251
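Two of the items in James's list above (a hard-to-predict, server-wide unique application name, and datasource credentials kept in the code rather than stored in the CF Administrator) can be shown in an Application.cfc plus one query page. The following is an added example written for this thread, not code posted by anyone on the list or by any hosting provider; the application name literal, the datasource name "mysite_ds", the database user, the "customer" table and the file names are all constructed placeholders.

```cfml
<!--- Application.cfc (added example, not from the thread) --->
<cfcomponent output="false">

    <!--- Hard-to-guess, server-wide unique application name.
          Generate the random part once (e.g. with createUUID()) and paste it
          here; never derive it from the site name or directory, since another
          tenant who guesses this.name can read your application scope. --->
    <cfset this.name = "mysite-4f1c9e7a-2b3d-4a5e-8c6f-0d1e2f3a4b5c">
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Database credentials live in code, so the CF Admin datasource
          entry "mysite_ds" is created with an empty username/password and is
          useless to anyone who only knows its name. The variables scope of
          Application.cfc is per-request and is not shared with other tenants
          (assumption: placeholder credentials, replace before use). --->
    <cfset variables.dbUser = "mysite_app">
    <cfset variables.dbPass = "REPLACE-WITH-REAL-PASSWORD">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Only non-sensitive configuration goes into the application scope;
              anything secret stays out because the scope is readable by any
              request on the server that supplies the same this.name. --->
        <cfset application.siteTitle = "Example site">
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Hand the credentials to the page through the request scope,
              which exists only for the duration of this request. --->
        <cfset request.dbUser = variables.dbUser>
        <cfset request.dbPass = variables.dbPass>
        <cfreturn true>
    </cffunction>

</cfcomponent>

<!--- customers.cfm (added example page under the same Application.cfc) --->
<!--- The username/password attributes of cfquery override (here: supply)
      the credentials for the named datasource, so nothing is stored in the
      CF Administrator. cfqueryparam keeps the id out of the SQL text. --->
<cfparam name="url.id" type="integer" default="0">
<cfquery name="customers" datasource="mysite_ds"
         username="#request.dbUser#" password="#request.dbPass#">
    SELECT id, name
    FROM customer
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfoutput query="customers">#customers.id#: #customers.name#<br></cfoutput>
```

Keeping credentials in the code only helps if the other items in the list hold as well: the host must sandbox file access so that other accounts cannot read your Application.cfc, and the directory must not be browsable over FTP or SSH by other tenants. Without that, the password in the file is no better protected than one saved in the CF Administrator.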