MPSB03-02 - Using Windows NT Authentication and Windows file permissions
Author: Jesse Houwing
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106712
----- Excess quoted text cut - see Original Post for more -----
If you have the ISAPI filter on, and haven't checked the "file exists"
then your username/password are negated, and all requests to .cfm files
are handled under the ColdFusion MX user context regardless of what you
entered.
----- Excess quoted text cut - see Original Post for more -----
Which normally is the Localsystem account, which will grant CFMX all
access. Running CFMX under a different user isn't as easy as it might
seem. Just changing the usercontext didn't do the trick here, it
requires a bunch of registry/ACL changes too.
----- Excess quoted text cut - see Original Post for more -----
Yes it is.
Jesse
Author: Jesse Houwing
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106711
Jochem van Dieten wrote:
----- Excess quoted text cut - see Original Post for more -----
One does get asked, but any username/pass is accepted (empty too), as
CFMX doesn't do an ACL check, it just accepts the username/pass.
Jesse
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106705
Dave Watts wrote:
----- Excess quoted text cut - see Original Post for more -----
Filters may take over control of a request before authentication, while
extensions are always after authentication.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iisref/html/psdk/asp/isgu744y.asp
> If any Macromedia people want to shed more light on the nature of the IIS
> authentication problem, I'd appreciate it.
I would like to know what event notifications are used by the jrun
filter and what SF_STATUS code it returns.
Jochem
Author: brook
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106676
I don't see that happening. I am still prompted for a u/p. Maybe because
the server does not have Updater 2 installed. I'll doublecheck - thanks.
brook
At 01:12 AM 2/3/2003 +0100, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106675
brook@maracasmedia.com wrote:
> Well, for an administrative tools directory, off the root of a site. If the
> ACL's deny access to the IUSR account, any unauthenticated user is prompted
> to enter their username/password to access the cfm files within that
> directory (or if the files themselves have these ACLs).
It is my understanding that unless you switch on "Check that file
exists" nobody is asked for their u/p.
Jochem
Author: brook
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106673
Well, for an administrative tools directory, off the root of a site. If the
ACL's deny access to the IUSR account, any unauthenticated user is prompted
to enter their username/password to access the cfm files within that
directory (or if the files themselves have these ACLs).
Is that enough security for a password protected directory? An attacker
would still have to guess/brute force the password to gain access to those
files/directories, right?
Brook
At 11:18 PM 2/2/2003 +0100, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106671
brook@maracasmedia.com wrote:
> If the ACL's rules still apply, are they enough to use to restrict access?
Could you elaborate? What do you want to do?
Jochem
Author: brook
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106669
If the ACL's rules still apply, are they enough to use to restrict access?
At 10:42 PM 2/2/2003 +0100, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106666
brook@maracasmedia.com wrote:
> Yikes - that would mean we would have to recode basically every app we have
> ever made that has and web accessible admin directory. Do you think it
> would be safe to use a cold fusion scripted login routine instead of ACL's
> and WIndows Authentication.
If you can write a decent login it should be no problem.
> Does anyone know how this exploit is exploited? What context is the CFM
> template executed under? Is the application.cfm file still executed?
Think of it as a priorities issue. Until CF MX the priority of the IIS
security filter was higher than the priority of CF, so first the IIS
security was checked and then the control was passed on to the CF Service.
Now with CF MX the priority of the filter that intercepts requests for CF MX
and redirects them to CF MX is higher than the priority of the IIS
security filter. So the request is passed on to the CF MX service before
IIS security settings are checked. But it is still a normal request, and
all the normal ACL rules still apply.
Jochem
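The thread turns on one IIS setting: whether the .cfm script mapping has "Check that file exists" enabled, because without it the connector filter takes the request before IIS applies its own authentication. The audit below is an added example, not code from this thread or from Macromedia; it parses IIS 5/6 metabase ScriptMaps entries (the "extension,handler,flags,verbs" string format) and reports which ColdFusion extensions lack the flag. The flag bit values (1 = script engine, 4 = check that file exists) are my reading of the metabase constants, and the handler paths and sample entries are constructed placeholders.

```python
"""Audit IIS 5/6 metabase ScriptMaps entries for the ColdFusion MX mapping.

Added example: checks whether the .cfm/.cfml/.cfc script mappings carry the
"Check that file exists" flag that the MPSB03-02 bulletin relies on.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Metabase ScriptMaps flag bits, as I understand them (assumption, not from the thread).
MD_SCRIPTMAPFLAG_SCRIPT = 1            # "Script engine" checkbox in the IIS MMC
MD_SCRIPTMAPFLAG_CHECK_PATH_INFO = 4   # "Check that file exists" checkbox

CF_EXTENSIONS = (".cfm", ".cfml", ".cfc")


@dataclass(frozen=True)
class ScriptMap:
    extension: str
    handler: str
    flags: int
    verbs: Tuple[str, ...]

    def checks_file_exists(self) -> bool:
        """True when IIS verifies the target file exists before handing off."""
        return bool(self.flags & MD_SCRIPTMAPFLAG_CHECK_PATH_INFO)


def parse_scriptmap(entry: str) -> ScriptMap:
    """Parse one ScriptMaps entry: "<ext>,<handler dll>,<flags>[,<verb>,...]"."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    try:
        flags = int(parts[2])
    except ValueError as exc:
        raise ValueError(f"non-numeric flags in entry: {entry!r}") from exc
    verbs = tuple(v.upper() for v in parts[3:] if v)
    return ScriptMap(parts[0].lower(), parts[1], flags, verbs)


def audit_scriptmaps(entries: Iterable[str],
                     extensions: Tuple[str, ...] = CF_EXTENSIONS) -> Dict[str, bool]:
    """Return {extension: checks_file_exists} for every mapped CF extension.

    An extension that is mapped but missing the flag is the exposed case
    discussed in the thread; an unmapped extension is simply absent.
    """
    result: Dict[str, bool] = {}
    for entry in entries:
        mapping = parse_scriptmap(entry)
        if mapping.extension in extensions:
            result[mapping.extension] = mapping.checks_file_exists()
    return result


def exposed_extensions(entries: Iterable[str]) -> Tuple[str, ...]:
    """Extensions whose mapping lacks "Check that file exists"."""
    return tuple(sorted(ext for ext, ok in audit_scriptmaps(entries).items() if not ok))


# Constructed sample metabase dump; handler path is a placeholder, not a real install.
SAMPLE_SCRIPTMAPS = [
    ".asp,C:\\WINNT\\system32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE",
    ".cfm,C:\\PLACEHOLDER\\wsconfig\\1\\jrun.dll,1,GET,HEAD,POST",     # script engine only
    ".cfml,C:\\PLACEHOLDER\\wsconfig\\1\\jrun.dll,1,GET,HEAD,POST",    # script engine only
    ".cfc,C:\\PLACEHOLDER\\wsconfig\\1\\jrun.dll,5,GET,HEAD,POST",     # 1 | 4: file check on
]

if __name__ == "__main__":
    for ext, ok in audit_scriptmaps(SAMPLE_SCRIPTMAPS).items():
        print(f"{ext:6} check-that-file-exists={'on' if ok else 'OFF'}")
    print("exposed:", exposed_extensions(SAMPLE_SCRIPTMAPS))
```

On a real server the entries would come from the metabase (for example the ScriptMaps property shown by adsutil.vbs on the web site or virtual directory), one string per line. Sites that use SES URLs, as later posts in this thread note, cannot simply switch the flag on, so the audit tells you which mappings need a different control rather than fixing them.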
Author: brook
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106637
Ok Thanks :) I guess my next question is:
Is there any way to use the "check that file exists" setting in IIS while
using SES URL's.
Example: http:www.mysite.com/index.cfm/fuseaction/display/
Brook
At 05:05 AM 2/2/03 +0000, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: mark brinkworth
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106636
Forgot to include another link that may help you
http://www.securitytracker.com/alerts/2003/Jan/1006023.html
Cheers
--- brook@maracasmedia.com wrote: > Hello Weekenders,
----- Excess quoted text cut - see Original Post for more -----
Author: mark brinkworth
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106635
My understanding of this was that anybody could run
the CFM template regardless of their NTFS file
permissions, for that template.
Cheers
--- brook@maracasmedia.com wrote: > Hello Weekenders,
----- Excess quoted text cut - see Original Post for more -----
Author: brook
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:21111#106633
Hello Weekenders,
I'm sure most of you got the MM Security bulletin the other day
(http://www.macromedia.com/security). I am trying to figure out what the
security breach is if the steps outlined in the Security Bulletin are not
taken. It doesn't describe what level of access an attacker could gain
through this exploit. And since we use the SES Url's
(mysite.com/index.cfm/myvar/myvarvalue/), I can not easily implement this
security fix because checking the "check that file exists" box in IIS
causes 404's since, the file name is buried in the query string.
So if anyone can fill me in on the severity of this exploit then I can
appropriately decide if I need to make some serious changes to multiple
sites or find an alternative.
Thanks
Brook Davies
maracasmedia