RE: VPS Accounts and CFMX 7

2005-04-23 Thread James Holmes
I agree that there should be a demand - CF in a shared environment is a risky proposition, even with sandboxing. Anyone with moderate security needs would have to consider a VPS solution. -Original Message- From: Jordan Michaels [mailto:[EMAIL PROTECTED] Sent: Saturday, 23 April 2005 4:0

Re: CrystalTech Users Beware

2005-04-23 Thread Jochem van Dieten
Connie DeCinko wrote: > Right, but... What if you chose a common name and someone on the same > server does the same. Also, what if you need to test different versions of > the same application on the same server? Shouldn't sandboxing protect you > from that? Sandboxes in CF 5 used to have that

some IE 7 details released

2005-04-23 Thread Jochem van Dieten
http://blogs.msdn.com/ie/archive/2005/04/22/410963.aspx I am very excited about the CSS fixes. I just hope IE7 will be available for Win2K too. Jochem

cfx_getimage

2005-04-23 Thread bob
I can't seem to get cfx_getimage to work if I am using a JDBC datasource. Does anyone know of another other custom tags that will let me display an image that is stored in a SQL Server database as type 'image'? I've found cfx_open image and cfx_image, but the documentation is extremely minimal (

CFFORM format="flash" Problems!

2005-04-23 Thread Paul Wilson
I was playing around with the tab navigator today. You need to give your tab formgroup an "id" attribute and you can then use myTabID.selectedIndex. The first tab has an index of 0. Try the Flex/Flash documentation. The tab component is based on a Flex. http://livedocs.macromedia.com/flex/15/a

login issues

2005-04-23 Thread sp
We run a paid subscription service for students to help them pass their state and national boards. We've found that some subscribers are passing around their login info and getting into our site for free. I've tried to do an IP comparison when two users login with the same login. This is not ide

Re: CFX_Zip and Empty Directories

2005-04-23 Thread S . Isaac Dealey
> >>it uses java. > and Java uses? To zip and unzip files? Java uses the operating system if that's what you're referring to - it doesn't need WinZip or PKZip that I'm aware of... ZIP is a format (open source? ... at least, I'm not aware anyone claims copyright on the format)... So java.uti

RE: cfx_getimage

2005-04-23 Thread James Holmes
In Oracle we just query a BLOB and write it to a temporary file for display with cfcontent - can you not do the same in SQL server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Saturday, 23 April 2005 9:04 To: CF-Talk Subject: cfx_getimage I can't seem to g

Re: CFX_Zip and Empty Directories

2005-04-23 Thread Claude Schneegans
>>To zip and unzip files? Java uses the operating system if that's what >>you're referring to Exact; what I mean is that all those Zip facilities use about the same zip library of tools. If this library does not include empty directories in the zipped file, no matter you go through PKZip, winZ

RE: login issues

2005-04-23 Thread Michael T. Tangorre
> From: [EMAIL PROTECTED] [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > We run a paid subscription service for students to help them > pass their state and national boards. We've found that some > subscribers are passing around their login info and getting > into our site for free. I've tried t

Re: CrystalTech Users Beware

2005-04-23 Thread Pete Ruckelshaus
Don't blame your bad coding practices on CrystalTech. Of course two different applications with the same name are likely to cause conflict on a server...any server...even one that you own and have total control over; if you name two applications the same thing you will run into this. Pete

RE: CrystalTech Users Beware

2005-04-23 Thread Peter Farrell
Hashing your app name isn't going to protect you from others on a shared server from looking in on you: That code can be run by anyone on the server and you'll see the application name and the dump of ALL the sessions for that app.

RE: CrystalTech Users Beware

2005-04-23 Thread Dave Merrill
Interesting, wasn't aware of that. Is there any way to guard against that kind of exploit, other than encrypting everything in application and session scope, which would be very inefficient and annoying? Dave Merrill > Hashing your app name isn't going to protect you from others on a > shared s

Re: CrystalTech Users Beware

2005-04-23 Thread Jochem van Dieten
Dave Merrill wrote: > Interesting, wasn't aware of that. > > Is there any way to guard against that kind of exploit, other than > encrypting everything in application and session scope, which would be very > inefficient and annoying? Disabling createObject() and cfobject for Java objects in the

Re: CrystalTech Users Beware

2005-04-23 Thread Jochem van Dieten
Pete Ruckelshaus wrote: > Don't blame your bad coding practices on CrystalTech. Where am I using bad coding practices? Where do I blame them on CrystalTech? Jochem

Re: CrystalTech Users Beware

2005-04-23 Thread Sean Corfield
On 4/23/05, Peter Farrell <[EMAIL PROTECTED]> wrote: > Hashing your app name isn't going to protect you from others on a shared > server from looking in on you: > > > createObject("java","coldfusion.runtime.ApplicationScopeTracker")> But sandbox security can turn that off... -- Sean A Corfiel

RE: login issues

2005-04-23 Thread sp
I did in the past implement something like you said about putting a flag in the DB whenever a user logs in and not allowing further logins unless there is first a log off. The problem that came up was that quite a few people were on dial up and when they lost the connection and logged in again

RE: CrystalTech Users Beware

2005-04-23 Thread Jim Davis
> -Original Message- > From: Peter Farrell [mailto:[EMAIL PROTECTED] > Sent: Saturday, April 23, 2005 12:33 PM > To: CF-Talk > Subject: RE: CrystalTech Users Beware > > Hashing your app name isn't going to protect you from others on a shared > server from looking in on you: It not hashing

RE: CrystalTech Users Beware

2005-04-23 Thread Jim Davis
Sorry - I didn't look at the attached code well enough (I just got up, yeah, I know it's one o'clock). ;^) You're right - if the server allows access to the core Java Components this will work. Jim Davis > -Original Message- > From: Jim Davis [mailto:[EMAIL PROTECTED] > Sent: Saturday,

RE: CrystalTech Users Beware

2005-04-23 Thread Jim Davis
> -Original Message- > From: Jochem van Dieten [mailto:[EMAIL PROTECTED] > Sent: Saturday, April 23, 2005 1:05 PM > To: CF-Talk > Subject: Re: CrystalTech Users Beware > > Pete Ruckelshaus wrote: > > Don't blame your bad coding practices on CrystalTech. > > Where am I using bad coding pra

RE: login issues

2005-04-23 Thread Adrian Lynch
How about logging the user out before they login? It won't stop them sharing and using the system at different times, but if one is logged in and then suddenly gets logged out they may think twice about letting this other user use their login details. Ade -Original Message- From: [EMAIL

Re: CrystalTech Users Beware

2005-04-23 Thread Sean Corfield
On 4/23/05, Jim Davis <[EMAIL PROTECTED]> wrote: > Using a hash of the directory ensures to a great degree of certainty that > the name won't be accidentally used again. Adding the salt attempts to > ensure that nobody could guess the name easily just by knowing your > application path. To be hon

RE: CrystalTech Users Beware

2005-04-23 Thread Jim Davis
> -Original Message- > From: Sean Corfield [mailto:[EMAIL PROTECTED] > Sent: Saturday, April 23, 2005 1:34 PM > To: CF-Talk > Subject: Re: CrystalTech Users Beware > > On 4/23/05, Jim Davis <[EMAIL PROTECTED]> wrote: > > Using a hash of the directory ensures to a great degree of certainty

Re: Application Scope (was: CrystalTech Users Beware)

2005-04-23 Thread Jared Rypka-Hauer - CMG, LLC
Thanks Bryan, that helps... not that it's really any of my business anyway. It's just that once in a while someone says something that makes me cringe... your post about application vars was one of them. There are so many misperceptions or even just situations where someone says things about "CF"

Re: Application Scope (was: CrystalTech Users Beware)

2005-04-23 Thread Bryan Stevenson
> Thanks Bryan, that helps... not that it's really any of my business > anyway. hehe...no worries...reminds me of another misconception I had based on something long ago. I think it was Barney B. that set me straight that CF is not case sensitive (like say Oracle). I had all these kinds of co

RE: CrystalTech Users Beware

2005-04-23 Thread Dave Watts
> > Hashing your app name isn't going to protect you from > > others on a shared server from looking in on you: > > > > > > > createObject("java","coldfusion.runtime.ApplicationScopeTracker")> > > But sandbox security can turn that off... Well, yes, assuming that CFML code is your only route

Re: CrystalTech Users Beware

2005-04-23 Thread Sean Corfield
On 4/23/05, Jim Davis <[EMAIL PROTECTED]> wrote: > Exactly as I've said before. You should expect compromise when sharing - > it's just that simple. Yes. > Saying "get a dedicated server" is all well and good but a lot of people > don't have the money. So what can you do with your $20 a month?

RE: login issues

2005-04-23 Thread Connie DeCinko
How about checking for concurrent logins? Seems to me that more often than not, if people are sharing passwords at some point they will be logged on at the same time. Then disable that account for abuse. -Original Message- From: [EMAIL PROTECTED] [EMAIL PROTECTED] [mailto:[EMAIL PROTEC

RE: CrystalTech Users Beware

2005-04-23 Thread Connie DeCinko
No, even so, that is a major bug in ColdFusion and/or sandboxing, or at least a problem with the configuration. This means that someone could maliciously decide to hijack my site just because they are on the same box and guessed my application name. Security should be #1 at any hosting price leve

RE: CrystalTech Users Beware

2005-04-23 Thread Jim Davis
> -Original Message- > From: Connie DeCinko [mailto:[EMAIL PROTECTED] > Sent: Saturday, April 23, 2005 2:12 PM > To: CF-Talk > Subject: RE: CrystalTech Users Beware > > No, even so, that is a major bug in ColdFusion and/or sandboxing, or at > least a problem with the configuration. This m

RE: login issues

2005-04-23 Thread Jim Davis
> -Original Message- > From: Connie DeCinko [mailto:[EMAIL PROTECTED] > Sent: Saturday, April 23, 2005 2:08 PM > To: CF-Talk > Subject: RE: login issues > > How about checking for concurrent logins? Seems to me that more often > than > not, if people are sharing passwords at some point th

? and #

2005-04-23 Thread Stephens, Larry V
I know it's been asked but I can't find it in the archives or stored on my machine. How do I use the syntax "http://somewhere.com/mydir/myfile.cfm?#SESSION.AddToken#"; and combine it with a page jump #pageLocation ? I've tried putting it different places in the URL and can't get it to work. Than

Re: CrystalTech Users Beware

2005-04-23 Thread Sean Corfield
On 4/23/05, Connie DeCinko <[EMAIL PROTECTED]> wrote: > No, even so, that is a major bug in ColdFusion and/or sandboxing, or at > least a problem with the configuration. No, it's a feature of the underlying Java servlet platform. Go read the docs about how the underlying context works and you'll s

Re: CrystalTech Users Beware

2005-04-23 Thread Cameron Childress
On 4/23/05, Jim Davis <[EMAIL PROTECTED]> wrote: > "Security" and "Cheap" just don't go together. That being said CrystalTech, > HostMySite and many other CF hosts still provide good (but nowhere near > perfect) security configurations on their shared servers. I think that the key phrase here is "Y

RE: ? and #

2005-04-23 Thread Dave Merrill
If I'm understanding your question, ## evaluates as #, and #pageLocation should be part of the url itself, not the query string. Is one of those what you're running into? So, I think this should work (can't test it right now): http://somewhere.com/mydir/myfile.cfm##pageLocation?#SESSION.AddToken#

Re: CrystalTech Users Beware

2005-04-23 Thread Brian Kotek
As someone who hosts with Crystaltech and has never had any problems, I think it's also important to point out that the problem being discussed here is not Crystaltech's "fault"; this will affect every single person who uses a shared server, regardless of who hosts it. On 4/23/05, Cameron Childres

Re: CrystalTech Users Beware

2005-04-23 Thread Jochem van Dieten
Connie DeCinko wrote: > No, even so, that is a major bug in ColdFusion and/or sandboxing, or at > least a problem with the configuration. This means that someone could > maliciously decide to hijack my site just because they are on the same box > and guessed my application name. It is documented

RE: CrystalTech Users Beware

2005-04-23 Thread Vince Bonfanti
It's not exactly true that "all sorts of code other than CF" have these sorts of problems in shared hosting environments. ASP.NET, for example, isolates every application from all the others just to avoid these problems. If you're running BlueDragon.NET, then your CFML inherits this application iso

RE: CrystalTech Users Beware

2005-04-23 Thread Jim Davis
> -Original Message- > From: Vince Bonfanti [mailto:[EMAIL PROTECTED] > Sent: Saturday, April 23, 2005 5:29 PM > To: CF-Talk > Subject: RE: CrystalTech Users Beware > > It's not exactly true that "all sorts of code other than CF" have these > sorts of problems in shared hosting environment

RE: login issues

2005-04-23 Thread dave
I don't know if I would use social security #, I mean mine is 555-12- or was it 123-45-6789 or maybe 999-99-, you can't really validate its "correctness" besides the syntax. Maybe use their cc # or checking account # as their username (securely of course) because they can't fake that and

RE: login issues

2005-04-23 Thread Michael T. Tangorre
> From: dave [mailto:[EMAIL PROTECTED] > Maybe use their cc # or checking account # as their username > (securely of course) because they can't fake that and it's > highly doubtful they will pass that # around to their friends. You can fake it. I can generate you any valid credit card number yo

RE: login issues

2005-04-23 Thread dave
right, I shoulda added that, I was assuming the user had previously bought access to the site via cc or checking account #, in which case that number would become their username. Or an additional way would be to use a regular username and password and also store their signup IP and compare it at lo

RE: login issues

2005-04-23 Thread Michael T. Tangorre
> From: dave [mailto:[EMAIL PROTECTED] > right, I shoulda added that, I was assuming the user had > previously bought access to the site via cc or checking > account #, in which case that number would become their > username. Or an additional way would be to use a regular username > and password

RE: login issues

2005-04-23 Thread dave
lol, i know huh! Or you can just take the stand of just letting them share, because those ppl probably wouldn't pay anyways but someone they show might, and then you at least get a sale that you wouldn't have before. May sound dumb but what can you do. From

RE: CrystalTech Users Beware

2005-04-23 Thread Dave Watts
> No, even so, that is a major bug in ColdFusion and/or > sandboxing, or at least a problem with the configuration. > This means that someone could maliciously decide to hijack my > site just because they are on the same box and guessed my > application name. Security should be #1 at any host

Re: CrystalTech Users Beware

2005-04-23 Thread Cameron Childress
> On 4/23/05, Cameron Childress <[EMAIL PROTECTED]> wrote: > > I think that the key phrase here is "You get what you pay for, On 4/23/05, Brian Kotek <[EMAIL PROTECTED]> wrote: > As someone who hosts with Crystaltech and has never had any problems, > I think it's also important to point out that t

Re: CrystalTech Users Beware

2005-04-23 Thread Cameron Childress
I think that some people on the list are blowing this issue out of proportion as a "bug" when it's really just expected behavior (and always has been) for ColdFusion. However, I don't think it would be a bad idea for Macromedia to examine this and other security issues for adjustment in future ver

Re: CrystalTech Users Beware

2005-04-23 Thread dave
" However, I don't think it would be a bad idea for Macromedia to examine this and other security issues for adjustment in future versions of ColdFusion." Umm, I don't think Macromedia will be releasing any more versions of ColdFusion Fr

Re: CrystalTech Users Beware

2005-04-23 Thread Cameron Childress
On 4/23/05, dave <[EMAIL PROTECTED]> wrote: > Umm, I don't think Macromedia will be releasing any more versions of > ColdFusion Zzz -Cameron -- Cameron Childress Sumo Consulting Inc http://www.sumoc.com --- cell: 678.637.5072 aim: cameroncf email: [EMAIL PROTECTED]

OT: need a little help with Apache please

2005-04-23 Thread Mike Kear
I'm needing a little help in understanding Apache's configuration please. I want to set up my various sites on my PCs as virtual hosts in Apache, but I'm not sure how. My directory structure is as follows: c:/sites c:/sites/intranet c:/sites/clientsite1 c:/sites/clientsite2 etc and I understood I co

Getting MS Exchange Mailbox Info??

2005-04-23 Thread Ramiro Estrada
Anyone been able to get mailbox info such as the size from an Exchange server using a CFSCRIPT or other way? -R

RE: low-end web hosting?

2005-04-23 Thread Don R Seibert
Try SeiberSpace Technologies, LLC: low-end, but lots of personal service. CF MX 6.1, MSSQL, MySQL, and Access. http://www.seiberspace.net -Original Message- From: E C list [mailto:[EMAIL PROTECTED] Sent: Sunday, April 10, 2005 11:53 AM To: CF-Talk Subject: RE: low-end web hosting? I al

Good Log File Parser?

2005-04-23 Thread Britta Bennett
I run a pile of sites on subdirectories off a main site with a single IP. When the browser hits the main page of the IP it masks the URL and then pulls the page in the subdirectory. www.thesite.com/dd/ (one domain) www.thesite.com/rw/ (another domain) etc. I need a ColdFusion log file analyz

Re: OT: need a little help with Apache please

2005-04-23 Thread Chris Jensen
Hi, > but i'm not sure what i should put in my http.conf file. Your http.conf file looks good. Do you have a DNS or hosts file entry for clientsite1? I take it you're running your browser and apache on the same PC? In which case you should add the following line to the hosts file on the PC. 127

Re: OT: need a little help with Apache please

2005-04-23 Thread Mike Kear
Thanks Chris, I'd forgotten about the hosts file. But when I changed it, all those URLs led to the same place - to the root c:\sites. Does that mean I have to change hosts to the following (in which case I'm wondering why bother - it's as much work as typing the whole URL as I've always had to do