It's not exactly true that "all sorts of code other than CF" have these
sorts of problems in shared hosting environments. ASP.NET, for example,
isolates every application from all the others just to avoid these problems.
If you're running BlueDragon.NET, then your CFML inherits this application
isolation so that multiple users can use the same CFAPPLICATION name without
conflict. Also, with BlueDragon.NET, you don't have to turn off CFOBJECT to
avoid security issues; again, this is because the underlying ASP.NET runtime
ensures that all applications are isolated from each other.

It just so happens that I'm working on my CFUNITED presentation on exactly
this topic right now:

    http://www.cfunited.com/topics.cfm#168

Vince Bonfanti
http://blog.newatlanta.com
 
New Atlanta Communications, LLC
http://www.newatlanta.com


> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, April 23, 2005 2:12 PM
> To: CF-Talk
> Subject: RE: CrystalTech Users Beware
> 
> > > Hashing your app name isn't going to protect you from others on a 
> > > shared server from looking in on you:
> > > 
> > > <!--- application tracker object --->
> > > <cfset appObj = createObject("java","coldfusion.runtime.ApplicationScopeTracker")>
> > 
> > But sandbox security can turn that off...
> 
> Well, yes, assuming that CFML code is your only route of 
> attack. However, don't most shared hosting providers 
> typically let you run all sorts of code other than CF? I 
> think your best advice was what you said later in the thread 
> - don't expect too much security on a shared server unless 
> you're using server virtualization.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> 
> Fig Leaf Software provides the highest caliber 
> vendor-authorized instruction at our training centers in 
> Washington DC, Atlanta, Chicago, Baltimore, Northern 
> Virginia, or on-site at your location. 
> Visit http://training.figleaf.com/ for more information!
>


