Well, if they do that then they clearly have no idea what they are doing with CF, as many don't.

The only things that need to be disabled are:

CFEXECUTE
CFREGISTRY
Createobject(com)
CreateObject(java)

It is a bit of a catch-22 though, as most customers need CreateObject(java) these days. If you don't enable it then you lose customers; if you enable it you risk your security. If your security gets compromised, all those customers who insisted on having it enabled will then blast you for doing so.

On Thu, Aug 11, 2011 at 1:46 PM, Raymond Camden <[email protected]> wrote:

> Well, I've definitely seen hosts block createObject(component) as well.
>
> On Thu, Aug 11, 2011 at 7:11 AM, Russ Michaels <[email protected]> wrote:
> >
> > I think you misunderstand what he meant, Ray. CFCs are not blocked, that
> > would be silly, but some of the functionality BlogCFC and many other apps
> > require is CreateObject(java) and many even use the CF runtime. Many hosts
> > block these for good reason, as they circumvent any sandbox security that
> > may be set up and do present a security issue.
> > Unfortunately most developers simply do not understand the security side of
> > things and do not consider shared hosting when developing their apps, so
> > their answer is always "find another host", which invariably means
> > "find an insecure host who don't care about security".

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346686

