RE: Shared CF Host security
> At the moment, if you use GetPageContext().include() on a JSP on my SmarterLinux server you get a null pointer exception. Regardless, 2 is the case and the code will run in the CF security context of the calling page. The CF sandboxing takes over in this case. Anyone can verify this on their own dev server (as I have just done). Since the server is sandboxed this is perfectly acceptable.

Good, good. It's about time something went my way. :-)

Anyone else care to poke at this security update and see if it's got any holes?

~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:208695
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Shared CF Host security
I thought I posted this the other day, but it didn't update for some reason. Here it is again:

Never let it be said that HostMySite.com doesn't listen to its customers. After much work we've been able to find a fix for the security issue that allows safe execution of JSP and CF.

On our Linux servers, we actually run two J2EE environments - JRun and Resin. While JRun does handle the Java processing for ColdFusion, Resin handles the requests for JSP pages and servlets. Java implements a security policy system that can prevent access. We have implemented security management in the Resin server to prevent JSP pages from being able to read arbitrary files on the server. We have restricted code from each customer's home directory to:

1) a lengthy list of files and directories that Java and Resin require internally
2) log files for the site and for Resin
3) that customer's home directory.

If anyone has any questions about this or needs any further information, feel free to post or send me a question off-list. Thanks again for bringing this to our attention!
RE: Shared CF Host security
James,

Can you send me an email ([EMAIL PROTECTED]) with your domain name? I'll check on your server and see if it's misbehaving, and if so get it locked down by the end of the day.

> Well, this isn't the case on my SmarterLinux server. I can still browse, download and view every file on the server using JSP.
Re: Shared CF Host security
Jochem,

Can you email me offlist with what you're interested in? [EMAIL PROTECTED] Thanks!

> > So, security in a shared hosting environment isn't exactly a myth, it just takes a little more work and flexibility. If anyone needs a more technical explanation of what we did, please let me know via email and/or a post here and I'd be happy to assist.
>
> I am very interested.
>
> Jochem
RE: Shared CF Host security
Ok somehow I doubled the thread and made two. Sorry!

> I thought I posted this the other day, but it didn't update for some reason. Here it is again:
RE: Shared CF Host security
> > We actually run two J2EE environments - JRun and Resin. While JRun does handle the Java processing for ColdFusion, Resin handles the requests for JSP pages and servlets.
>
> What happens if you use getPageContext.include() from within a CFML page to invoke a JSP page directly?

Good question. There are two possibilities:

1) CF makes the request for the page via Apache (as I think it *should*, to preserve the users' preferences about type handling, rewrites and other such web server configurations). In this case, the JSP is still handled through Resin, same situation applies.

2) CF hijacks it straight to JRun (which I think is more likely, since the user has put JSP code into a ColdFusion page, supposing that CF will happily run JSP code from a .cfm page. Not sure if that's correct behavior or not.). In this case, they have avoided the security we have implemented.

Anyone care to test this? Dave your account is on the only server running this config on our network right now - can you test what he's talking about?

Also, we'll have the other Linux CF servers done over the weekend, I believe.
RE: Shared CF Host security
At the moment, if you use GetPageContext().include() on a JSP on my SmarterLinux server you get a null pointer exception. Regardless, 2 is the case and the code will run in the CF security context of the calling page. The CF sandboxing takes over in this case. Anyone can verify this on their own dev server (as I have just done). Since the server is sandboxed this is perfectly acceptable.

-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Saturday, 4 June 2005 3:11
To: CF-Talk
Subject: RE: Shared CF Host security

> > > We actually run two J2EE environments - JRun and Resin. While JRun does handle the Java processing for ColdFusion, Resin handles the requests for JSP pages and servlets.
> >
> > What happens if you use getPageContext.include() from within a CFML page to invoke a JSP page directly?
>
> Good question. There are two possibilities:
>
> 1) CF makes the request for the page via Apache (as I think it *should*, to preserve the users' preferences about type handling, rewrites and other such web server configurations). In this case, the JSP is still handled through Resin, same situation applies.
>
> 2) CF hijacks it straight to JRun (which I think is more likely, since the user has put JSP code into a ColdFusion page, supposing that CF will happily run JSP code from a .cfm page. Not sure if that's correct behavior or not.). In this case, they have avoided the security we have implemented.
>
> Anyone care to test this? Dave your account is on the only server running this config on our network right now - can you test what he's talking about?
>
> Also, we'll have the other Linux CF servers done over the weekend, I believe.
Re: Shared CF Host security
Don't ever let it be said that we don't listen to the voices of our clients. :-)

We've implemented a fix for this security issue that spans all of our Linux servers running ColdFusion. Here's a synopsis from one of the techs involved in implementing the change:

We actually run two J2EE environments - JRun and Resin. While JRun does handle the Java processing for ColdFusion, Resin handles the requests for JSP pages and servlets. Java implements a security policy system that can prevent access. We have implemented security management in the Resin server to prevent JSP pages from being able to read arbitrary files on the server. We have restricted code from each customer's home directory to:

1) a lengthy list of files and directories that Java and Resin require internally
2) log files for the site and for Resin
3) that customer's home directory.

So, security in a shared hosting environment isn't exactly a myth, it just takes a little more work and flexibility. If anyone needs a more technical explanation of what we did, please let me know via email and/or a post here and I'd be happy to assist.
Re: Shared CF Host security
> Don't ever let it be said that we don't listen to the voices of our clients. :-)

and Jamie you are from what company?? ;-)

Bryan Stevenson B.Comm.
VP Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com/54
Re: Shared CF Host security
Jamie Price wrote:
> We actually run two J2EE environments - JRun and Resin. While JRun does handle the Java processing for ColdFusion, Resin handles the requests for JSP pages and servlets. Java implements a security policy system that can prevent access. We have implemented security management in the Resin server to prevent JSP pages from being able to read arbitrary files on the server. We have restricted code from each customer's home directory to:
> 1) a lengthy list of files and directories that Java and Resin require internally
> 2) log files for the site and for Resin
> 3) that customer's home directory.

So you moved .jsp processing from JRun to Resin, and then secured Resin using Policy Files. Are you still using the Sandboxes functionality native to CF to secure CF or are you using Policy Files there too?

> So, security in a shared hosting environment isn't exactly a myth, it just takes a little more work and flexibility. If anyone needs a more technical explanation of what we did, please let me know via email and/or a post here and I'd be happy to assist.

I am very interested.

Jochem
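An added example, not HostMySite's or Resin's own configuration: the three-part grant the host describes (customer home directory, log files, container internals) modelled with java.security.Permissions and checked with the JDK's own FilePermission matching, so the rule set can be exercised without starting Resin under a security manager. The customer name, log locations and Resin/JVM paths are assumed.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

/**
 * Added example (not the host's or Resin's configuration): models the
 * per-customer grants described in the thread and evaluates them with the
 * JDK's FilePermission rules. All paths and the customer name are assumed.
 */
public final class CustomerSandboxPolicy {

    /** Grants that code loaded from one customer's home directory would receive. */
    public static PermissionCollection grantsFor(String customerHome) {
        Permissions grants = new Permissions();
        // 3) the customer's own home directory; the "/-" form covers the whole subtree
        grants.add(new FilePermission(customerHome, "read,write,delete"));
        grants.add(new FilePermission(customerHome + "/-", "read,write,delete"));
        // 2) log files for the site and for Resin, read only (locations assumed)
        grants.add(new FilePermission("/var/log/resin/-", "read"));
        // 1) what Resin and the JVM need internally: two stand-ins for the
        //    "lengthy list" the host mentions; real entries depend on the install
        grants.add(new FilePermission("/usr/local/resin/lib/-", "read"));
        grants.add(new FilePermission("/usr/lib/jvm/-", "read"));
        return grants;
    }

    /** True when the grants for customerHome permit `action` on `path`. */
    public static boolean allowed(String customerHome, String path, String action) {
        Permission wanted = new FilePermission(path, action);
        return grantsFor(customerHome).implies(wanted);
    }

    public static void main(String[] args) {
        String home = "/home/customerA";
        String[][] checks = {
            // the customer's own code
            {"/home/customerA/www/Application.cfm", "read"},
            // a neighbour's code: the read-any-file complaint that started the thread
            {"/home/customerB/www/Application.cfm", "read"},
            // Resin logs: read versus write
            {"/var/log/resin/access.log", "read"},
            {"/var/log/resin/access.log", "write"},
            // paths outside every grant, including the container's own config
            {"/etc/passwd", "read"},
            {"/usr/local/resin/conf/resin.conf", "read"},
        };
        for (String[] c : checks) {
            System.out.printf("%-6s %-40s %s%n", c[1], c[0],
                    allowed(home, c[0], c[1]) ? "allowed" : "DENIED");
        }
    }
}
```

In a live container the same grants are written in a policy file as `grant codeBase "file:/home/customerA/-" { permission java.io.FilePermission "/home/customerA/-", "read,write,delete"; ... };` blocks and the JVM is started with a security manager; note that the SecurityManager has been deprecated for removal since Java 17, so this approach belongs to the JVM generation that ran JRun and Resin.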
RE: Shared CF Host security
> We actually run two J2EE environments - JRun and Resin. While JRun does handle the Java processing for ColdFusion, Resin handles the requests for JSP pages and servlets.

What happens if you use getPageContext.include() from within a CFML page to invoke a JSP page directly?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
Re: Shared CF Host security
Thanks for the post, Jamie. I actually have a SmarterLinux hosting acct with you guys that runs my last-ditch server monitor for my dedicated boxes. Not exactly top secret code but it's nice to see you guys make this effort, especially given how rare such effort is these days.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com
Re: Shared CF Host security
fyi~ for those who don't know, Jamie is from Hostmysite.com, smarterlinux.com. While it was an issue, at least it has been resolved, and the other unnamed (ct) host, as far as my knowledge goes, is not taking it seriously as of yet, even though they claimed they were secure and it wouldn't happen there; we tried it and it did.

So anyways, thanks Jamie :) tis why you will get my business :) (and harassment haha)

~Dave the disruptor~
This bottle of lemonaid says contains no lemon juice and the can of Pledge says contains real lemon juice figures @%*((%

From: Matt Robertson [EMAIL PROTECTED]
Sent: Thursday, June 02, 2005 7:06 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: Re: Shared CF Host security

> Thanks for the post, Jamie. I actually have a SmarterLinux hosting acct with you guys that runs my last-ditch server monitor for my dedicated boxes. Not exactly top secret code but it's nice to see you guys make this effort, especially given how rare such effort is these days.
>
> --
> --mattRobertson--
> Janitor, MSB Web Systems
> mysecretbase.com
RE: Shared CF Host security
I'll second that - I was the whiner that started this post and I have to say that most hosts would have invited me to take my business elsewhere instead of putting in the work to create a more secure environment. We'll see how this solution goes.

-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 June 2005 7:04
To: CF-Talk
Subject: Re: Shared CF Host security

> Thanks for the post, Jamie. I actually have a SmarterLinux hosting acct with you guys that runs my last-ditch server monitor for my dedicated boxes. Not exactly top secret code but it's nice to see you guys make this effort, especially given how rare such effort is these days.
RE: Shared CF Host security
Well, this isn't the case on my SmarterLinux server. I can still browse, download and view every file on the server using JSP.

-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 June 2005 6:06
To: CF-Talk
Subject: Re: Shared CF Host security

> Don't ever let it be said that we don't listen to the voices of our clients. :-)
>
> We've implemented a fix for this security issue that spans all of our Linux servers running ColdFusion. Here's a synopsis from one of the techs involved in implementing the change:
>
> We actually run two J2EE environments - JRun and Resin. While JRun does handle the Java processing for ColdFusion, Resin handles the requests for JSP pages and servlets. Java implements a security policy system that can prevent access. We have implemented security management in the Resin server to prevent JSP pages from being able to read arbitrary files on the server. We have restricted code from each customer's home directory to:
> 1) a lengthy list of files and directories that Java and Resin require internally
> 2) log files for the site and for Resin
> 3) that customer's home directory.
>
> So, security in a shared hosting environment isn't exactly a myth, it just takes a little more work and flexibility. If anyone needs a more technical explanation of what we did, please let me know via email and/or a post here and I'd be happy to assist.
RE: Shared CF Host security
I don't think they have gotten to all the servers yet, just mine :)

~Dave the disruptor~
This bottle of lemonaid says contains no lemon juice and the can of Pledge says contains real lemon juice figures @%*((%

From: James Holmes [EMAIL PROTECTED]
Sent: Thursday, June 02, 2005 11:01 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security

> Well, this isn't the case on my SmarterLinux server. I can still browse, download and view every file on the server using JSP.
>
> -Original Message-
> From: Jamie Price [mailto:[EMAIL PROTECTED]
> Sent: Friday, 3 June 2005 6:06
> To: CF-Talk
> Subject: Re: Shared CF Host security
>
> > Don't ever let it be said that we don't listen to the voices of our clients. :-)
> >
> > We've implemented a fix for this security issue that spans all of our Linux servers running ColdFusion. Here's a synopsis from one of the techs involved in implementing the change:
> >
> > We actually run two J2EE environments - JRun and Resin. While JRun does handle the Java processing for ColdFusion, Resin handles the requests for JSP pages and servlets. Java implements a security policy system that can prevent access. We have implemented security management in the Resin server to prevent JSP pages from being able to read arbitrary files on the server. We have restricted code from each customer's home directory to:
> > 1) a lengthy list of files and directories that Java and Resin require internally
> > 2) log files for the site and for Resin
> > 3) that customer's home directory.
> >
> > So, security in a shared hosting environment isn't exactly a myth, it just takes a little more work and flexibility. If anyone needs a more technical explanation of what we did, please let me know via email and/or a post here and I'd be happy to assist.
Re: Shared CF Host security
Jamie Price wrote:
> CFObject is insecure in v5.0

Correct.

> but with the advent of sandboxes I believe it was deemed safe in MX versions. If you believe I'm mistaken on that point please let me know.

I believe you are mistaken. If you allow cfobject, users can enumerate applications and sessions, access the cf administrator and who knows what else:
http://tech.badpen.com/index.cfm?mode=entryentry=3
http://spike.oli.tudelft.nl/jochemd/index.cfm?PageID=12

You will want to disable Java and COM. With CF 6.1 that means you need to disable all object access, with CF 7 you can disable just Java and COM.

> Sandboxing isn't quite as simple as you make it out to be - it's not enough to simply have access restricted to the webroot. You also need to implement a host of other directories that CF needs access to for various reasons. Here's an example from one of our servers running MX 7.0:
>
> c:\websites\DOMAIN_NAME\    Read,Write,Execute,Delete
> c:\websites\DOMAIN_NAME\-    Read,Write,Execute,Delete
> c:\cfusionmx7\lib\updates    Read
> c:\cfusionmx7\lib\updates\-    Read
> c:\cfusionmx7\lib\cfxneo.dll    Read
> c:\cfusionmx7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp    Read
> c:\cfusionmx7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\-    Read
> c:\cfusionmx7\customtags\    Read,Execute
> c:\cfusionmx7\customtags\-    Read,Execute
> c:\cfusionmx7\cfx\    Read
> c:\cfusionmx7\cfx\-    Read
> c:\cfusionmx7\wwwroot\cfide    Read
> c:\cfusionmx7\wwwroot\cfide\-    Read
> c:\CFusionMX7\lib\vadmin.jar    Read
> c:\CFusionMX7\lib\verity.jar    Read

I don't see the objection against running c:\cfusionmx7 as Read. (But I do protect jvm.config against change using Windows ACLs.)

Jochem
RE: Shared CF Host security
With CFOBJECT on a 6.1 server one can instantiate all of the CF factory objects and effectively take control of the entire server. I can privately send some live demos if you need visible proof.

As for JSP, you would need to apply a Java security policy that simultaneously provides adequate security for users and allows CF to continue to run. I suspect that this will be as hard to maintain as other solutions, but if you can do it then great.

-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 12:35
To: CF-Talk
Subject: RE: Shared CF Host security

> > But with JSP enabled I am broadcasting my username and password to everyone on the server, as they can read my code.
>
> Right - I was just trying to clarify that there were two separate issues at hand there. The JSP one is definitely an issue; datasources on the other hand run more to personal preference. Assuming that the JSP issue is resolved, the datasource problem is effectively solved as well.
>
> > As dave suggested, a slight reorganisation of servers (or even instances on the same server) such that some run JSP and some don't would suffice. Customers needing JSP can take their chances on those servers and those who want some security can have the servers wherein it is disabled.
>
> That's being considered as one alternative, but I'd personally like to avoid it if at all possible as it leads to complications on our end. This shouldn't be seen as laziness, it's just a reality - the more complex the backend is the more likely it is that there will be an issue of some sort when it comes time to update the servers. Or having to explain to a novice JSP user why this stuff is insecure shudder. I'd rather have it running and locked down permanently. Plus the idea of knowingly putting up a server with a gaping hole in security turns my stomach a little.
>
> > For a shared host, the best CF security involves turning off JSP, disabling CFOBJECT and createobject() for all customers and sandboxing files for every app to allow access to only the account directory. If you can provide some servers with this config (secure hosting servers) and others with the more relaxed JSP option, you take care of both sets of needs and I stop whining like a child.
>
> CFObject is insecure in v5.0, but with the advent of sandboxes I believe it was deemed safe in MX versions. If you believe I'm mistaken on that point please let me know. Currently our server config only disallows use of CFExecute and CFRegistry, both for fairly obvious reasons. Also RDS is disabled, but that should be given as well.
>
> Sandboxing isn't quite as simple as you make it out to be - it's not enough to simply have access restricted to the webroot. You also need to implement a host of other directories that CF needs access to for various reasons. Here's an example from one of our servers running MX 7.0:
>
> c:\websites\DOMAIN_NAME\    Read,Write,Execute,Delete
> c:\websites\DOMAIN_NAME\-    Read,Write,Execute,Delete
> c:\cfusionmx7\lib\updates    Read
> c:\cfusionmx7\lib\updates\-    Read
> c:\cfusionmx7\lib\cfxneo.dll    Read
> c:\cfusionmx7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp    Read
> c:\cfusionmx7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\-    Read
> c:\cfusionmx7\customtags\    Read,Execute
> c:\cfusionmx7\customtags\-    Read,Execute
> c:\cfusionmx7\cfx\    Read
> c:\cfusionmx7\cfx\-    Read
> c:\cfusionmx7\wwwroot\cfide    Read
> c:\cfusionmx7\wwwroot\cfide\-    Read
> c:\CFusionMX7\lib\vadmin.jar    Read
> c:\CFusionMX7\lib\verity.jar    Read
>
> And this is just a server that started out as v7. You should see one of the ones that was upgraded from v6.1.
Re: Shared CF Host security
On 5/19/05, Jochem van Dieten [EMAIL PROTECTED] wrote:
> You will want to disable Java and COM. With CF 6.1 that means you need to disable all object access, with CF 7 you can disable just Java and COM.

There is currently a bug in CFMX7 sandboxing in that if you disable COM it also disables CFCs. Just something else to be aware of.

Andy

--
[EMAIL PROTECTED]
www.creative-restraint.co.uk
www.scottishcfug.com
RE: Shared CF Host security
Ah sweet UNIX - no worry about COM, sandbox or not.

-Original Message-
From: Andy Allan [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 4:33
To: CF-Talk
Subject: Re: Shared CF Host security

> On 5/19/05, Jochem van Dieten [EMAIL PROTECTED] wrote:
> > You will want to disable Java and COM. With CF 6.1 that means you need to disable all object access, with CF 7 you can disable just Java and COM.
>
> There is currently a bug in CFMX7 sandboxing in that if you disable COM it also disables CFCs. Just something else to be aware of.
Re: Shared CF Host security
I would definitely entertain using sandbox security to limit the database access, I trust that you're already using it to limit cffile access?

On 5/18/05 10:10 PM, Jamie Price [EMAIL PROTECTED] wrote:
> > At this point in the discussion I'd like to invite anyone who knows of a shared host WITH A CLUE to give us all their details...
>
> Dave alerted me to this thread and the problem with CFMX + JSP just today, so I'm going to be investigating this as well on the HMS end. I can tell you that the initial reason why JSP can't be locked down is that a number of clients are using it for a legitimate purpose - we can't just shut it off and tell those clients that we suddenly became security-conscious and they have to deal and find a shoddy host that will let them run their app. On the other hand, I can't see us allowing this to continue either.
>
> Just because you're on a shared host it doesn't mean that you're on an insecure server. It will never be as tightly locked down as a dedicated server (or even a VPS, which is new at HostMySite) however that doesn't mean you're publishing your code for the world to see. IF that were the case we would change our name to HostMyBBS. :-)
>
> Seriously, I will be taking this up with the CEO and COO tomorrow, and we'll be looking into possible alternatives so everyone gets what they want. I suspect the solution will be a little different for Windows as opposed to the Linux-based sites, however I'm not fluent in CFMX/JSP so I can't say for certain. If any of you have any suggestions that would accomplish both the functionality and the security, I'd be more than happy to entertain them and bring them before the CEO. I can assure you that your suggestions will not be brushed aside lightly for ANY reason.
>
> Along a similar vein, locking down datasources via sandbox security was at one time considered, however it was discarded I believe because clients can attain the same level of security by simply adding a user/pass to their code via the Application.cfm and referencing the datasource that way. We will add the user/pass to the DSN upon request, however we ALWAYS tell clients before doing so that they are basically inviting other users on the server to read/write to their database.
>
> If you have any questions and the CF mods have no problems with my being here, please feel free to post them and I'll either answer them to the best of my ability or find another rep from HostMySite.com who can.
>
> Jamie Price
> Email Administrator, Sr. Tech Support Rep
> HostMySite.com
Re: Shared CF Host security
The items that have to be disabled completely keep me off of shared hosting. Not having cfobject/createobject in CFMX is like running a race with your nikes tied together dangling around your neck instead of on your feet!

- Calvin

On 5/18/05 10:21 PM, James Holmes [EMAIL PROTECTED] wrote:

however it was discarded I believe because clients can attain the same level of security by simply adding a user/pass to their code via the Application.cfm and referencing the datasource that way.

But with JSP enabled I am broadcasting my username and password to everyone on the server, as they can read my code.

As dave suggested, a slight reorganisation of servers (or even instances on the same server) such that some run JSP and some don't would suffice. Customers needing JSP can take their chances on those servers and those who want some security can have the servers wherein it is disabled.

For a shared host, the best CF security involves turning off JSP, disabling CFOBJECT and createobject() for all customers and sandboxing files for every app to allow access to only the account directory. If you can provide some servers with this config (secure hosting servers) and others with the more relaxed JSP option, you take care of both sets of needs and I stop whining like a child.

-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 10:11
To: CF-Talk
Subject: RE: Shared CF Host security

At this point in the discussion I'd like to invite anyone who knows of a shared host WITH A CLUE to give us all their details... Dave alerted me to this thread and the problem with CFMX + JSP just today, so I'm going to be investigating this as well on the HMS end.

I can tell you that the initial reason why JSP can't be locked down is that a number of clients are using it for a legitimate purpose - we can't just shut it off and tell those clients that we suddenly became security-conscious and they have to deal and find a shoddy host that will let them run their app. On the other hand, I can't see us allowing this to continue either. Just because you're on a shared host it doesn't mean that you're on an insecure server. It will never be as tightly locked down as a dedicated server (or even a VPS, which is new at HostMySite) however that doesn't mean you're publishing your code for the world to see. IF that were the case we would change our name to HostMyBBS. :-)

Seriously, I will be taking this up with the CEO and COO tomorrow, and we'll be looking into possible alternatives so everyone gets what they want. I suspect the solution will be a little different for Windows as opposed to the Linux-based sites, however I'm not fluent in CFMX/JSP so I can't say for certain. If any of you have any suggestions that would accomplish both the functionality and the security, I'd be more than happy to entertain them and bring them before the CEO. I can assure you that your suggestions will not be brushed aside lightly for ANY reason.

Along a similar vein, locking down datasources via sandbox security was at one time considered, however it was discarded I believe because clients can attain the same level of security by simply adding a user/pass to their code via the Application.cfm and referencing the datasource that way. We will add the user/pass to the DSN upon request, however we ALWAYS tell clients before doing so that they are basically inviting other users on the server to read/write to their database.

If you have any questions and the CF mods have no problems with my being here, please feel free to post them and I'll either answer them to the best of my ability or find another rep from HostMySite.com who can.

Jamie Price
Email Administrator, Sr. Tech Support Rep
HostMySite.com
Re: Shared CF Host security
Andy Allan wrote:

On 5/19/05, Jochem van Dieten [EMAIL PROTECTED] wrote:

You will want to disable Java and COM. With CF 6.1 that means you need to disable all object access, with CF 7 you can disable just Java and COM.

There is currently a bug in CFMX7 sandboxing in that if you disable COM it also disables CFCs.

You could delete the JIntegra directory from the hard disk, presumably that disables COM too :) I have actually run a test system without that directory for a few hours without seeing detrimental effects, but you might want to test that yourself on a test server.

Jochem
RE: Shared CF Host security
It's not that bad - you can still instantiate a CFC by using CFINVOKE on a component that returns THIS. You just lose Java and COM.

-Original Message-
From: Calvin Ward [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 6:43
To: CF-Talk
Subject: Re: Shared CF Host security

The items that have to be disabled completely keep me off of shared hosting. Not having cfobject/createobject in CFMX is like running a race with your nikes tied together dangling around your neck instead of on your feet!

- Calvin
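The CFINVOKE workaround described above, as a constructed example that is not code from the thread: the component's init() returns THIS, so a caller gets a live instance even when the sandbox has CFOBJECT and createObject() disabled. The component name Cart, its methods and the checkout.cfm caller are all invented for the illustration.

```cfml
<!--- Cart.cfc (constructed example, not from the thread).
      init() returns THIS so that CFINVOKE can stand in for CFOBJECT /
      createObject() as a constructor under sandbox security. --->
<cfcomponent output="false">
    <cfset variables.owner = "">
    <cfset variables.items = structNew()>

    <cffunction name="init" access="public" returntype="any" output="false">
        <cfargument name="owner" type="string" required="true">
        <cfset variables.owner = arguments.owner>
        <!--- Returning THIS is the whole trick: the caller receives the
              instance, not just a return value. --->
        <cfreturn this>
    </cffunction>

    <cffunction name="add" access="public" returntype="void" output="false">
        <cfargument name="sku" type="string" required="true">
        <cfargument name="qty" type="numeric" required="true">
        <cfset variables.items[arguments.sku] = arguments.qty>
    </cffunction>

    <cffunction name="getOwner" access="public" returntype="string" output="false">
        <cfreturn variables.owner>
    </cffunction>

    <cffunction name="getItemCount" access="public" returntype="numeric" output="false">
        <cfreturn structCount(variables.items)>
    </cffunction>
</cfcomponent>

<!--- checkout.cfm (constructed example). CFINVOKE on a component path
      creates a fresh instance, runs init(), and returnvariable receives
      the THIS that init() handed back. No CFOBJECT or createObject() is
      needed, so this keeps working on a host that has disabled them. --->
<cfinvoke component="Cart" method="init" returnvariable="cart">
    <cfinvokeargument name="owner" value="alice">
</cfinvoke>

<cfset cart.add("widget", 2)>
<cfset cart.add("gadget", 1)>

<cfoutput>
    #cart.getItemCount()# distinct items in #cart.getOwner()#'s cart
</cfoutput>
```

Subsequent calls on the returned instance go through normal method syntax, so existing code that used createObject("component", "Cart").init("alice") only needs its construction line replaced.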
Re: Shared CF Host security
You will want to disable Java and COM. With CF 6.1 that means you need to disable all object access, with CF 7 you can disable just Java and COM.

Are you referring to simply disabling the createobject(Java) and createobject(COM) CFML functions?
RE: Shared CF Host security
You could delete the JIntegra directory from the harddisk, presumably that disables COM too :)

Actually, I'm not sure that would disable COM from CF. The stuff in that directory consists mainly of helper and diagnostic applications. I suspect you'd have to delete the jintegra.jar file within the lib directory. Of course, I haven't tested any of this so it's all just pure speculation on my part.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
RE: Shared CF Host security
I'm trying to test one of the scripts provided to me by Dave in a Windows environ but I'm getting this error:

500 Translator.WrongCase/buddman/jspbrowser/browser.jspbrowser.jspBrowser.jsp
Translator.WrongCase/buddman/jspbrowser/browser.jspbrowser.jspBrowser.jsp

Can anyone tell me how to make this exploit work in Windows so I can determine a patch?
RE: Shared CF Host security
forget I said that - I figured it out. :-)
RE: Shared CF Host security
Mike D.

At this point I might make a suggestion that you completely delete this thread before it gets googled. We know about the problem and a solution is being vigorously sought after but I see no point in having every hacker online alerted to this until a solution is found. IMO, removing this thread will only benefit us all.

~Dave the disruptor~

From: Jamie Price [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 4:04 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security

I'm trying to test one of the scripts provided to me by Dave in a Windows environ but I'm getting this error:

500 Translator.WrongCase/buddman/jspbrowser/browser.jspbrowser.jspBrowser.jsp
Translator.WrongCase/buddman/jspbrowser/browser.jspbrowser.jspBrowser.jsp

Can anyone tell me how to make this exploit work in Windows so I can determine a patch?
RE: Shared CF Host security
Excellent idea Dave

-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 6:07 PM
To: CF-Talk
Subject: RE: Shared CF Host security

Mike D.

At this point I might make a suggestion that you completely delete this thread before it gets googled. We know about the problem and a solution is being vigorously sought after but I see no point in having every hacker online alerted to this until a solution is found. IMO, removing this thread will only benefit us all.

~Dave the disruptor~

From: Jamie Price [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 4:04 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security

I'm trying to test one of the scripts provided to me by Dave in a Windows environ but I'm getting this error:

500 Translator.WrongCase/buddman/jspbrowser/browser.jspbrowser.jspBrowser.jsp
Translator.WrongCase/buddman/jspbrowser/browser.jspbrowser.jspBrowser.jsp

Can anyone tell me how to make this exploit work in Windows so I can determine a patch?
RE: Shared CF Host security
At this point I might make a suggestion that you completely delete this thread before it gets googled. We know about the problem and a solution is being vigorously sought after but I see no point in having every hacker online alerted to this until a solution is found. IMO, removing this thread will only benefit us all.

Good luck with that. I mean, using tools like this is essentially SOP for people trying to find vulnerabilities in a shared hosting environment, as far as I can tell.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
RE: Shared CF Host security
In this case, full read access to the filesystem via JSP (meaning that even if passwords are not set in the CF Admin, they can be obtained from the code) and no sandboxing of datasources (on my account at least, but that may be irrelevant since JSP is installed). That's all it took to accomplish this example, but I could have done more as CFOBJECT / createObject() are also enabled.

A reasonable attempt at security would entail disabling JSP, disabling CFOBJECT/createObject() and sandboxing datasources and files.

-Original Message-
From: Jim McAtee [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 1:07
To: CF-Talk
Subject: Re: Shared CF Host security

So what exactly is the security issue? Username/password set in the datasource? Full access to the file system?
Re: Shared CF Host security
James Holmes wrote:

A reasonable attempt at security would entail disabling JSP, disabling CFOBJECT/createObject() and sandboxing datasources and files.

Or just sandboxing files and not setting datasource passwords in the administrator.

Jochem
RE: Shared CF Host security
Quite right, with properly configured local accounts and JSP disabled, no datasource sandboxing is necessary if the access details are in the code and not saved in the Admin.

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 4:07
To: CF-Talk
Subject: Re: Shared CF Host security

James Holmes wrote:

A reasonable attempt at security would entail disabling JSP, disabling CFOBJECT/createObject() and sandboxing datasources and files.

Or just sandboxing files and not setting datasource passwords in the administrator.

Jochem
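The credentials-in-code arrangement that Jamie Price, Jochem and James describe (a DSN registered in the CF Administrator with no saved password, the login supplied from Application.cfm), as a constructed example that is not code from the thread. The DSN name shopdb, the request.dsn struct and the products table are invented; the weak and corrected queries are shown side by side.

```cfml
<!--- Application.cfm (constructed example, not from the thread).
      The DSN "shopdb" is registered in the CF Administrator WITHOUT a
      saved username/password, so a neighbouring account on the shared
      box cannot simply name the DSN and query it. The login lives only
      here. As the thread notes, that is only a protection when file
      sandboxing confines each account to its own directory and JSP is
      disabled; otherwise this file is readable server-wide. --->
<cfapplication name="shop" sessionmanagement="false">

<cfset request.dsn = structNew()>
<cfset request.dsn.name = "shopdb">
<cfset request.dsn.user = "shop_app">
<cfset request.dsn.pass = "REPLACE-WITH-REAL-PASSWORD">  <!--- placeholder --->

<!--- products.cfm (constructed example).
      Weak form: relies on a username/password stored against the DSN in
      the Administrator. Any other site on the server can run exactly this
      tag against "shopdb" with no login of its own. --->
<cfquery name="qProductsWeak" datasource="shopdb">
    SELECT id, name
    FROM   products
</cfquery>

<!--- Corrected form: the login travels with the query, so with nothing
      saved in the Administrator the DSN name alone is useless to a
      neighbour who has not also managed to read Application.cfm. --->
<cfquery name="qProducts"
         datasource="#request.dsn.name#"
         username="#request.dsn.user#"
         password="#request.dsn.pass#">
    SELECT id, name
    FROM   products
</cfquery>

<cfoutput>#qProducts.recordCount# products loaded</cfoutput>
```

With the password removed from the Administrator entry, the weak query above fails with an authentication error from the database driver, which is a quick way to confirm the DSN really carries no stored credentials.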
RE: Shared CF Host security
Has anyone approached Crystaltech or Host My Site directly about this problem?

-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 4:10 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Quite right, with properly configured local accounts and JSP disabled, no datasource sandboxing is necessary if the access details are in the code and not saved in the Admin.

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 4:07
To: CF-Talk
Subject: Re: Shared CF Host security

James Holmes wrote:

A reasonable attempt at security would entail disabling JSP, disabling CFOBJECT/createObject() and sandboxing datasources and files.

Or just sandboxing files and not setting datasource passwords in the administrator.

Jochem
RE: Shared CF Host security
Two of us have approached HMS so far and I got the usual rubbish about it's shared hosting so tough. They aren't going to fix it.

-Original Message-
From: Tim Laureska [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 5:39
To: CF-Talk
Subject: RE: Shared CF Host security

Has anyone approached Crystaltech or Host My Site directly about this problem?

-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 4:10 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Quite right, with properly configured local accounts and JSP disabled, no datasource sandboxing is necessary if the access details are in the code and not saved in the Admin.

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 4:07
To: CF-Talk
Subject: Re: Shared CF Host security

James Holmes wrote:

A reasonable attempt at security would entail disabling JSP, disabling CFOBJECT/createObject() and sandboxing datasources and files.

Or just sandboxing files and not setting datasource passwords in the administrator.

Jochem
RE: Shared CF Host security
Very comforting ... I'm sure CT would have a similar response. Maybe it's time to get a dedicated box.

-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 5:56 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Two of us have approached HMS so far and I got the usual rubbish about it's shared hosting so tough. They aren't going to fix it.

-Original Message-
From: Tim Laureska [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 5:39
To: CF-Talk
Subject: RE: Shared CF Host security

Has anyone approached Crystaltech or Host My Site directly about this problem?

-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 4:10 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Quite right, with properly configured local accounts and JSP disabled, no datasource sandboxing is necessary if the access details are in the code and not saved in the Admin.

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 4:07
To: CF-Talk
Subject: Re: Shared CF Host security

James Holmes wrote:

A reasonable attempt at security would entail disabling JSP, disabling CFOBJECT/createObject() and sandboxing datasources and files.

Or just sandboxing files and not setting datasource passwords in the administrator.

Jochem
Re: Shared CF Host security
Forget VPS? What could possibly make you say that? VPS Accounts are *awesome*. VPS is the kind of hosting that I would want as a developer if we didn't already offer it ourselves. And with prices starting at $18 per month (the same price as most starter shared hosting accounts) and the absolute freedom that VPS accounts offer, I fail to see how you can say Forget VPS? Care to elaborate?

--
Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
[EMAIL PROTECTED]

Rey Bango wrote:

I guess I'm trying to understand how your host can be so sloppy. I don't recall ever being on a shared hosting environment that had that problem. Forget VPS, get yourself a new host.

Rey..

James Holmes wrote:

While security can never be perfect in a shared hosting environment, am I expecting too much to have at least a modicum of security on a shared server? For example, if others can access my datasources and do whatever they want to my database and they can read all of the source code of my apps, I get a little concerned. I know I can buy VPS hosting for genuine security, but would anyone else expect a shared host to at least attempt some security or would they be happy to just have them give up and allow open slather?
RE: Shared CF Host security
Why would you not implement sandboxing? Seems there would be NO reason for a hosting provider to not use it.

-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 1:10 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Quite right, with properly configured local accounts and JSP disabled, no datasource sandboxing is necessary if the access details are in the code and not saved in the Admin.
RE: Shared CF Host security
All of my attempts with CT have fallen on deaf ears. They just keep repeating that they checked all the settings and it's all correct. Even though I've been able to prove them wrong on more than one occasion.

-Original Message-
From: Tim Laureska [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 2:39 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Has anyone approached Crystaltech or Host My Site directly about this problem?
RE: Shared CF Host security
General laziness I guess, since that's what I'm experiencing right now...

-Original Message-
From: Connie DeCinko [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 11:30
To: CF-Talk
Subject: RE: Shared CF Host security

Why would you not implement sandboxing? Seems there would be NO reason for a hosting provider to not use it.

-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 1:10 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Quite right, with properly configured local accounts and JSP disabled, no datasource sandboxing is necessary if the access details are in the code and not saved in the Admin.
RE: Shared CF Host security
The price is the same but for the extra security at that same price I would lose a lot of bandwidth etc. I'm not complaining about the cost of VPS hosting - I know I get what I pay for. VPS is probably my next step in hosting.

-Original Message-
From: Jordan Michaels [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 11:28
To: CF-Talk
Subject: Re: Shared CF Host security

Forget VPS? What could possibly make you say that? VPS Accounts are *awesome*. VPS is the kind of hosting that I would want as a developer if we didn't already offer it ourselves. And with prices starting at $18 per month (the same price as most starter shared hosting accounts) and the absolute freedom that VPS accounts offer, I fail to see how you can say Forget VPS? Care to elaborate?

--
Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
[EMAIL PROTECTED]

Rey Bango wrote:

I guess I'm trying to understand how your host can be so sloppy. I don't recall ever being on a shared hosting environment that had that problem. Forget VPS, get yourself a new host.

Rey..

James Holmes wrote:

While security can never be perfect in a shared hosting environment, am I expecting too much to have at least a modicum of security on a shared server? For example, if others can access my datasources and do whatever they want to my database and they can read all of the source code of my apps, I get a little concerned. I know I can buy VPS hosting for genuine security, but would anyone else expect a shared host to at least attempt some security or would they be happy to just have them give up and allow open slather?
RE: Shared CF Host security
And I thought HMS was the end-all, beat-all of shared hosting??? Is that smoke I smell behind me?

-----Original Message-----
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 2:56 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Two of us have approached HMS so far and I got the usual rubbish about it's shared hosting so tough. They aren't going to fix it.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207040
RE: Shared CF Host security
Time for a dedicated box?

-----Original Message-----
From: Connie DeCinko [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 11:34 AM
To: CF-Talk
Subject: RE: Shared CF Host security

All of my attempts with CT have fallen on deaf ears. They just keep repeating that they checked all the settings and it's all correct. Even though I've been able to prove them wrong on more than one occasion.

-----Original Message-----
From: Tim Laureska [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 2:39 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Has anyone approached Crystaltech or Host My Site directly about this problem?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207041
RE: Shared CF Host security
Almost. I need a couple more clients to spread the cost. And being able to win a copy of CF Enterprise would help! Guess I need to go to more UG meetings.

-----Original Message-----
From: Tim Laureska [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 8:54 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Time for a dedicated box?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207044
Re: Shared CF Host security
Ah ... but you can only win CF Standard at UG meetings :)

Andy

On 5/18/05, Connie DeCinko [EMAIL PROTECTED] wrote:
Almost. I need a couple more clients to spread the cost. And being able to win a copy of CF Enterprise would help! Guess I need to go to more UG meetings.

-----Original Message-----
From: Tim Laureska [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 8:54 AM
To: CF-Talk
Subject: RE: Shared CF Host security

Time for a dedicated box?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207047
Re: Shared CF Host security
Speaking of CrystalTech, they have Windows *servers* for $80 monthly. Anyone taken one of those on? Seems like a perfect mail server, and if you add in BD instead and just don't use the mail server software they give to you (which is good stuff BTW), it's a cheapie CF server, if your code can stomach BD.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207062
RE: Shared CF Host security
You might as well look at other companies too, if you start looking at dedicated servers:
http://www.serverbeach.com/
http://www.ev1servers.net/
Etc.

--
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include stdjoke.h

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]

Speaking of CrystalTech, they have Windows *servers* for $80 monthly.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207064
RE: Shared CF Host security
Serverbeach is a spammers' haven.

-----Original Message-----
From: Damien McKenna [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 11:33 AM
To: CF-Talk
Subject: RE: Shared CF Host security

You might as well look at other companies too, if you start looking at dedicated servers:
http://www.serverbeach.com/
http://www.ev1servers.net/
Etc.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207073
Re: Shared CF Host security
Connie DeCinko wrote:
Serverbeach is a spammers' haven.

They were such a nuisance there is a separate DSBL dedicated exclusively to Serverbeach: serverbeach.blackholes.us

Verifying the position of an ISP / hoster on spam is very important if you care about your email reaching the recipient. Always get on paper that the ISP will terminate spammers and spam supporters and that if the IPs you get from him are blacklisted you have reason for immediate termination and a refund.

Jochem

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207085
Re: Shared CF Host security
everyone on the server can read the code so I'm screwed no matter what I do.

Do you mean any other customer on the same host? You don't even have a protected area with FTP access? I would say this is not even a host, this is like sleeping in the street.

--
___
REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207090
Re: Shared CF Host security
I got $10 that says it's the same on your server Claude.

~Dave the disruptor~

From: Claude Schneegans [EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 5:28 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: Re: Shared CF Host security

everyone on the server can read the code so I'm screwed no matter what I do.

Do you mean any other customer on the same host? You don't even have a protected area with FTP access? I would say this is not even a host, this is like sleeping in the street.

--
___
REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207100
RE: Shared CF Host security
Dave... is the only way to beat this is get a dedicated box?... at least if you're with CT or HMS

Tim

-----Original Message-----
From: dave [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 6:54 PM
To: CF-Talk
Subject: Re: Shared CF Host security

I got $10 that says it's the same on your server Claude.

~Dave the disruptor~

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207102
RE: Shared CF Host security
I dunno yet, I still have some ppl at hms working on it and some others are coming up with their own fixes. But truthfully, it's over my head... And I wouldn't assume it's hms or ct only either, I would assume it's most everyone's. I would be curious to see someone who has their own box to try it and see.

~Dave the disruptor~

From: Tim Laureska [EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 7:12 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security

Dave... is the only way to beat this is get a dedicated box?... at least if you're with CT or HMS

Tim

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207103
RE: Shared CF Host security
Hi guys, there is an article from MM about disabling JSP in the shared environment..
http://www.macromedia.com/devnet/security/security_zone/mpsb02-04.html

cheers
Joel

-----Original Message-----
From: dave [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 9:25 AM
To: CF-Talk
Subject: RE: Shared CF Host security

I dunno yet, I still have some ppl at hms working on it and some others are coming up with their own fixes. But truthfully, it's over my head... And I wouldn't assume it's hms or ct only either, I would assume it's most everyone's. I would be curious to see someone who has their own box to try it and see.

~Dave the disruptor~

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207106
RE: Shared CF Host security
Yep, I sent that article to HMS and their response was "Disabling JSP is not an option." Fantastic, basic security is not an option.

-----Original Message-----
From: Joel Nath [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 9:08
To: CF-Talk
Subject: RE: Shared CF Host security

Hi guys, there is an article from MM about disabling JSP in the shared environment..
http://www.macromedia.com/devnet/security/security_zone/mpsb02-04.html

cheers
Joel

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207107
RE: Shared CF Host security
I have FTP access to my account but it isn't protected from any other customer on the same box reading it, so it's at least sleeping with the door open and the lights on with the shades up.

-----Original Message-----
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 11:21
To: CF-Talk
Subject: Re: Shared CF Host security

everyone on the server can read the code so I'm screwed no matter what I do.

Do you mean any other customer on the same host? You don't even have a protected area with FTP access? I would say this is not even a host, this is like sleeping in the street.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207108
RE: Shared CF Host security
I would imagine that they should be using a separate instance of jsp and not cfm's jsp for those on jsp. That makes no sense huh?? haha

~Dave the disruptor~

From: James Holmes [EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 9:22 PM
To: CF-Talk cf-talk@houseoffusion.com
Subject: RE: Shared CF Host security

Yep, I sent that article to HMS and their response was "Disabling JSP is not an option." Fantastic, basic security is not an option.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207109
RE: Shared CF Host security
Yes, I was thinking that myself. They deploy under Jrun so all they have to do is have some instances with JSP for those who don't care and some without for those who want some form of security. There's enough servers to go around to have some of each.

-----Original Message-----
From: dave [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 9:25
To: CF-Talk
Subject: RE: Shared CF Host security

I would imagine that they should be using a separate instance of jsp and not cfm's jsp for those on jsp. That makes no sense huh?? haha

~Dave the disruptor~

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207110
RE: Shared CF Host security
At this point in the discussion I'd like to invite anyone who knows of a shared host WITH A CLUE to give us all their details...

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207111
RE: Shared CF Host security
At this point in the discussion I'd like to invite anyone who knows of a shared host WITH A CLUE to give us all their details...

Dave alerted me to this thread and the problem with CFMX + JSP just today, so I'm going to be investigating this as well on the HMS end. I can tell you that the initial reason why JSP can't be locked down is that a number of clients are using it for a legitimate purpose - we can't just shut it off and tell those clients that we suddenly became security-conscious and they have to deal and find a shoddy host that will let them run their app. On the other hand, I can't see us allowing this to continue either.

Just because you're on a shared host it doesn't mean that you're on an insecure server. It will never be as tightly locked down as a dedicated server (or even a VPS, which is new at HostMySite) however that doesn't mean you're publishing your code for the world to see. IF that were the case we would change our name to HostMyBBS. :-)

Seriously, I will be taking this up with the CEO and COO tomorrow, and we'll be looking into possible alternatives so everyone gets what they want. I suspect the solution will be a little different for Windows as opposed to the Linux-based sites, however I'm not fluent in CFMX/JSP so I can't say for certain. If any of you have any suggestions that would accomplish both the functionality and the security, I'd be more than happy to entertain them and bring them before the CEO. I can assure you that your suggestions will not be brushed aside lightly for ANY reason.

Along a similar vein, locking down datasources via sandbox security was at one time considered, however it was discarded I believe because clients can attain the same level of security by simply adding a user/pass to their code via the Application.cfm and referencing the datasource that way. We will add the user/pass to the DSN upon request, however we ALWAYS tell clients before doing so that they are basically inviting other users on the server to read/write to their database.

If you have any questions and the CF mods have no problems with my being here, please feel free to post them and I'll either answer them to the best of my ability or find another rep from HostMySite.com who can.

Jamie Price
Email Administrator, Sr. Tech Support Rep
HostMySite.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207112
RE: Shared CF Host security
however it was discarded I believe because clients can attain the same level of security by simply adding a user/pass to their code via the Application.cfm and referencing the datasource that way.

But with JSP enabled I am broadcasting my username and password to everyone on the server, as they can read my code.

As dave suggested, a slight reorganisation of servers (or even instances on the same server) such that some run JSP and some don't would suffice. Customers needing JSP can take their chances on those servers and those who want some security can have the servers wherein it is disabled.

For a shared host, the best CF security involves turning off JSP, disabling CFOBJECT and createobject() for all customers and sandboxing files for every app to allow access to only the account directory. If you can provide some servers with this config (secure hosting servers) and others with the more relaxed JSP option, you take care of both sets of needs and I stop whining like a child.

-----Original Message-----
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 10:11
To: CF-Talk
Subject: RE: Shared CF Host security

At this point in the discussion I'd like to invite anyone who knows of a shared host WITH A CLUE to give us all their details...

Dave alerted me to this thread and the problem with CFMX + JSP just today, so I'm going to be investigating this as well on the HMS end. I can tell you that the initial reason why JSP can't be locked down is that a number of clients are using it for a legitimate purpose - we can't just shut it off and tell those clients that we suddenly became security-conscious and they have to deal and find a shoddy host that will let them run their app. On the other hand, I can't see us allowing this to continue either.

Just because you're on a shared host it doesn't mean that you're on an insecure server. It will never be as tightly locked down as a dedicated server (or even a VPS, which is new at HostMySite) however that doesn't mean you're publishing your code for the world to see. IF that were the case we would change our name to HostMyBBS. :-)

Seriously, I will be taking this up with the CEO and COO tomorrow, and we'll be looking into possible alternatives so everyone gets what they want. I suspect the solution will be a little different for Windows as opposed to the Linux-based sites, however I'm not fluent in CFMX/JSP so I can't say for certain. If any of you have any suggestions that would accomplish both the functionality and the security, I'd be more than happy to entertain them and bring them before the CEO. I can assure you that your suggestions will not be brushed aside lightly for ANY reason.

Along a similar vein, locking down datasources via sandbox security was at one time considered, however it was discarded I believe because clients can attain the same level of security by simply adding a user/pass to their code via the Application.cfm and referencing the datasource that way. We will add the user/pass to the DSN upon request, however we ALWAYS tell clients before doing so that they are basically inviting other users on the server to read/write to their database.

If you have any questions and the CF mods have no problems with my being here, please feel free to post them and I'll either answer them to the best of my ability or find another rep from HostMySite.com who can.

Jamie Price
Email Administrator, Sr. Tech Support Rep
HostMySite.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207113
Re: Shared CF Host security
I have to say I've had great luck with serverbeach - myself and a few others chipped in and got ourselves a fairly high-end server at an end cost to me of under $50/month. Only catch was that we had to cough up for software licenses.

On 5/18/05, Damien McKenna [EMAIL PROTECTED] wrote:
You might as well look at other companies too, if you start looking at dedicated servers:
http://www.serverbeach.com/
http://www.ev1servers.net/
Etc.

--
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include stdjoke.h

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]

Speaking of CrystalTech, they have Windows *servers* for $80 monthly.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207114
RE: Shared CF Host security
> But with JSP enabled I am broadcasting my username and password to everyone on the server, as they can read my code.

Right - I was just trying to clarify that there were two separate issues at hand there. The JSP one is definitely an issue; datasources on the other hand run more to personal preference. Assuming that the JSP issue is resolved, the datasource problem is effectively solved as well.

> As dave suggested, a slight reorganisation of servers (or even instances on the same server) such that some run JSP and some don't would suffice. Customers needing JSP can take their chances on those servers and those who want some security can have the servers wherein it is disabled.

That's being considered as one alternative, but I'd personally like to avoid it if at all possible as it leads to complications on our end. This shouldn't be seen as laziness, it's just a reality - the more complex the backend is, the more likely it is that there will be an issue of some sort when it comes time to update the servers. Or having to explain to a novice JSP user why this stuff is insecure (shudder). I'd rather have it running and locked down permanently.

> Plus the idea of knowingly putting up a server with a gaping hole in security turns my stomach a little. For a shared host, the best CF security involves turning off JSP, disabling CFOBJECT and createobject() for all customers and sandboxing files for every app to allow access to only the account directory. If you can provide some servers with this config (secure hosting servers) and others with the more relaxed JSP option, you take care of both sets of needs and I stop whining like a child.

CFObject is insecure in v5.0, but with the advent of sandboxes I believe it was deemed safe in MX versions. If you believe I'm mistaken on that point please let me know. Currently our server config only disallows use of CFExecute and CFRegistry, both for fairly obvious reasons. Also RDS is disabled, but that should be a given as well.

Sandboxing isn't quite as simple as you make it out to be - it's not enough to simply have access restricted to the webroot. You also need to implement a host of other directories that CF needs access to for various reasons. Here's an example from one of our servers running MX 7.0:

c:\websites\DOMAIN_NAME\ Read,Write,Execute,Delete
c:\websites\DOMAIN_NAME\- Read,Write,Execute,Delete
c:\cfusionmx7\lib\updates Read
c:\cfusionmx7\lib\updates\- Read
c:\cfusionmx7\lib\cfxneo.dll Read
c:\cfusionmx7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp Read
c:\cfusionmx7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\- Read
c:\cfusionmx7\customtags\ Read,Execute
c:\cfusionmx7\customtags\- Read,Execute
c:\cfusionmx7\cfx\ Read
c:\cfusionmx7\cfx\- Read
c:\cfusionmx7\wwwroot\cfide Read
c:\cfusionmx7\wwwroot\cfide\- Read
c:\CFusionMX7\lib\vadmin.jar Read
c:\CFusionMX7\lib\verity.jar Read

And this is just a server that started out as v7. You should see one of the ones that was upgraded from v6.1.
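An added example, not code from the post or from the host: a small Python audit that parses a sandbox list in the layout quoted above (one "path permissions" entry per line, a trailing "\-" meaning the directory and everything below it) and flags grants that reach outside the account's own tree. The sample list, the account root c:\websites\example.com and the install path c:\cfusionmx7 are constructed for the example.

```python
"""
Audit a ColdFusion sandbox permission list for one shared-hosting account.

Assumptions: entries look like "<path> <Perm,Perm,...>" as in the post;
a trailing "\-" marks a recursive entry; paths are Windows paths and are
compared case-insensitively (the post mixes cfusionmx7 and CFusionMX7).
"""
import re
from dataclasses import dataclass

PERMS = {"Read", "Write", "Execute", "Delete"}

# Matches "c:\path\ Read,Write" and the recursive form "c:\path\- Read".
_RULE_RE = re.compile(r"^(?P<path>\S+?)(?P<rec>\\-)?\s+(?P<perms>[A-Za-z,]+)$")


@dataclass(frozen=True)
class Rule:
    path: str          # normalised: lower-case, no trailing backslash
    recursive: bool    # True for the "\-" form
    perms: frozenset


def _norm(path):
    return path.lower().rstrip("\\")


def parse_rules(text):
    """Parse one sandbox entry per line; refuse anything unparseable."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sandbox entry: {raw!r}")
        perms = frozenset(p.strip() for p in m.group("perms").split(","))
        if perms - PERMS:
            raise ValueError(f"unknown permission in entry: {raw!r}")
        rules.append(Rule(_norm(m.group("path")), m.group("rec") is not None, perms))
    return rules


def _under(path, base):
    base = _norm(base)
    return path == base or path.startswith(base + "\\")


def audit(rules, account_root, customers_base, cf_install):
    """
    Return (kind, path) findings. An empty list means every grant is either
    inside the account's own tree or a read/execute grant inside the CF
    install, which is the shape of the list quoted in the post.
    """
    findings = []
    for r in rules:
        if _under(r.path, account_root):
            continue                                    # the account's own files
        if _under(r.path, customers_base):
            findings.append(("cross-account", r.path))  # reaches other customers' code
        elif r.perms & {"Write", "Delete"}:
            findings.append(("write-outside-account", r.path))
        elif not _under(r.path, cf_install):
            findings.append(("unexpected-path", r.path))
    return findings


# Constructed sample in the post's format: two deliberate mistakes (a grant on
# the whole customers tree, and Write on a CF temp directory) are mixed in with
# entries of the kind CF itself needs.
SAMPLE = r"""
c:\websites\example.com\ Read,Write,Execute,Delete
c:\websites\example.com\- Read,Write,Execute,Delete
c:\cfusionmx7\lib\updates\- Read
c:\cfusionmx7\customtags\- Read,Execute
c:\cfusionmx7\wwwroot\cfide\- Read
c:\websites\- Read
c:\cfusionmx7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\- Read,Write
"""


def audit_sample():
    rules = parse_rules(SAMPLE)
    return audit(rules, r"c:\websites\example.com", r"c:\websites", r"c:\cfusionmx7")


if __name__ == "__main__":
    for kind, path in audit_sample():
        print(f"{kind}: {path}")
```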
Re: Shared CF Host security
Hi James,

There was a lengthy thread about this a few weeks ago, the archive has it at: http://www.houseoffusion.com/cf_lists/messages.cfm/forumid:4/threadid:39776

Have a good one,
Joe

On 5/17/05, James Holmes [EMAIL PROTECTED] wrote:
> While security can never be perfect in a shared hosting environment, am I expecting too much to have at least a modicum of security on a shared server? For example, if others can access my datasources and do whatever they want to my database and they can read all of the source code of my apps, I get a little concerned. I know I can buy VPS hosting for genuine security, but would anyone else expect a shared host to at least attempt some security or would they be happy to just have them give up and allow open slather?
RE: Shared CF Host security
Oh, yes, I remember that now; although its focus was the Application scope, it is still relevant. This probably sums it up, from Dave Watts:

> Safety and security are hardly ever the first concerns of, well, anyone. With security, just like with anything else, you get what you pay for. If you have shared hosting, you're not paying for security or safety, and any that you get is simply a happy coincidence.

Ain't that the truth.

-Original Message- From: Joe Rinehart [mailto:[EMAIL PROTECTED] Sent: Wednesday, 18 May 2005 9:14 To: CF-Talk Subject: Re: Shared CF Host security
Re: Shared CF Host security
Aye, good advice. Having used a shared host, I'd recommend getting in touch with a tech, having them remove username/password from any datasources they've set up for you, and passing them along in your CFQuery tags.

-Joe

On 5/17/05, James Holmes [EMAIL PROTECTED] wrote:
Re: Shared CF Host security
That wouldn't work because you can see the tags.

~Dave the disruptor~

From: Joe Rinehart [EMAIL PROTECTED] Sent: Tuesday, May 17, 2005 9:37 PM To: CF-Talk cf-talk@houseoffusion.com Subject: Re: Shared CF Host security
RE: Shared CF Host security
Yes, that's my problem - everyone on the server can read the code so I'm screwed no matter what I do.

-Original Message- From: dave [mailto:[EMAIL PROTECTED] Sent: Wednesday, 18 May 2005 9:45 To: CF-Talk Subject: Re: Shared CF Host security
Re: Shared CF Host security
Wow, now that's a _really_ cheap host. I'd move on - your (or your client's) intellectual property in the code has to be worth the price increase!

-Joe

On 5/17/05, James Holmes [EMAIL PROTECTED] wrote:
RE: Shared CF Host security
Since the host is HostMySite (Smarterlinux actually, but same deal) I would have expected more, but I'm inclined to agree with you.

-Original Message- From: Joe Rinehart [mailto:[EMAIL PROTECTED] Sent: Wednesday, 18 May 2005 10:28 To: CF-Talk Subject: Re: Shared CF Host security
Re: Shared CF Host security
I guess I'm trying to understand how your host can be so sloppy. I don't recall ever being on a shared hosting environment that had that problem. Forget VPS, get yourself a new host.

Rey..

James Holmes wrote:
RE: Shared CF Host security
Well, it's the same problem at CrystalTech, so there are your 2 biggest CFM hosts, and before you say that your host wouldn't let that happen you'd better try it and see; you will be as surprised as I was!

~Dave the disruptor~

From: James Holmes [EMAIL PROTECTED] Sent: Tuesday, May 17, 2005 10:33 PM To: CF-Talk cf-talk@houseoffusion.com Subject: RE: Shared CF Host security
Re: Shared CF Host security
You wanna try this on your host and see what happens?

~Dave the disruptor~

From: Rey Bango [EMAIL PROTECTED] Sent: Tuesday, May 17, 2005 10:34 PM To: CF-Talk cf-talk@houseoffusion.com Subject: Re: Shared CF Host security
Re: Shared CF Host security
Try what Dave? You have an example? I'd be glad to.

Rey...

dave wrote:
Re: Shared CF Host security
Sent off list.

~Dave the disruptor~

From: Rey Bango [EMAIL PROTECTED] Sent: Tuesday, May 17, 2005 10:51 PM To: CF-Talk cf-talk@houseoffusion.com Subject: Re: Shared CF Host security
Re: Shared CF Host security
btw~ I was wrong on this thread and publicly I would like to apologize to James for thinking he was being wacko :) But again, if my disruptor wouldn't have gone off this might have gotten passed over. Again, James, I'm sorry I doubted you and will never do so again ;)~

~Dave the disruptor~
RE: Shared CF Host security
No need for apologies - I wouldn't have believed a host could be so lazy either. I am wrong occasionally, you know (just not this time :-)

-Original Message- From: dave [mailto:[EMAIL PROTECTED] Sent: Wednesday, 18 May 2005 11:04 To: CF-Talk Subject: Re: Shared CF Host security
RE: Shared CF Host security
This should illustrate the point regarding HMS - _everyone_ who shared-hosts there is susceptible to the same problem.

http://www.robrohan.com/blog/
http://www.robrohan.com/blog/index.cfm?mode=entryentry=EDCB81D8-C8F0-B537-1824A53C962059D3 (watch for any wrapping in the url)

-Original Message- From: Rey Bango [mailto:[EMAIL PROTECTED] Sent: Wednesday, 18 May 2005 10:51 To: CF-Talk Subject: Re: Shared CF Host security
RE: Shared CF Host security
Well, and it's also at CrystalTech too, so if you are there don't think it's not happening there, because it is.

~Dave the disruptor~

From: James Holmes [EMAIL PROTECTED] Sent: Wednesday, May 18, 2005 12:30 AM To: CF-Talk cf-talk@houseoffusion.com Subject: RE: Shared CF Host security
Re: Shared CF Host security
So what exactly is the security issue? Username/password set in the datasource? Full access to the file system?

- Original Message - From: James Holmes [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Tuesday, May 17, 2005 10:29 PM Subject: RE: Shared CF Host security