In this case, full read access to the filesystem via JSP (meaning that even if passwords are not set in the CF Admin, they can be obtained from the code) and no sandboxing of datasources (on my account at least, but that may be irrelevant since JSP is installed). That's all it took to accomplish this example, but I could have done more as CFOBJECT / createObject() are also enabled.
A reasonable attempt at security would entail disabling JSP, disabling CFOBJECT/createObject() and sandboxing datasources and files.

-----Original Message-----
From: Jim McAtee [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 May 2005 1:07
To: CF-Talk
Subject: Re: Shared CF Host security

So what exactly is the security issue? Username/password set in the datasource? Full access to the file system?

