Bugtraq mailing list archives

RE: New Cold Fusion vulnerability


From: "Giovannetti, Mark" <Mark.Giovannetti () CCRS NRCan gc ca>
Date: Thu, 12 Jul 2001 16:23:26 -0400




Maybe we are just paranoid, but since Allaire/Macromedia just released 
version 5 which is not vulnerable, is this just a ploy to get people to 
upgrade? This and the fact that there is a 3-8% performance degradation 
when you install the patch makes me want to know more about this. Also, 
if you are using NT4 and IIS, the patch breaks your server if you don't 
install MSVCRT 6.0 runtime files beforehand, so be careful.

Anyone have any further info?

JF Prieur

I'd just like to mention that if you have your IIS server locked
down such that the IUSR_machine account has no access
(explicit deny) to %systemroot%\system32\  you'll run
into an authentication problem.

You'll have to grant read access to the file MSVCP60.dll
for the IUSR_machine account and may have to grant a
similar permission to ISCF.dll in your cfusion\bin directory.

For those of you who still allow the use of the Everyone group
on your machines or do not use explicit deny ACLs for the 
IUSR_machine account, this will not be an issue.

I'd also like to state that I wasn't impressed with the often
urged "upgrade to v5.0" to fix the problem and how "nice" it
was of them to supply fixes for three previous releases. 
Like they're doing us a huge favour.  I would certainly like
to know more details.


Mark Giovannetti
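The ACL check described in the reply above, as an added example that is not part of the original thread and not Allaire's own instructions. It is written in PowerShell (on the NT4 hosts discussed in 2001 the same work would have been done with cacls.exe); the IUSR account name and the C:\CFUSION\bin path are assumptions, since the post gives only "IUSR_machine" and "cfusion\bin". It reports whether the anonymous IIS account is blocked from the two DLLs by a Deny inherited from %systemroot%\system32 and, with -Fix, adds an explicit file-level Allow, which NTFS orders ahead of inherited ACEs so it wins over the directory Deny.

```powershell
# Added example, not code from the original thread. Checks whether the IIS
# anonymous account can read the two DLLs named in the reply and, with -Fix,
# adds an explicit Allow ACE on each file. The account name and the
# ColdFusion path are assumptions; adjust them for the machine at hand.
param(
    [string]$Account = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",   # assumed IIS anonymous account
    [string]$CfBin   = 'C:\CFUSION\bin',                             # assumed ColdFusion install dir
    [switch]$Fix
)

$ReadData = [System.Security.AccessControl.FileSystemRights]::ReadData
$Files = @(
    (Join-Path $env:SystemRoot 'system32\MSVCP60.dll'),
    (Join-Path $CfBin 'ISCF.dll')
)

function Test-DllReadable {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'missing'; InheritedDeny = $false }
    }
    $acl   = Get-Acl -Path $Path
    $rules = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
    # A Deny placed on %systemroot%\system32 shows up on the file as an inherited Deny ACE.
    $denied  = $rules | Where-Object { $_.AccessControlType -eq 'Deny' -and
                                       (($_.FileSystemRights -band $ReadData) -ne 0) }
    $allowed = $rules | Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
                                       (($_.FileSystemRights -band $ReadData) -ne 0) }
    $explicitDeny  = [bool]($denied | Where-Object { -not $_.IsInherited })
    $inheritedDeny = [bool]($denied | Where-Object { $_.IsInherited })
    # Canonical ACE order is explicit Deny, explicit Allow, then inherited ACEs,
    # so an explicit Allow on the file beats an inherited Deny but not an explicit one.
    $status = if ($explicitDeny) { 'explicit-deny' }
              elseif ($inheritedDeny -and -not $allowed) { 'blocked' }
              elseif ($allowed) { 'explicit-allow' }
              else { 'no-explicit-rule' }
    [pscustomobject]@{ Path = $Path; Status = $status; InheritedDeny = $inheritedDeny }
}

function Grant-DllRead {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # ReadAndExecute rather than plain Read: the loader maps a DLL as an image,
    # which needs execute access on the file as well as read.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($f in $Files) {
    $r = Test-DllReadable -Path $f -Identity $Account
    $r
    if ($Fix -and $r.Status -eq 'blocked') {
        Grant-DllRead -Path $f -Identity $Account
        Test-DllReadable -Path $f -Identity $Account   # should now report explicit-allow
    }
}
```

Run it once without -Fix to see which of the two files report "blocked"; a file reporting "explicit-deny" has a Deny set directly on it, which an added Allow will not override, so that ACE has to be removed by hand instead.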




