ColdFusion Sandbox Security vulnerability

Adobe released a security advisory yesterday and it was reported by yours truely!!

I was quite surprised to find a problem and thought it was just me messing something up with sandboxes and the cfc I was messing with, so I asked Andy Allan to see if he could see what I was doing wrong!

Turns out, for once, I was actually getting it right and that this was a bug. Andy kindly reported it to the powers that be and a fix was included in the 7.0.2 update. If you're using sandboxes and haven't already installed the updater then I would recommend that you do.

UPDATE : On the Scottish CFUG Google Group Alan Williamson asked about the process involved in the security issue. In my absense Andy Allan gave a nice clear explaination of the problem, so rather than rewrite it here's what Andy said :

A sandbox is essentially a "self contained" area on the file structure which a user has access to.

So, in shared hosting which is where your sandboxing would come into play, you could have something like:

c:\www\user1
c:\www\user2
c:\www\user3

You would set up a sandbox for each user allowing them access ONLY to their particular folder.

You can set further restrictions in regards, tags, functions, datasouces, etc as well.

In this particular case - I know, because I verified the issue - CFCs outside the users sandbox could still be called by cfm files within a sandbox. CFM files outside the sandbox could not be called.

TweetBacks
Comments
You're a good man! thank you
# Posted By Alan | 3/13/08 9:39 PM