Anyone not running advanced security on CFMX in a hosting environment isn't
bright.  They couldn't have made it any easier.  At www.HostMySite.com we run
advanced and it works very well.

Neil
----- Original Message -----
From: "Alex Hubner" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Sunday, July 21, 2002 4:13 PM
Subject: Re: CFHTTP, security hole?


> Yea, I've read about this problem with CFPOP somewhere... Spooky!
>
> Anyway, it is more than clear that now CFMX is the choice for hosting
> providers.
>
> Thanks!
> Alex
>
>
> > ---------- Original message -----------
> >
> > From    : Jochem van Dieten <[EMAIL PROTECTED]>
> > To      : CF-Talk <[EMAIL PROTECTED]>
> > Cc      :
> > Date    : Sun, 21 Jul 2002 20:00:17 +0200
> > Subject : Re: CFHTTP, security hole?
> >
> > Alex Hubner wrote:
> > >
> > > Pull_action.cfm (on my remote server):
> > > _________
> > > <CFHTTP METHOD="get"
> > > URL="http://www.source_server.com.br/anyfolder/#url.anyfile#"
> > > PATH="d:\anyfolder" FILE="#url.anyfileToSave#">
> > >
> > > Well, as you can see this code "uploads" the 'anyfile' file to the
> > > D:\anyfolder in the remote server. As many shared hosts, using basic
> > > security, allow CFHTTP operations but disallow CFFILE operations (for
> > > security reasons) this can be a security problem since I can replace
> > > any file, including those under C:\winnt\system32 and also under
> > > other website folder... This can be considered a security problem? As
> > > far as I can see there's a LOT of shared hosts companies using CF
> > > Basic Security (disabling all tags)... CFHTTP cannot be disabled in
> > > this scenario. Advanced Security solves it?
> >
> > cfhttp and cfpop (automatic retrieval of attachments and overwriting of
> > existing files) have this problem. In CF 5 this can be resolved using
> > Sandboxes if you have Enterprise edition, not using just Advanced Security.
> > In CF MX you should be able to resolve this using Sandbox Security as
> > well, but I haven't finished testing it so I do not speak from experience.
> > http://livedocs.macromedia.com/cfmxdocs/Administering_ColdFusion_MX/Security3.jsp
> >
> > Jochem
> >
> >
> 