Comments on: Adobe security hotfix for ColdFusion 7.0.2 / 8.0.0 / 8.0.1

By: “it could be bunnies” » Blog Archive » Shared hosting security wishlist

Tue, 06 Jan 2009 20:26:27 +0000

[...] I have posted a number of posts on the state of shared hosting security. Unfortunately we have to conclude [...]

By: Jochem

Jochem — Sun, 30 Nov 2008 20:11:06 +0000

I’ll be publishing a number of articles about shared hosting security shortly. Those articles should provide plenty of examples on how to exploit shared ColdFusion hosting from the inside. I just have to finish the editing and clean up the example code.

By: Sebastiaan

Sebastiaan — Thu, 27 Nov 2008 13:55:25 +0000

So what was your issue with Webstekker? Maybe you can enlighten me off-site (privately via e-mail). I’m VERY happy with Webstekker at the moment.

By: Jochem

Jochem — Sun, 16 Nov 2008 22:09:34 +0000

I find it very hard to believe that IIS suddenly asking for credentials can be related to the hotfix. Just think about how ColdFusion is really an application server that stands alone and runs in its own memory space. Only a very small part is loaded into the webserver, the webserver connector in the wsconfig diectory. The only way IIS is ever going to give a credentials error is if there is a credential problem in that webserver connector part. The hotfix does not alter the connector so it is not the cause of the IIS credentials errors.

Apart from that I have recently helped somebody move away from Webstekker because of the security configuration of their servers. This hotfix is really the least of their problems.

By: Sebastiaan

Sebastiaan — Sun, 16 Nov 2008 18:04:35 +0000

Hi Jochem,

I got our hostingprovider Webstekker to install this hotfix on their webservers (shared hosting) and it jammed up all the CF 8.0.1 installations. Any ideas to why? It suddenly asked for credentials in IIS. Not really related, I know, but CF8 with the hotfix installed all crashed regularly.

By: Josh Adams

Josh Adams — Tue, 11 Nov 2008 21:46:04 +0000

Thanks for your help in identifying and resolving this issue, Jochem!

By: Matt Quackenbush

Matt Quackenbush — Sat, 08 Nov 2008 19:10:33 +0000

@ Jochem- Thanks. That is exactly what I would expect.

By: Jochem

Jochem — Fri, 07 Nov 2008 17:40:38 +0000

All our SQL Server datasource connections work correctly without passwords in every query. That is on CF 8.0.1 Enterprise in multiserver configuration though.

By: Matt Quackenbush

Matt Quackenbush — Fri, 07 Nov 2008 17:16:50 +0000

Jochem,

A user on the Sava forums indicated that installing this patch caused all of his SQL Server connections to now require credentials to be passed with the tag. I can’t fathom that being the intended behavior. I would be interested in your thoughts.

http://www.gosava.com/sava/forum/messages.cfm?threadid=74390482-F355-D392-F9B164567059F345&page=1

Thanks.

By: Jochem

Jochem — Fri, 07 Nov 2008 10:20:22 +0000

Considering the nature of the Sandbox Security issues I have so far personally reported to Adobe I am leaning towards a lack of prying eyes. For the issue described in MPSB01-11 the engineers told me I was probably the only one in the world using the combination of features that caused the issue.