CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Oliver Cookson
I know this has been covered before, but have there been any solutions to using CFObject in a shared host without creating a security hazard? Cheers -Original Message- From: Ryan Kime [mailto:[EMAIL PROTECTED] Sent: 03 September 2003 16:36 To: CF-Talk Subject: RE: DWMX 2004 - Whats new for

RE: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Dan Phillips (CFXHosting.com)
VPS - http://www.cfxhosting.com/Plans/s_cfxadvancedVPS.cfm -Original Message- From: Oliver Cookson [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 03, 2003 11:40 AM To: CF-Talk Subject: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? ) I know this has been covered before but has ther

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Jochem van Dieten
Dan Phillips (CFXHosting.com) wrote:
> We let customers use it on our advanced plans. We are running sandbox
> security to prevent any "accidents" ;-)

How does Sandbox Security protect you from accidents with COM objects like the FSO?

Jochem

RE: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Dan Phillips (CFXHosting.com)
1:50 AM To: CF-Talk Subject: Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? ) Dan Phillips (CFXHosting.com) wrote: > We let customers use it on our advanced plans. We are running sandbox > security to prevent any "accidents" ;-) How does Sandbox Security

RE: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Samuel Neff
hart: http://www.blinex.com/products/charting -- > -Original Message- > From: Oliver Cookson [mailto:[EMAIL PROTECTED] > Sent: Wednesday, September 03, 2003 11:40 AM > To: CF-Talk > Subject: CFObject in shared host? (Was: RE: DWMX

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Matt Liotta
Whether cfobject is enabled or not doesn't affect the insecurity of a CFMX installation for shared hosting. For example...

badThing = CreateObject("java", "a.BadThing");
// is the same as...
foo = "";
clazz = foo.getClass();
clazz = clazz.forName("a.badThi

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Jochem van Dieten
Matt Liotta wrote:
> Whether cfobject is enabled or not doesn't affect the insecurity of a
> CFMX installation for shared hosting. For example...
>
> badThing = CreateObject("java", "a.BadThing");
> // is the same as...
> foo = "";
> clazz = foo.getClass();
> claz

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Doug White
you are not satisfied with my service, my job isn't done! - Original Message - From: "Matt Liotta" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Wednesday, September 03, 2003 11:12 AM Subject: Re: CFObject in shared host? (Was: RE: DWMX 2

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Matt Liotta
I have been able to successfully create a trojan that can be invoked only using Java reflection such as below and easily installed into a CFMX instance.

-Matt

On Wednesday, September 3, 2003, at 12:35 PM, Jochem van Dieten wrote:
> Matt Liotta wrote:
>> Whether cfobject is enabled or not doesn

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread ksuh
TECTED]> Date: Wednesday, September 3, 2003 10:40 am Subject: Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? ) > Probably correct, but any shared hosting provider would probably > immediately close your account upon the appearance of code such as > that - All of them d

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Jochem van Dieten
Matt Liotta wrote:
> I have been able to successfully create a trojan that can be invoked
> only using Java reflection such as below and easily installed into a
> CFMX instance.

You mean as in uploaded a .jar and added it to the class path etc? Wouldn't that require write permissions to the JVM

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Matt Liotta
CFMX is more than happy to give you permission to change the classpath it uses. Matt Liotta President & CEO Montara Software, Inc. http://www.MontaraSoftware.com (888) 408-0900 x901

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Jochem van Dieten
[EMAIL PROTECTED] wrote:
> An unscrupulous person could easily reformat a server's hard drive, kill databases,
> plant viruses, and do all sorts of nasty things way before anybody at the hosting
> company would even have a clue about what's going on.

Not unless you are running CF as root/system

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Jochem van Dieten
Matt Liotta wrote:
> CFMX is more than happy to give you permission to change the classpath
> it uses.

That is not my experience. If the CF MX base directory is configured to be read-only, CF MX will not write there. But with the current bug in the way sandboxes are inherited to lower director

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Matt Liotta
If you remove CFMX's ability to change the classpath then you would also remove my ability to change it. However, that is not the general configuration used by hosting companies. Matt Liotta President & CEO Montara Software, Inc. http://www.MontaraSoftware.com (888) 408-0900 x901

Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Doug White
lk" <[EMAIL PROTECTED]> Sent: Wednesday, September 03, 2003 11:53 AM Subject: Re: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? ) | An unscrupulous person could easily reformat a server's hard drive, kill databases, plant viruses, and do all sorts of nasty thi

RE: CFObject in shared host? (Was: RE: DWMX 2004 - Whats new for us? )

2003-09-03 Thread Samuel Neff
File system access is not required for there to be a vulnerability. You can do things like grab sessions from other applications running on the same server and modify the sessions. Anyone running an e-commerce app on a shared host and using session variables is susceptible to tampering by someone