Macromedia Security Zone Bulletin [MPSB04-10]
Macromedia recently posted a security bulletin for CFMX. It was issued in response to a privilege escalation vulnerability, and it recommends that the CFOBJECT tag and the CreateObject function be secured in a shared or untrusted developer environment.
Mach-II is dependent on the CreateObject function so locking it down will break it. Fortunately, the hosting provider where mach-ii.info is hosted uses CFMX Enterprise. With CFMX Enterprise, sandbox security can be implemented and the vulnerability is not an issue.
Anyone run into issues where their hosting provider locks down CreateObject and breaks Mach-II?

2 Comments:
Could you explain how sandbox security solves this problem please?
Sandbox security allows you to define a "sandbox" for each site that only has access to certain resources. Typically, a site would only be given access to files under the site root. Any attempts to access files outside the root, say in the CFMX directory, would be disallowed. There's actually a good article about sandbox security in this month's ColdFusion Developer's Journal.