"however it was discarded I believe because clients can attain the same level of security by simply adding a user/pass to their code via the Application.cfm and referencing the datasource that way."
But with JSP enabled I am broadcasting my username and password to everyone on the server, as they can read my code. As Dave suggested, a slight reorganisation of servers (or even instances on the same server) such that some run JSP and some don't would suffice. Customers needing JSP can take their chances on those servers and those who want some security can have the servers wherein it is disabled.

For a shared host, the best CF security involves turning off JSP, disabling CFOBJECT and createobject() for all customers and sandboxing files for every app to allow access to only the account directory. If you can provide some servers with this config (secure hosting servers) and others with the more relaxed JSP option, you take care of both sets of needs and I stop whining like a child.

-----Original Message-----
From: Jamie Price [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 May 2005 10:11
To: CF-Talk
Subject: RE: Shared CF Host security

>At this point in the discussion I'd like to invite anyone who knows of
>a shared host WITH A CLUE to give us all their details...

Dave alerted me to this thread and the problem with CFMX + JSP just today, so I'm going to be investigating this as well on the HMS end. I can tell you that the initial reason why JSP can't be locked down is that a number of clients are using it for a legitimate purpose - we can't just shut it off and tell those clients that we suddenly became security-conscious and they have to deal and find a shoddy host that will let them run their app. On the other hand, I can't see us allowing this to continue either.

Just because you're on a shared host it doesn't mean that you're on an insecure server. It will never be as tightly locked down as a dedicated server (or even a VPS, which is new at HostMySite), however that doesn't mean you're publishing your code for the world to see. IF that were the case we would change our name to HostMyBBS. :-)

Seriously, I will be taking this up with the CEO and COO tomorrow, and we'll be looking into possible alternatives so everyone gets what they want. I suspect the solution will be a little different for Windows as opposed to the Linux-based sites, however I'm not fluent in CFMX/JSP so I can't say for certain. If any of you have any suggestions that would accomplish both the functionality and the security, I'd be more than happy to entertain them and bring them before the CEO. I can assure you that your suggestions will not be brushed aside lightly for ANY reason.

Along a similar vein, locking down datasources via sandbox security was at one time considered, however it was discarded I believe because clients can attain the same level of security by simply adding a user/pass to their code via the Application.cfm and referencing the datasource that way. We will add the user/pass to the DSN upon request, however we ALWAYS tell clients before doing so that they are basically inviting other users on the server to read/write to their database.

If you have any questions and the CF mods have no problems with my being here, please feel free to post them and I'll either answer them to the best of my ability or find another rep from HostMySite.com who can.

Jamie Price
Email Administrator, Sr. Tech Support Rep
HostMySite.com