Without sandboxing (CF Enterprise required), if all tags are enabled, any
user can read/write files anywhere on the server. Even if lockdown
procedures are used, ColdFusion will at bare minimum allow all users access
to each other's sites, even if not the whole server.
Any other customers on the server can therefore easily hack your site, put
phishing code or viruses on your site, steal your database (customer
information etc), harvest credit card details from your payment pages, and
anything else you can imagine.
Any customer could also at any time simply delete your site, or take the
entire server down.

The problem is that most people looking for hosting are clueless about the
server security side of things; they just want all features for the lowest
price and do not consider the consequences.
But then, when the server goes down or your site does get hacked, who are you
going to blame? The host for having all these things enabled in the first
place (which you wanted), or will you blame yourself for using a cheap host
that has everything enabled?

Let me also point out that this is down to the way Java works, as all
requests run in the context of the service, not the web server
authentication. Most hosts rely on their hosting control panel to manage the
security side of things, which it does for things like PHP/ASP etc. On IIS,
for example, a new Windows user is created for each website and that website
runs under that user, who only has permission to access that website root
and certain system folders. So when a .php file runs, it cannot read/write
outside the webroot. Any host that is not doing this is also allowing
system-wide read/write/execute for all scripting languages.

When a .cfm page runs, it runs as the user that the ColdFusion service is
running as, which has full system access.
Many cheap hosts simply install ColdFusion Professional on the server and
presume it works just like PHP or ASP, and will be as clueless to the
security issues as their customer.
Installing and offering ColdFusion hosting is not really the same as
supporting it. To support it, you have to actually know what you are doing
and be aware of the security risks.

People will often say "just run your own instance". You don't get this
option on shared hosting, as it is then not shared hosting. Running your own
instance consumes quite a bit of system resources and is akin to running
your own VPS, as it's your own copy of CF with its own CF Admin that you
manage yourself, and you won't get either for $5 per month, I'm afraid.

As the saying goes, you get what you pay for.

If your site is actually your primary source of income, then presumably it
is quite important to you; therefore you should be prepared to spend more
than a few bucks a month on it, otherwise you are just shooting yourself in
the foot.
You can get a VPS from £20 per month these days, so really anyone can afford
this. How much does your site generate for you each month? A lot more than
£20, I bet. You don't even need technical skills these days, as you can use a
hosting control panel to do everything.

If you had to buy a new RELIABLE car to get you to/from work, would you buy
a cheap £50 car that you have to share with 500 people?

--
Russ Michaels
www.cfmldeveloper.com
Supporting the CF community since 1999
FREE ColdFusion/Railo hosting for developers.

www.bluethunderinternet.com
Professional ColdFusion hosting

my blog: www.michaels.me.u
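The point made above, that a .cfm page runs with the identity of the ColdFusion service rather than a per-site account, is something a tenant on shared hosting can verify for themselves rather than take on trust. The page below is an added example and is not code from the post, from cfmldeveloper.com or from any host; it assumes a ColdFusion server where `expandPath("/")` resolves to this site's own webroot, and the set of probe paths (parent of the webroot, the OS temp directory, the CF install root) is an assumed selection that can be adjusted. It only attempts to list directories and counts entries, and it treats anything readable beyond the site's own root as evidence that no effective sandbox is in place.

```cfml
<!--- sandbox-check.cfm: added example, not part of the original post.
      Drop it into your own webroot and request it once; remove it after. --->
<cfscript>
// Paths to probe. The first one should always be readable (it is this
// site's own root); the others should be blocked when ColdFusion sandbox
// security confines the site. The non-webroot paths are assumptions.
siteRoot = expandPath("/");
probes = [
    { "label": "own webroot",       "path": siteRoot },
    { "label": "parent of webroot", "path": siteRoot & "../" },
    { "label": "OS temp directory", "path": getTempDirectory() },
    { "label": "CF install root",   "path": server.coldfusion.rootdir }
];

results = [];
for (probe in probes) {
    try {
        // directoryList needs only read access; counting entries is enough
        // to show whether this site is confined, without listing anything.
        entries = arrayLen(directoryList(probe.path, false, "name"));
        arrayAppend(results, {
            "label": probe.label, "path": probe.path,
            "readable": true, "entries": entries
        });
    } catch (any e) {
        // With sandbox security on, a path outside the allowed set throws
        // a security exception, which is the expected outcome here.
        arrayAppend(results, {
            "label": probe.label, "path": probe.path,
            "readable": false, "error": e.message
        });
    }
}

// Anything readable other than the site's own root means the request is
// running with the service account's reach, not a per-site identity.
exposed = arrayFilter(results, function(r) {
    return r.readable && r.label != "own webroot";
});
verdict = arrayLen(exposed) ? "NOT confined to this site" : "confined to this site";
</cfscript>

<cfoutput>
<h3>Sandbox check: #verdict#</h3>
<ul>
<cfloop array="#results#" index="r">
  <li>#r.label# (#r.path#):
      #(r.readable ? "readable, " & r.entries & " entries" : "blocked: " & r.error)#</li>
</cfloop>
</ul>
</cfoutput>
```

On a host that has enabled sandbox security for each site, only the first probe reports as readable and the rest show a security exception; if the parent directory or the CF install root come back readable, every other customer's .cfm pages have the same reach into your site, which is the situation described above.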

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339033