[analog-help] Execution via webpage question.
Jeremy Wadsack
jeremy at 7simplemachines.com
Fri Mar 23 15:05:42 PST 2007
Henry -
Based on your responses to some of our questions I would strongly recommend that you wrangle a couple minutes from one of your IT guys to review your CF code for security concerns. Any time you run an executable on a server driven by a public web page you create all kinds of potential security issues. For example, allowing the user to determine the filename may allow a nefarious user to overwrite files on your server.
--
Jeremy Wadsack
Seven Simple Machines
> -----Original Message-----
> From: analog-help-bounces at lists.meer.net [mailto:analog-help-bounces at lists.meer.net] On Behalf Of Henry Silvia
> Sent: Friday, March 23, 2007 11:11 AM
> To: Support for analog web log analyzer
> Subject: RE: [analog-help] Execution via webpage question.
>
> Aengus,
>
> Thank you for your insight - I believe we came to the same conclusion. I've
> gotten it to work! I think the issue was that my CFG writer was not
> including the entire physical path to the LOG folders... When executed
> "locally" analog.exe looked in its parent folder for the log folders, but
> when executed remotely (from the BIN folder of CF, where cfexecute sends
> commands from) it couldn't find the logs. It appears this had nothing to do
> with permissions. Thanks again!!
>
> Henry
>
> -----Original Message-----
> From: analog-help-bounces at lists.meer.net
> [mailto:analog-help-bounces at lists.meer.net]On Behalf Of Aengus
> Sent: Friday, March 23, 2007 1:41 PM
> To: Support for analog web log analyzer
> Subject: Re: [analog-help] Execution via webpage question.
>
>
> Henry Silvia <hgs at visualspectrum.com> wrote:
> > Aengus,
> >
> > The only parameters I allow the user to alter in the CFG re-write are
> > Reportname (report.html) So they can create various reports to save
> > as HTML pages, and the to and from dates for range. CFEXECUTE is
> > simply sending the server a START command on the named file (with the
> > credentials the CFServer lives in as an installed app, I assume).
> >
> > Considering that the manual launching of the analog.exe OR the run.bat
> > (start analog.exe) seems to execute just fine regardless of log
> > amount or size, I am left to wonder about the permission issues. I
> > have investigated adding a "RunAs" command into my BAT file, but it
> > responds to the webpage "Password?"
>
> Okay, if you're seeing "Password?" show up in your browser, then
> CFEXECUTE is capturing STDOUT, and redirecting it back to the browser.
> I'd suggest that you rem the OUTFILE command from your analog.cfg and
> see what you get back.
>
> > and I have yet to find the proper
> > syntax for including it in the command. My thought was if I could
> > "RunAs" the admin (as I am when I click the analog.exe) it would
> > execute the same way. I will look into the PL file now and see if
> > there are more access issues.
>
> Don't start chasing down access issues unless you know where to look -
> you'll be at it forever. Using RunAS isn't going to be very helpful, as
> you've already got the process running under IUsr.
>
> I'm reasonably certain that Analog will exit if it can't access a file,
> it won't hang about trying to get access. So I don't think you're
> dealing with an access issue.
>
> I'd suggest that you try a very simple "Hello World!" test. Create a
> batch file that just echoes "Hello World!". If that works, modify it to
> do DIR C:\Analog /S (or wherever you have installed Analog). Then
> modify it again to ECHO some text into a file in that directory, and
> then type that file. That will tell you whether you have access issues
> in that directory.
>
> You should also add ERRFILE to your analog.cfg, to see if it turns up
> anything useful.
>
> Aengus
>
>
>
> +------------------------------------------------------------------------
> | TO UNSUBSCRIBE from this list:
> | http://lists.meer.net/mailman/listinfo/analog-help
> |
> | Analog Documentation: http://analog.cx/docs/Readme.html
> | List archives: http://www.analog.cx/docs/mailing.html#listarchives
> | Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
> +------------------------------------------------------------------------
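
The filename concern raised at the top of this thread, as an added example that is not part of the original messages: an allowlist check for the user-supplied report name before it is written to the OUTFILE line of analog.cfg. It is shown in Python rather than the poster's ColdFusion, and the report folder, function names and 64-character limit are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption (not from the thread): all reports go to one dedicated folder.
REPORT_DIR = PureWindowsPath(r"C:\Analog\reports")

# Allowlist: letters, digits, '_' or '-', then ".html". This excludes path
# separators, drive letters, "..", spaces and line breaks. A line break matters
# because the value is written into analog.cfg, where it would start a new command.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.html")

# Windows device names pass the allowlist but must never be used as file names.
RESERVED = {"con", "prn", "aux", "nul"} | {
    f"{dev}{n}" for dev in ("com", "lpt") for n in range(1, 10)
}


def outfile_line(report_name):
    """Return the OUTFILE line for analog.cfg, or raise ValueError."""
    if not isinstance(report_name, str) or not NAME_RE.fullmatch(report_name):
        raise ValueError("report name must be [A-Za-z0-9_-]{1,64}.html")
    if report_name[:-5].lower() in RESERVED:
        raise ValueError("report name is a reserved device name")
    target = REPORT_DIR / report_name
    # Defence in depth: the joined path must sit directly inside REPORT_DIR.
    if target.parent != REPORT_DIR:
        raise ValueError("report path leaves the report folder")
    return f"OUTFILE {target}"


def is_safe_report_name(report_name):
    """True when outfile_line() accepts the name."""
    try:
        outfile_line(report_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for name in ["march.html", r"..\..\wwwroot\index.html", r"C:\boot.ini",
                 "r.html\nOUTFILE x.html", "nul.html", "report.cfm"]:
        print(repr(name), "->", "ok" if is_safe_report_name(name) else "rejected")
```

With this check the only files a web user can cause to be written are `.html` files in the report folder, so an existing report of the same name can still be replaced.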