The items that have to be disabled completely keep me off of shared hosting.
Not having cfobject/createobject in CFMX is like running a race with your nikes tied together dangling around your neck instead of on your feet! - Calvin On 5/18/05 10:21 PM, "James Holmes" <[EMAIL PROTECTED]> wrote: > "however it was discarded I believe because clients can attain the same > level of security by simply adding a user/pass to their code via the > Application.cfm and referencing the datasource that way." > > But with JSP enabled I am broadcasting my username and password to > everyone on the server, as they can read my code. > > As dave suggested, a slight reorganisation of servers (or even instances > on the same server) such that some run JSP and some don't would suffice. > Customers needing JSP can take their chances on those servers and those > who want some security can have the servers wherein it is disabled. > > For a shared host, the best CF security involves turning off JSP, > disabling CFOBJECT and createobject() for all customers and sandboxing > files for every app to allow access to only the account directory. If > you can provide some servers with this config (secure hosting servers) > and others with the more relaxed JSP option, you take care of both sets > of needs and I stop whining like a child. > > > -----Original Message----- > From: Jamie Price [mailto:[EMAIL PROTECTED] > Sent: Thursday, 19 May 2005 10:11 > To: CF-Talk > Subject: RE: Shared CF Host security > >> At this point in the discussion I'd like to invite anyone who knows of >> a shared host WITH A CLUE to give us all their details... > > Dave alerted me to this thread and the problem with CFMX + JSP just > today, so I'm going to be investigating this as well on the HMS end. I > can tell you that the initial reason why JSP can't be locked down is > that a number of clients are using it for a legitimate purpose - we > can't just shut it off and tell those clients that we suddenly became > security-conscious and they have to deal and find a shoddy host that > will let them run their app. > > On the other hand, I can't see us allowing this to continue either. > Just because you're on a shared host it doesn't mean that you're on an > insecure server. It will never be as tightly locked down as a dedicated > server (or even a VPS, which is new at HostMySite) however that doesn't > mean you're publishing your code for the world to see. IF that were the > case we would change our name to HostMyBBS. :-) > > Seriously, I will be taking this up with the CEO and COO tomorrow, and > we'll be looking into possible alternatives so everyone gets what they > want. I suspect the solution will be a little different for Windows as > opposed to the Linux-based sites, however I'm not fluent in CFMX/JSP so > I can't say for certain. > > If any of you have any suggestions that would accomplish both the > functionality and the security, I'd be more than happy to entertain them > and bring them before the CEO. I can assure you that your suggestions > will not be brushed aside lightly for ANY reason. > > Along a similar vein, locking down datasources via sandbox security > was at one time considered, however it was discarded I believe because > clients can attain the same level of security by simply adding a > user/pass to their code via the Application.cfm and referencing the > datasource that way. We will add the user/pass to the DSN upon request, > however we ALWAYS tell clients before doing so that they are basically > inviting other users on the server to read/write to their database. > > If you have any questions and the CF mods have no problems with my > being here, please feel free to post them and I'll either answer them to > the best of my ability or find another rep from HostMySite.com who can. > > Jamie Price > Email Administrator, Sr. Tech Support Rep HostMySite.com > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207128 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
