Don't ever let it be said that we don't listen to the voices of our clients.  
:-)  We've implemented a fix for this security issue that spans all of our 
Linux servers running ColdFusion.  Here's a synopsis from one of the techs 
involved in implementing the change:

"We actually run two J2EE environments - JRun and Resin.  While JRun does 
handle the Java processing for ColdFusion, Resin handles the requests for JSP 
pages and servlets.

Java implements a security policy system that can prevent access.  We have 
implemented security management in the Resin server to prevent JSP pages from 
being able to read arbitrary files on the server.  We have restricted code from 
each customer's home directory to:

1) a lengthy list of files and directories that Java and Resin require 
internally
2) log files for the site and for Resin
3) that customer's home directory."

So, security in a shared hosting environment isn't exactly a myth, it just 
takes a little more work and flexibility.  If anyone needs a more technical 
explanation of what we did, please let me know via email and/or a post here and 
I'd be happy to assist.
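
The three-part restriction quoted above can be expressed as java.io.FilePermission entries. The following is an added example, not the host's actual policy or code from this post: every path, the customer names and the chosen actions are assumptions. It builds one customer's permission set and shows which read requests that set would allow.

```java
import java.io.FilePermission;
import java.security.Permissions;

public class CustomerPolicyCheck {

    // Builds the file permissions for code served from one customer's home
    // directory, following the three categories listed in the post.
    // All paths and actions are hypothetical placeholders.
    static Permissions forCustomer(String home, String siteLog) {
        Permissions p = new Permissions();
        // 1) files Java and Resin need internally (the post says the real
        //    list is lengthy; one constructed entry stands in for it)
        p.add(new FilePermission("/opt/resin/lib/-", "read"));
        // 2) log files for the site and for Resin
        p.add(new FilePermission(siteLog, "read,write"));
        p.add(new FilePermission("/var/log/resin/resin.log", "read"));
        // 3) the customer's own home directory; "/-" means every file
        //    and subdirectory below it, recursively
        p.add(new FilePermission(home + "/-", "read,write,delete"));
        return p;
    }

    // True if the permission set allows reading the given path.
    static boolean canRead(Permissions p, String path) {
        return p.implies(new FilePermission(path, "read"));
    }

    public static void main(String[] args) {
        Permissions p = forCustomer("/home/customer1",
                                    "/var/log/resin/customer1.log");
        // Constructed sample requests, as a JSP page might issue them.
        String[] requests = {
            "/home/customer1/site/index.jsp",       // own site
            "/var/log/resin/customer1.log",         // own log
            "/opt/resin/lib/resin.jar",             // runtime file
            "/home/customer2/site/db.properties",   // another customer
            "/etc/passwd"                           // arbitrary server file
        };
        for (String path : requests) {
            System.out.println((canRead(p, path) ? "ALLOW " : "DENY  ") + path);
        }
    }
}
```

The last two requests are denied because no entry in the set covers them; a policy built this way is an allowlist, so anything not granted explicitly is refused.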
