|
|
|
|
| |
When ColdFusion Advanced Security Sandbox (type=Operating System) is configured, processes created with <CFEXECUTE> do not inherit the Sandbox security context. Instead <CFEXECUTE> executes with the security context of the ColdFusion Service. This is the "System" account by default.
Web Hosting providers, particularly, are advised to disable the <CFEXECUTE> tag if they rely on Sandbox Security to restrict users' access based on Windows NT Domain accounts.
User-written programs which can be executed via <CFOBJECT> or user-written CFX extensions may be vulnerable if they call the Windows CreateProcess() function. Developers should be aware that this function could allow users to escape the confines of Sandbox security. The <CFOBJECT> tag can also be disabled in ColdFusion Administrator. |
| |
Credit:
The information has been provided by Macromedia Security Alert.
|
| |
Affected software versions:
* ColdFusion 4.5 Enterprise Edition on Windows
* ColdFusion 5 Enterprise Edition on Windows
The Windows CreateProcess() function, which is used by , does not retain the "impersonation token" used to implement OS type Sandbox Security
Please reference the following Microsoft article:
* Q111545 - Security Context of Child Processes
What macromedia is doing:
Macromedia has published this bulletin, notifying customers of the problem
What customers should do:
Macromedia encourages customers who use Security Sandbox to consider disabling the <CFEXECUTE> tag, and to review any user-written software accessed via the <CFOBJECT> as well as their installed CFX extensions.
Please note: As always, customers should test changes in a testing environment before modifying production servers.
|
|
|
|
|
|
|
|
|
|
