CreateObject(com) is very dangerous and should never be enabled on a shared server. Danger, Will Robinson. All the sandbox does is either enable or disable this function; as you're calling a COM object, which has nothing to do with Java, it is run totally outside of the sandbox permissions. Again, it would execute with the same permissions as the Java/ColdFusion service.
CreateObject(java) is not much better, as it allows you to execute any Java function. CF9 did finally address this by allowing you to restrict certain methods, so you can, for example, block access to the Service Factory (cfadmin settings). However, as pretty much every framework/app needs this function and also needs the classloader, to disable this function would mean crippling ColdFusion for most people. So it is a security risk most hosts have to take. Really, this should also never be enabled on a shared server either, as it cannot truly be locked down.

CreateObject(corba) I would assume is the same as the above, but I have no idea what the hell corba is and it is not installed on any of our servers anyway.

So at the end of the day, no ColdFusion host can be 100% secure unless they cripple the service and disable functionality that most customers are going to need. So if you want security you will definitely need your own server.

--
Russ Michaels
www.cfmldeveloper.com - Supporting the CF community since 1999
FREE ColdFusion/Railo hosting for developers.
blog: www.michaels.me.uk
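
For a host reviewing customer code, the three CreateObject types discussed in the message can be located statically in CFML templates. The Python sketch below is an added example, not part of the original message; the function name `audit_cfml` and the sample template are constructed for illustration.

```python
import re

RISKY = {"com", "java", "corba"}  # the three CreateObject types discussed in the post

# Blank out CFML comments but keep newlines so reported line numbers stay valid.
_COMMENT = re.compile(r"<!---.*?--->", re.S)
# createObject("java", ...), createObject(type='com', ...) or createObject(someVar, ...)
_CALL = re.compile(
    r"""\bcreateobject\s*\(\s*(?:type\s*=\s*)?(?:(["'])(?P<lit>[^"']*)\1|(?P<dyn>[^,)\s]+))""",
    re.I)
# <cfobject ... type="com" ...>, attributes in any order
_TAG = re.compile(r"""<cfobject\b[^>]*?\btype\s*=\s*(["'])(?P<lit>[^"']*)\1""", re.I)


def audit_cfml(source):
    """Return sorted (line, kind, form) tuples for risky object creation in CFML."""
    clean = _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    findings = []
    for form, rx in (("createObject()", _CALL), ("<cfobject>", _TAG)):
        for m in rx.finditer(clean):
            lit = m.group("lit")
            if lit is None or "#" in lit:
                kind = "dynamic"   # type decided at run time: review by hand
            elif lit.strip().lower() in RISKY:
                kind = lit.strip().lower()
            else:
                continue           # "component", "webservice", ...
            line = clean.count("\n", 0, m.start()) + 1
            findings.append((line, kind, form))
    return sorted(findings)


# Constructed sample template, not taken from any real application.
SAMPLE = '''<cfset fso = CreateObject("com", "Scripting.FileSystemObject")>
<!--- old: <cfset x = createObject("java", "java.io.File")> --->
<cfscript>
  factory = createObject('java', "coldfusion.server.ServiceFactory");
  svc = createObject("component", "model.UserService");
  obj = createObject(objType, objClass);
</cfscript>
<cfobject name="orb" type="corba" context="ior" class="x.ior">
'''

if __name__ == "__main__":
    for line, kind, form in audit_cfml(SAMPLE):
        print(f"line {line}: {form} type={kind}")
```

Calls whose type is a variable are reported as `dynamic` because the type cannot be determined from the source alone.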

