Sandboxing is a must if you want any kind of security for your customers. The Admin API lets you create all the sandbox rules programmatically.
mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

2009/3/18 TJ Downes <[email protected]>:
> I would appreciate advice from anyone who has experience with this topic in a
> production shared host environment.
>
> I've read through the docs on installing CF and noted that the only things
> they've encouraged are disabling RDS and JSP for shared hosting. I've also
> disabled cfobject, cfschedule, cfldap, cfregistry, cfthread, cfexecute and all
> the cfexchange tags.
>
> Now I am a little confused as to how I prevent users from accessing other
> users' DSNs and also how to prevent them from accessing other websites' files
> using cffile/cfdirectory, or even maliciously destroying/modifying Verity
> collections created by other users.
>
> If I am right, I should also be disabling createObject for .NET, COM, CORBA
> and Java, but are there any other functions I should disable?
>
> Ideally I think each site should have its own sandbox, but I think doing
> this programmatically as each site is generated by the control panel software
> would be tedious. If you have any suggestions here they would be much
> appreciated.
>
> Any other suggestions or advice you have to help me ensure the server is
> secure would be very much appreciated.
>
> Also to note that this is on Windows 2008 with IIS7.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320573

