Re: Big SQL security hole at Crystaltech?

2006-05-13 Thread Denny Valliant
Wow. Lots going on for me. Just catching up on some talk. I LOVE what has been done with Server 2003. MS is finally taking a better approach, and getting away from the default insecure idea. To be fair, most linux distros were pretty bad, out of the box, themselves. But, they at least tend to

RE: Big SQL security hole at Crystaltech?

2006-05-10 Thread Snake
, 09 May 2006 17:06 To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? Maybe the problem is that you're talking to Microsoft fans, whoever they are. Most users of Windows, or almost any other product for that matter, aren't fans - they may be satisfied customers, but they're

RE: Big SQL security hole at Crystaltech?

2006-05-10 Thread Tom Chiverton
On Wed, May 10, 2006 at 10:39 AM, in message [EMAIL PROTECTED], [EMAIL PROTECTED] wrote: Well given the choice between using an MS product that is not very good, or finding a spare computer, installing linux, learning how to use Linux, installing the better product, learning how to use

Re: Big SQL security hole at Crystaltech?

2006-05-10 Thread Andy Allan
On 10/05/06, Tom Chiverton [EMAIL PROTECTED] wrote: On Wed, May 10, 2006 at 10:39 AM, in message [EMAIL PROTECTED], [EMAIL PROTECTED] wrote: Well given the choice between using an MS product that is not very good, or finding a spare computer, installing linux, learning how to use Linux,

RE: Big SQL security hole at Crystaltech?

2006-05-10 Thread Snake
2006 12:02 To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? On Wed, May 10, 2006 at 10:39 AM, in message [EMAIL PROTECTED], [EMAIL PROTECTED] wrote: Well given the choice between using an MS product that is not very good, or finding a spare computer, installing linux, learning how

RE: Big SQL security hole at Crystaltech?

2006-05-10 Thread Munson, Jacob
That's kinda like UNIX/Linux fans who will use Unix based stuff no matter how much of a PIA it is, right? My post previous to the one you replied to stated this point exactly. There are fanatical users in every camp. I was just responding to an accusation that there are only Linux fanatics,

RE: Big SQL security hole at Crystaltech?

2006-05-10 Thread Munson, Jacob
The more Corporate America starts to switch to Linux, the more holes you'll see. The more people use Oracle or DB2, the more holes you'll see. Damn, look at the fixes in the last 3 months from Firefox and they're at only 10% of the market share vs. 75.1% per Omniture. I agree, but my beef

RE: Big SQL security hole at Crystaltech?

2006-05-10 Thread Mark A Kruger
- From: Munson, Jacob [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 10, 2006 8:39 AM To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? That's kinda like UNIX/Linux fans who will use Unix based stuff no matter how much of a PIA it is, right? My post previous to the one you

RE: Big SQL security hole at Crystaltech?

2006-05-10 Thread Terry L Schmitt
@houseoffusion.com To CF-Talk cf-talk@houseoffusion.com cc Subject RE: Big SQL security hole at Crystaltech? Jacob, That was me, and I did not use the word fanatic. I was responding to someone who declared themselves a linux snob. I was only speaking from personal experience. There are 6 developers

RE: CF on non-MS platforms (was: Big SQL security hole at Crystaltech?)

2006-05-10 Thread Munson, Jacob
Hi Mark, I am that self professed 'Linux Snob', and the reason I'm saying that is to show that I am generally one of the people that you are trying to describe. However, like you and your friends, I do use Windows for some things, like the desktop (but not Office, except at work). And like you

RE: Big SQL security hole at Crystaltech?

2006-05-10 Thread Snake
Nothing anymore -Original Message- From: Terry L Schmitt [mailto:[EMAIL PROTECTED] Sent: 10 May 2006 15:48 To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? So what's this got to do with CrystalTech and SQL Server

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
00:09 To: CF-Talk Subject: Re: Big SQL security hole at Crystaltech? 1) Going with the default is no excuse for an ISP when it comes to security (if that's what has happened) 2) If a client puts their user/pass in the DSN, it's their own damn fault...not the ISP! (of course you'd still need

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
of my databases on any SQL server has a default guest user on them. Snake -Original Message- From: Joel [mailto:[EMAIL PROTECTED] Sent: 09 May 2006 00:54 To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? Hi Guys, The script you are after is http://support.microsoft.com/kb

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
Holmes [mailto:[EMAIL PROTECTED] Sent: 09 May 2006 02:13 To: CF-Talk Subject: Re: Big SQL security hole at Crystaltech? With sandboxing and no cfobject (java) tag, this can be done with reasonable safety. On 5/9/06, Bryan Stevenson [EMAIL PROTECTED] wrote: Especially as a lot of clients put

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Munson, Jacob
I hate to chime in kind of OT, but these and other reasons are why I host on Linux with MySQL. I feel a lot safer, and my host doesn't have to run any unsafe scripts to turn off bad default options. But I understand that most people are more familiar with Windows and such, and that's why they

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread James Holmes
The good thing about CF is that as a J2EE app, code works (for the most part) on Linux and on Windows. The bad thing about this portability is that the same security holes are just as portable; a CF server with JSP enabled and no sandboxing is as bad on Windows as on Linux. The DB may be less of a

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Munson, Jacob
The good thing about CF is that as a J2EE app, code works (for the most part) on Linux and on Windows. The bad thing about this portability is that the same security holes are just as portable; a CF server with JSP enabled and no sandboxing is as bad on Windows as on Linux. The DB may be less

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Jochem van Dieten
Munson, Jacob said: I hate to chime in kind of OT, but these and other reasons are why I host on Linux with MySQL. I feel a lot safer, and my host doesn't have to run any unsafe scripts to turn off bad default options. MySQL makes you feel safer? quote On all platforms, an important

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
Cozz we're not mad enough to want to learn how to use Linux :-) -Original Message- From: Munson, Jacob [mailto:[EMAIL PROTECTED] Sent: 09 May 2006 15:27 To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? The good thing about CF is that as a J2EE app, code works

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Aaron Rouse
To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? The good thing about CF is that as a J2EE app, code works (for the most part) on Linux and on Windows. The bad thing about this portability is that the same security holes are just as portable; a CF server with JSP enabled

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Dave Watts
I really am perplexed as to why the majority of CF users use Windows/MSSQL (at least from what I've seen). You'd think with such a strong affinity for MS products, they'd be using ASP.Net as well, but that's not the case. I know, I know, CF is a LOT better than ASP.Net, but I could say

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Dave Watts
I hate to chime in kind of OT, but these and other reasons are why I host on Linux with MySQL. I feel a lot safer, and my host doesn't have to run any unsafe scripts to turn off bad default options. Feeling a lot safer is not a good justification for choosing a platform. You should know

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Bryan Stevenson
it's usually not hard to guess someone's DSN, it's usually the sitename or something similar, Snake Again...that's the fault of the person picking the name...not the ISP...not a reason for an ISP to be lazy Bryan Stevenson B.Comm. VP Director of E-Commerce Development Electric Edge Systems

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Bryan Stevenson
What I have seen happen a lot is people switch to Linux because they hate windows. Everything is up and running fine for them but they do not invest the proper time to learn how to maintain the box to keep aware of security patches. Now you have an OS with multiple services from multiple

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Munson, Jacob
What I have seen happen a lot is people switch to Linux because they hate windows. Everything is up and running fine for them but they do not invest the proper time to learn how to maintain the box to keep aware of security patches. Now you have an OS with multiple services from

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Bryan Stevenson
As for saying Oracle/DB2/MySQL are a lot better than MS SQL Server, not so much. SQL Server is far, far easier to configure, manage and maintain than Oracle and DB2, and has tons of functionality; MySQL is just catching up. Overall, for many CF developers, MS SQL Server is arguably the best

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
Couldn't have said it better :-) -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: 09 May 2006 16:09 To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? I really am perplexed as to why the majority of CF users use Windows/MSSQL (at least from what I've

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Aaron Rouse
When I started with web stuff we ran linux for our mail server and NT for our CF server and this was back in 1996 or so. We stayed with Linux for many years and eventually went to FBSD, and we still have one FBSD box up and running for email/dns needs. Learned the hard way how to secure linux

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread James Holmes
Another aspect of this is that in Windows it's notoriously difficult to run as anything other than an Administrator and have anything work. In Linux/UNIX, operating as root is seldom necessary. On 5/9/06, Munson, Jacob [EMAIL PROTECTED] wrote: What I have seen happen a lot is people switch to

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
I didn't say it was. -Original Message- From: Bryan Stevenson [mailto:[EMAIL PROTECTED] Sent: 09 May 2006 16:14 To: CF-Talk Subject: Re: Big SQL security hole at Crystaltech? it's usually not hard to guess someone's DSN, it's usually the sitename or something similar, Snake Again

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Aaron Rouse
Admittedly it has been awhile since I have installed a Linux box, I switched to FBSD years ago and stuck with that choice. Even with FBSD though, and I am sure it is true with most xNIX distributions, it boils down to what the sysadmin decides to install and a lot of times someone who does not

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Bryan Stevenson
I didn't say it was. Sorry...felt like you were saying shared hosting was insecure because DSNs could be guessed ;-) flippin e-mail! ;-) Cheers Bryan Stevenson B.Comm. VP Director of E-Commerce Development Electric Edge Systems Group Inc. phone: 250.480.0642 fax: 250.480.1264 cell:

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Mark A Kruger
Ditto here... -Original Message- From: Bryan Stevenson [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 09, 2006 10:22 AM To: CF-Talk Subject: Re: Big SQL security hole at Crystaltech? As for saying Oracle/DB2/MySQL are a lot better than MS SQL Server, not so much. SQL Server is far

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Mark A Kruger
That's just not true -Original Message- From: James Holmes [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 09, 2006 10:27 AM To: CF-Talk Subject: Re: Big SQL security hole at Crystaltech? Another aspect of this is that in Windows it's notoriously difficult to run as anything other

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
:[EMAIL PROTECTED] Sent: 09 May 2006 16:27 To: CF-Talk Subject: Re: Big SQL security hole at Crystaltech? Another aspect of this is that in Windows it's notoriously difficult to run as anything other than an Administrator and have anything work. In Linux/UNIX, operating as root is seldom necessary

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Marlon Moyer
What I have seen happen a lot is people switch to Linux because they hate windows. Everything is up and running fine for them but they do not invest the proper time to learn how to maintain the box to keep aware of security patches. Now you have an OS with multiple services from multiple open

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
PROTECTED] Sent: 09 May 2006 16:38 To: CF-Talk Subject: Re: Big SQL security hole at Crystaltech? I didn't say it was. Sorry...felt like you were saying shared hosting was insecure because DSNs could be guessed ;-) flippin e-mail! ;-) Cheers Bryan Stevenson B.Comm. VP Director of E-Commerce

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Munson, Jacob
Really? I have no problems at all logging in with non administrator accounts and managing the servers, it's not difficult at all. And the services on the server do not run under administrator, they run under the SYSTEM account by default. Oh cool! So if I remotely take over a SQL Server,

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Plunkett, Matthew
SYSTEM is a member of the Administrators group. -Original Message- From: Snake Sent: Tuesday, May 09, 2006 11:49 AM To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? Really? I have no problems at all logging in with non administrator accounts and managing the servers, it's

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Dave Watts
I think you are correct for /some/ Linux distributions (like Mandriva), but this is not the case for the majority of them. The biggest security difference between Windows and Linux is that Linux forces the sysadmin to turn on services as he needs them. Windows 2000 and earlier assumed

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Plunkett, Matthew
-Talk Subject: RE: Big SQL security hole at Crystaltech? SYSTEM is a member of the Administrators group.

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
If that is how it has been set up then yes. Although the SYSTEM account is not an administrator. -Original Message- From: Munson, Jacob [mailto:[EMAIL PROTECTED] Sent: 09 May 2006 16:56 To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? Really? I have no problems at all

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Mark A Kruger
at Crystaltech? SYSTEM is a member of the Administrators group. -Original Message- From: Snake Sent: Tuesday, May 09, 2006 11:49 AM To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? Really? I have no problems at all logging in with non administrator accounts and managing

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Aaron Rouse
I think that has a lot to do with when each database was introduced to the market. Oracle's SQL Developer is not a bad little tool though. On 5/9/06, Bryan Stevenson [EMAIL PROTECTED] wrote: Yep...Oracle is highly overrated in my books...use it all the time for govt work...would far

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Munson, Jacob
Oracle just released a free admin tool similar to Toad, by the way. Can't remember what it's called though. -Original Message- From: Bryan Stevenson [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 09, 2006 10:29 AM patches out lately. SQL Server is pretty easy to secure, actually.

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Bryan Stevenson
Oracle just released a free admin tool similar to Toad, by the way. Can't remember what it's called though. Oracle SQL Developer Bryan Stevenson B.Comm. VP Director of E-Commerce Development Electric Edge Systems Group Inc. phone: 250.480.0642 fax: 250.480.1264 cell: 250.920.8830 e-mail:

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Munson, Jacob
Conclusion: server administration requires knowledgeable system administrators. Agreed. Not really. Windows was designed as a desktop operating system, at a time when most networks didn't extend outside the building. I suspect that Netware 3.x had lots of vulnerabilities too, if anyone

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Dave Watts
Well, Win2k had a lot of services on by default. There were a lot of small companies that bought a Win2k machine, and got attacked by that huge virus that took down the Windows world back then. They didn't know that their basic network server was also serving up a default website, and

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Munson, Jacob
I'm a Linux snob, and I'll admit it. While I use Windows for my desktop, I have good reasons for liking Linux on the server, and you guys have good reasons for liking Windows, and I don't think anything is ever going to change our opinions. :) - This transmission may contain

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
Dunno what you're using then, as it's not on any of my servers. -Original Message- From: Plunkett, Matthew [mailto:[EMAIL PROTECTED] Sent: 09 May 2006 17:22 To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? SYSTEM is a member of the Administrators group. -Original

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Dave Watts
I'm a Linux snob, and I'll admit it. While I use Windows for my desktop, I have good reasons for liking Linux on the server, and you guys have good reasons for liking Windows, and I don't think anything is ever going to change our opinions. This has nothing to do with likes or dislikes,

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Snake
Use a Commodore 64? -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: 09 May 2006 21:12 To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? I'm a Linux snob, and I'll admit it. While I use Windows for my desktop, I have good reasons for liking Linux

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Mark A Kruger
In this case snobbery is a one way street. Like most IT folks who most often use Windows servers, we also have a number of Linux or 'nix based servers. I like them. I put them to good use and I have good things to say about them. But that sort of practical charity is not usually reciprocated from the

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Jochem van Dieten
Dave Watts wrote: Another aspect of this is that in Windows it's notoriously difficult to run as anything other than an Administrator and have anything work. In Linux/UNIX, operating as root is seldom necessary. This isn't really accurate. It's quite easy to run almost all services

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Munson, Jacob
In this case snobbery is a one way street. Like most IT folks who most often use Windows servers, we also have a number of Linux or 'nix based servers. I like them. I put them to good use and I have good things to say about them. But that sort of practical charity is not usually

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Dave Watts
I'd agree that most Linux guys avoid Windows for server stuff, and some even for desktop stuff. But I'd have to disagree that it's a one way street. Almost all of the Microsoft fans I know are strict Microsoft users. There are exceptions (like you and a couple of guys I know), but like

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Dave Watts
Anything that uses Windows Authentication requires additional privileges to impersonate users. Like IIS: it may change its credentials to some other user, but the initial parsing of the request line is done under highly privileged account. Yes, that's absolutely correct of course. In a

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Munson, Jacob
Maybe the problem is that you're talking to Microsoft fans, whoever they are. Most users of Windows, or almost any other product for that matter, aren't fans - they may be satisfied customers, but they're not fanatic about their choices. Microsoft fans is just my personal term for

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Eric Roberts
security hole at Crystaltech? Maybe the problem is that you're talking to Microsoft fans, whoever they are. Most users of Windows, or almost any other product for that matter, aren't fans - they may be satisfied customers, but they're not fanatic about their choices. Microsoft fans is just

RE: Big SQL security hole at Crystaltech?

2006-05-09 Thread Dawson, Michael
Well, when Novell creates Novell Flight Simulator, I'll drop Windows. But, I ain't no fanatic! -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 09, 2006 4:48 PM To: CF-Talk Subject: RE: Big SQL security hole at Crystaltech? I'd agree that most Linux guys

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Aaron Rouse
I work in a rather big cube farm and the hall next to mine is full of a bunch of diehard linux people. The company is switching to windows for their software package due to numerous requests from the clients. That switch is causing a lot of those guys to look for new jobs because they are just

Re: Big SQL security hole at Crystaltech?

2006-05-09 Thread Casey Dougall
I love Linux, Build Studio MX 2040 on Linux and I'd switch. As for the MS SQL database stuff. No, you shouldn't be able to see the tables. Yes you will most likely see the databases if you use MS Studio Express. Of course being from a Microsoft site, you must take this with a grain of salt but

Big SQL security hole at Crystaltech?

2006-05-08 Thread Matt Robertson
After signing onto a new client's SQL Server account, first on one dedicated server and then another, I found I could not only see several other databases belonging to other customers... I could click on the Tables tab and see all of their tables. Taking it a step further, I could double-click

RE: Big SQL security hole at Crystaltech?

2006-05-08 Thread Munson, Jacob
We've had this conversation on this list before, and yes what you saw is true. If I remember right, it's a weakness of SQL Server, not CrystalTech. Well, except for the fact that Crystaltech allows remote connections using EM (a lot of hosts don't allow this). I also think someone posted a

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread Crow T. Robot
Yikes! This is true for my accounts also. Let us know what happens. Matt Robertson wrote: After signing onto a new client's SQL Server account, first on one dedicated server and then another, I found I could not only see several other databases belonging to other customers... I could click

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread Bryan Stevenson
Yes this can be solved (don't ask me how though)...and yes that is a pretty SERIOUS screw-up on their part. The ISP I use does show you all other DBs on the shared server, but you cannot connect to any of them...so no seeing the tables and so on...just DB names...so it is doable. Cheers

RE: Big SQL security hole at Crystaltech?

2006-05-08 Thread Dave Watts
We've had this conversation on this list before, and yes what you saw is true. If I remember right, it's a weakness of SQL Server, not CrystalTech. Well, except for the fact that Crystaltech allows remote connections using EM (a lot of hosts don't allow this). I also think someone

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread Jeff Fleitz
I have a client who uses Intermedia.net, and that is the way it works for them. You can see the other databases in the EM, but can't access the objects. I don't think this is entirely correct. You should be able to see a list of other databases by default, but you should not be able to see

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread Matt Robertson
Dave Watts wrote: This would require that their DBA revoke the public group role throughout the server, if I recall correctly. When it comes to MSSQL and EM I am strictly a user. Don't know much about the server's care and feeding. With that out of the way: Are there any sort of consequences

RE: Big SQL security hole at Crystaltech?

2006-05-08 Thread Snake
to change this behaviour, but CT obviously don't know about that, and it has been known to cause other issues if you do it anyway. -- Snake -Original Message- From: Matt Robertson [mailto:[EMAIL PROTECTED] Sent: 08 May 2006 17:58 To: CF-Talk Subject: Big SQL security hole at Crystaltech? After

RE: Big SQL security hole at Crystaltech?

2006-05-08 Thread Dave Watts
When it comes to MSSQL and EM I am strictly a user. Don't know much about the server's care and feeding. With that out of the way: Are there any sort of consequences to doing this that might make them not want to perform that action? I certainly don't miss not having this

RE: Big SQL security hole at Crystaltech?

2006-05-08 Thread Snake
to unsecure tags without a security sandbox No CreateObject (java) You get what you pay for at the end of the day. -- Russ -Original Message- From: Bryan Stevenson [mailto:[EMAIL PROTECTED] Sent: 08 May 2006 18:14 To: CF-Talk Subject: Re: Big SQL security hole at Crystaltech? Yes this can

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread Jochem van Dieten
Matt Robertson wrote: Before I completely blow a gasket I wanted to confirm this is as big of a screwup as I think it is. There is an easy fix for this right? The fix should be under REVOKE in the manual. Jochem

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread Matt Robertson
Dave Watts wrote: that's probably not the worst thing going on in a shared hosting environment. Agreed. Luckily these are both dedicated servers. Only the SQL server component is shared. I was already lobbying for a dedicated box with MSDE/SQL Express running on it.

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread Rey Bango
Robertson [mailto:[EMAIL PROTECTED] Sent: 08 May 2006 17:58 To: CF-Talk Subject: Big SQL security hole at Crystaltech? After signing onto a new client's SQL Server account, first on one dedicated server and then another, I found I could not only see several other databases belonging

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread Stephen Hait
I think this occurs when databases have a user with the name of guest. Databases without a user named guest should not have their objects or even their database names exposed. If you have a user in your database named guest, delete that user and your database should not be visible to others thru

RE: Big SQL security hole at Crystaltech?

2006-05-08 Thread Snake
Message- From: Matt Robertson [mailto:[EMAIL PROTECTED] Sent: 08 May 2006 17:58 To: CF-Talk Subject: Big SQL security hole at Crystaltech? After signing onto a new client's SQL Server account, first on one dedicated server and then another, I found I could not only see several other

RE: Big SQL security hole at Crystaltech?

2006-05-08 Thread Snake
: Big SQL security hole at Crystaltech? I think this occurs when databases have a user with the name of guest. Databases without a user named guest should not have their objects or even their database names exposed. If you have a user in your database named guest, delete that user and your database

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread Bryan Stevenson
Well as I have all our servers locked down I can't actually check to see how far you can get with the default configuration. I know you can see everyone else's databases, and I'm sure you can also open the database and view the tables. Just because you cannot do this at CFD, does not mean it

RE: Big SQL security hole at Crystaltech?

2006-05-08 Thread Joel
Subject: RE: Big SQL security hole at Crystaltech? It is nothing to do with guest user, databases do not have this by default, as stated, this is the known default behaviour of SQL server and EM and Microsoft released a stored proc to update the master table to stop users seeing other users' DBs. You can

Re: Big SQL security hole at Crystaltech?

2006-05-08 Thread James Holmes
With sandboxing and no cfobject (java) tag, this can be done with reasonable safety. On 5/9/06, Bryan Stevenson [EMAIL PROTECTED] wrote: Especially as a lot of clients put their username/password into the DSN, which means everyone else on the server can get into their database anyway