>At the moment, if you use GetPageContext().include() on a JSP on my
>SmarterLinux server you get a null pointer exception.
>
>Regardless, 2 is the case and the code will run in the CF security
>context of the calling page. The CF sandboxing takes over in this case.
>Anyone can verify this on their dev server (as I have just done).
Since the server is sandboxed this is perfectly acceptable.
-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Saturday, 4 June 2005 3:11
To: CF-Talk
Subject: RE: Shared CF Host security
>> "We actually run two J2EE environments - JRun and Resin.
>> While JRun does handle the Java processing for ColdFusion,
>> Resin handles the requests for JSP pages and servlets.
>
>What happens if you use getPageContext.include() from within a CFML page to
>invoke a JSP page directly?
>
Good
Ok somehow I doubled the thread and made two. Sorry!
> > I thought I posted this the other day, but it didn't update for some
> reason. Here it is again:
>
Jochem,
Can you email me offlist with what you're interested in? [EMAIL PROTECTED]
Thanks!
>
> > So, security in a shared hosting environment isn't exactly a myth,
> it just takes a little more work and flexibility. If anyone needs a
> more technical explanation of what we did, please let
James,
Can you send me an email ([EMAIL PROTECTED]) with your domain name? I'll
check on your server and see if it's misbehaving, and if so get it locked down
by the end of the day.
>Well, this isn't the case on my SmarterLinux server. I can still browse,
>download and view every file on th
> I thought I posted this the other day, but it didn't update for some reason.
> Here it is again:
Never let it be said that HostMySite.com doesn't listen to its customers.
After much work we've been able to find a fix for the security issue that
allows safe execution of JSP and CF.
On our
From: "James Holmes" <[EMAIL PROTECTED]>
Sent: Thursday, June 02, 2005 11:01 PM
To: CF-Talk
Subject: RE: Shared CF Host security
Well, this isn't the case on my SmarterLinux server. I can still browse,
download and view every file on the server using JSP.
-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 June 2005 6:06
To: CF-Talk
Subject: Re: Shared CF Host security
Don'
Robertson [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 June 2005 7:04
To: CF-Talk
Subject: Re: Shared CF Host security
Thanks for the post, Jamie. I actually have a SmarterLinux hosting acct
with you guys that runs my last-ditch server monitor for my dedicated
boxes. Not exactly top secret code bu
;contains real lemon juice"
figures @%*((&%
From: Matt Robertson <[EMAIL PROTECTED]>
Sent: Thursday, June 02, 2005 7:06 PM
To: CF-Talk
Subject: Re: Shared CF Host security
Thanks for the post, Jamie. I actually have a SmarterLinux hosting
acct with you guys that runs my last-ditch server monitor for my
dedicated boxes. Not exactly top secret code but it's nice to see you
guys make this effort, especially given how rare such effort is these
days.
--
--mattRobertson
> "We actually run two J2EE environments - JRun and Resin.
> While JRun does handle the Java processing for ColdFusion,
> Resin handles the requests for JSP pages and servlets.
What happens if you use getPageContext.include() from within a CFML page to
invoke a JSP page directly?
Dave Watts, C
Jamie Price wrote:
>
> "We actually run two J2EE environments - JRun and Resin. While JRun does
> handle the Java processing for ColdFusion, Resin handles the requests for JSP
> pages and servlets.
>
> Java implements a security policy system that can prevent access. We have
> implemented se
> Don't ever let it be said that we don't listen to the voices of our
> clients. :-)
and Jamie you are from what company?? ;-)
Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL
Don't ever let it be said that we don't listen to the voices of our clients.
:-) We've implemented a fix for this security issue that spans all of our
Linux servers running ColdFusion. Here's a synopsis from one of the techs
involved in implementing the change:
"We actually run two J2EE envi
> At this point I might make a suggestion that you completely
> delete this thread before it gets googled.
> We know about the problem and a solution is being
> vigorously sought after but I see no point in having every
> hacker online alerted to this until a solution is found.
>
> IMO, rem
Excellent idea Dave
-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 6:07 PM
To: CF-Talk
Subject: RE: Shared CF Host security
Mike D.
At this point I might make a suggestion that you completely delete this
thread before it gets googled.
We know
this thread will only benefit us all.
~Dave the disruptor~
From: Jamie Price <[EMAIL PROTECTED]>
Sent: Thursday, May 19, 2005 4:04 PM
To: CF-Talk
Subject: RE: Shared CF Host security
I'm trying to test one of the scripts provided to my b
forget I said that - I figured it out. :-)
I'm trying to test one of the scripts provided to me by Dave in a Windows
environ but I'm getting this error:
500 Translator.WrongCase/buddman/jspbrowser/browser.jspbrowser.jspBrowser.jsp
Can anyone tell me how to make th
> You could delete the JIntegra directory from the harddisk,
> presumably that disables COM too :)
Actually, I'm not sure that would disable COM from CF. The stuff in that
directory consists mainly of helper and diagnostic applications. I suspect
you'd have to delete the jintegra.jar file within
>>
>> You will want to disable Java and COM. With CF 6.1 that means you
>> need to disable all object access, with CF 7 you can disable just
>> Java and COM.
>>
Are you referring to simply disabling the createobject(Java) and
createobject(COM) CFML functions?
It's not that bad - you can still instantiate a CFC by using CFINVOKE on
a component that returns THIS. You just lose Java and COM.
-Original Message-
From: Calvin Ward [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 6:43
To: CF-Talk
Subject: Re: Shared CF Host security
The
Andy Allan wrote:
> On 5/19/05, Jochem van Dieten <[EMAIL PROTECTED]> wrote:
>>
>> You will want to disable Java and COM. With CF 6.1 that means you
>> need to disable all object access, with CF 7 you can disable just
>> Java and COM.
>
> There is currently a bug in CFMX7 sandboxing in that if yo
ccount directory. If
> you can provide some servers with this config (secure hosting servers)
> and others with the more relaxed JSP option, you take care of both sets
> of needs and I stop whining like a child.
>
>
> -Original Message-
> From: Jamie Price [mailto:
I would definitely entertain using sandbox security to limit the database
access, I trust that you're already using it to limit cffile access?
On 5/18/05 10:10 PM, "Jamie Price" <[EMAIL PROTECTED]> wrote:
>> At this point in the discussion I'd like to invite anyone who knows of a
>> shared host
Ah sweet UNIX - no worry about COM, sandbox or not.
-Original Message-
From: Andy Allan [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 4:33
To: CF-Talk
Subject: Re: Shared CF Host security
On 5/19/05, Jochem van Dieten <[EMAIL PROTECTED]> wrote:
>
> You will want to disable Java and COM. With CF 6.1 that means you
> need to disable all object access, with CF 7 you can disable just
> Java and COM.
>
>
There is currently a bug in CFMX7 sandboxing in that if you disable
COM it also
security for users and allows CF to
continue to run. I suspect that this will be as hard to maintain as
other solutions, but if you can do it then great.
-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 12:35
To: CF-Talk
Subject: RE: Shared CF Host
Jamie Price wrote:
>
> CFObject is insecure in v5.0
Correct.
> but with the advent of sandboxes I believe it was deemed safe in MX versions.
> If you believe I'm mistaken on that point please let me know.
I believe you are mistaken. If you allow cfobject, users can
enumerate applications an
>
>But with JSP enabled I am broadcasting my username and password to
>everyone on the server, as they can read my code.
>
Right - I was just trying to clarify that there were two separate issues at
hand there. The JSP one is definitely an issue; datasources on the other hand
run more to per
I have to say I've had great luck with serverbeach - myself and a few
others chipped in and got ourselves a fairly high-end server at an end
cost to me of under $50/month.
Only catch was that we had to cough up for software licenses.
On 5/18/05, Damien McKenna <[EMAIL PROTECTED]> wrote:
> You mig
ers)
and others with the more relaxed JSP option, you take care of both sets
of needs and I stop whining like a child.
-Original Message-
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 10:11
To: CF-Talk
Subject: RE: Shared CF Host security
>At this point in the discussion I'd like to invite anyone who knows of a
>shared host WITH A CLUE to give us all their details...
Dave alerted me to this thread and the problem with CFMX + JSP just today, so
I'm going to be investigating this as well on the HMS end. I can tell you that
the i
At this point in the discussion I'd like to invite anyone who knows of a
shared host WITH A CLUE to give us all their details...
From: dave [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 9:25
To: CF-Talk
Subject: RE: Shared CF Host security
I would imagine that they should be using a separate instance of jsp and
not cfm's jsp for those on jsp.
That makes no sense huh?? haha
~Dav
5 9:22 PM
To: CF-Talk
Subject: RE: Shared CF Host security
Yep, I sent that article to HMS and their response was "Disabling JSP is
not an option". Fantastic, basic security is not an option.
-Original Message-
From: Joel Nath [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 200
8 May 2005 11:21
To: CF-Talk
Subject: Re: Shared CF Host security
>>everyone on the server can read the code so I'm
>>screwed no matter what I do.
Do you mean any other customer on the same host?
You don't even have a protected area with FTP access?
I would say this
to see someone who has their own box to try it and see.
~Dave the disruptor~
From: Tim Laureska <[EMAIL PROTECTED]>
Sent: Wednesday, May 18, 2005 7:12 PM
To: CF-Talk
Subject: RE: Shared CF Host security
Dave... is the only way to beat this is get a dedicated box?... at least
if your with CT or HMS
Tim
-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 6:54 PM
To: CF-Talk
Subject: Re: Shared CF Host security
I got $10 that says its the same on your server Claude.
~Dave the disruptor~
From: Claude Schneegans <[EMAIL PROTECTED]>
Sent: Wednesday, May 18, 2005 5:28 PM
To: CF-Talk
Subject: Re: Shared CF Host security
>>everyone on the server can read the code so I'm
>>screwed no matter what I do.
Do you mean any other customer on the same host?
You don't even have a protected area with FTP access?
I would say this is not even a host, this is like sleeping in the street.
Connie DeCinko wrote:
> Serverbeach is a spammers haven.
They were such a nuisance there is a separate DSBL dedicated
exclusively to Serverbeach: serverbeach.blackholes.us
Verifying the position of an ISP / hoster on spam is very
important if you care about your email reaching the recipient.
Serverbeach is a spammers haven.
-Original Message-
From: Damien McKenna [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 11:33 AM
To: CF-Talk
Subject: RE: Shared CF Host security
You might as well look at other companies too, if you start looking at
dedicated servers:
http://www.serverbeach.com/
http://www.ev1servers.net/
Etc.
--
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include
> -Original
Speaking of CrystalTech, they have Windows *servers* for $80 monthly.
Anyone taken one of those on? Seems like a perfect mail server, and
if you add in BD instead and just don't use the mail server software
they give to you (which is good stuff BTW), it's a cheapie CF server,
if your code can stom
G
> meetings.
>
>
> -Original Message-
> From: Tim Laureska [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 18, 2005 8:54 AM
> To: CF-Talk
> Subject: RE: Shared CF Host security
>
> Time for a dedicated box?
>
>
>
>
>
Time for a dedicated box?
-Original Message-
From: Connie DeCinko [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 11:34 AM
To: CF-Talk
Subject: RE: Shared CF Host security
All of my attempts with CT have fallen on deaf ears. They just keep
repeating that they checked all the
And I thought HMS was the end-all, beat-all of shared hosting??? Is that
smoke I smell behind me?
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 2:56 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Two of us have approached HMS so
EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 11:28
To: CF-Talk
Subject: Re: Shared CF Host security
Forget VPS? What could possibly make you say that?
VPS Accounts are *awesome*. VPS is the kind of hosting that I would want
as a developer if we didn't already offer it ourselves. And with prices
s
General laziness I guess, since that's what I'm experiencing right
now...
-Original Message-
From: Connie DeCinko [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 11:30
To: CF-Talk
Subject: RE: Shared CF Host security
Why would you not implement sandboxing? Seems ther
TED]
Sent: Wednesday, May 18, 2005 2:39 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Has anyone approached Crystaltech or Host My Site directly about this
problem?
Why would you not implement sandboxing? Seems there would be NO reason for
a hosting provider to not use it.
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 1:10 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Quite right, with
Forget VPS? What could possibly make you say that?
VPS Accounts are *awesome*. VPS is the kind of hosting that I would want
as a developer if we didn't already offer it ourselves. And with prices
starting at $18 per month (the same price as most starter shared hosting
accounts) and the absolute
Very comforting ... I'm sure CT would have a similar response maybe
its time to get a dedicated box
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 5:56 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Two of us have approached HMS so far and I got the usual rubbish about
"it's shared hosting so tough." They aren't going to fix it.
-Original Message-
From: Tim Laureska [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 5:39
To: CF-Talk
Subject: RE: Shared C
Has anyone approached Crystaltech or Host My Site directly about this
problem?
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 18, 2005 4:10 AM
To: CF-Talk
Subject: RE: Shared CF Host security
Quite right, with properly configured local accounts and
-Talk
Subject: Re: Shared CF Host security
James Holmes wrote:
>
> A reasonable attempt at security would entail disabling JSP, disabling
> CFOBJECT/createObject() and sandboxing datasources and files.
Or just sandboxing files and not setting datasource passwords in
the administrator.
Jochem
Sent: Wednesday, 18 May 2005 1:07
To: CF-Talk
Subject: Re: Shared CF Host security
So what exactly is the security issue? Username/password set in the
datasource? Full access to the file system?
- Original Message -
From: "James Holmes" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Tuesday, May 17, 2005 10:29 PM
Subject: RE: Shared CF Hos
r any wrapping in the url)
-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 10:51
To: CF-Talk
Subject: Re: Shared CF Host security
Try what Dave? You have an example? I'd be glad to.
Rey...
dave wrote:
> you wanna try this on your host and see what happens?
No need for apologies - I wouldn't have believed a host could be so lazy
either. I am wrong occasionally, you know (just not this time :-)
-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 11:04
To: CF-Talk
Subject: Re: Shared CF Host security
btw~
I was wrong on this thread and publicly I would like to apologize to James
for thinking he was being wacko :)
But again, if my "disruptor" wouldn't have gone off this might have gotten
passed over.
Again, James I'm sorry I doubted you and will never do so again ;)~
~Dave the disrupto
sent off list
~Dave the disruptor~
From: Rey Bango <[EMAIL PROTECTED]>
Sent: Tuesday, May 17, 2005 10:51 PM
To: CF-Talk
Subject: Re: Shared CF Host security
Try what Dave? You have an example? I'd be glad to.
Rey...
dave wrote:
> you
17, 2005 10:34 PM
> To: CF-Talk
> Subject: Re: Shared CF Host security
>
> I guess I'm trying to understand how your host can be so sloppy. I don't
> recall ever being on a shared hosting environment that had that problem.
>
> Forget VPS, get yourself a new host.
>
you wanna try this on your host and see what happens?
~Dave the disruptor~
From: Rey Bango <[EMAIL PROTECTED]>
Sent: Tuesday, May 17, 2005 10:34 PM
To: CF-Talk
Subject: Re: Shared CF Host security
I guess I'm trying to understand how your
I guess I'm trying to understand how your host can be so sloppy. I don't
recall ever being on a shared hosting environment that had that problem.
Forget VPS, get yourself a new host.
Rey..
James Holmes wrote:
> While security can never be perfect in a shared hosting environment, am
> I expectin
Since the host is HostMySite (Smarterlinux actually, but same deal) I
would have expected more, but I'm inclined to agree with you.
-Original Message-
From: Joe Rinehart [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 10:28
To: CF-Talk
Subject: Re: Shared CF Host security
Yes, that's my problem - everyone on the server can read the code so I'm
screwed no matter what I do.
-Original Message-
From: dave [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 9:45
To: CF-Talk
Subject: Re: Shared CF Host security
that wouldn't work because you can see the tags
~Dave the disruptor~
From: Joe Rinehart <[EMAIL PROTECTED]>
Sent: Tuesday, May 17, 2005 9:37 PM
To: CF-Talk
Subject: Re: Shared CF Host security
Aye, good advice.
Having used a shared host, I'
have shared hosting, you're not paying for security or safety, and any that
you get is simply a happy coincidence."
Ain't that the truth.
-Original Message-
From: Joe Rinehart [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 9:14
To: CF-Talk
Subject: Re: Shared
Hi James,
There was a lengthy thread about this a few weeks ago; the archive has it at:
http://www.houseoffusion.com/cf_lists/messages.cfm/forumid:4/threadid:39776
Have a good one,
Joe
On 5/17/05, James Holmes <[EMAIL PROTECTED]> wrote:
> While security can never be perfect in a shared hostin