There is a security problem / use problem with CF's Data Source Name.
When a DSN is put into the administrator with account and password, the DSN
becomes available to all applications on the server. In a shared hosting
environment, DSN are very easy to discover. This means untrusted users can
compromise any shared user.
The current security strategy is to not use accounts and passwords in the
admin but to put in the application with every cfquery. This strategy cases
other programming and connection programs.
I would like to see another level of DSN support at application scope.
Still use the strategy of no accounts and passwords in the administrator at
server scope, but put a new DSN that runs at the application scope which
has the account and password. Or leave the account and password in the
server scope but with a constraint bound to application scope.
Joseph
-----------------------------------------------------------------------
http://www.switch-box.org/CFSQLTool/Download/
Switch_box MediaFirm, Inc.
www.Switch-box.org Loveland, CO USA
----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to
[email protected] with the words 'unsubscribe cfcdev' as the subject of the
email.
CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting
(www.cfxhosting.com).
CFCDev is supported by New Atlanta, makers of BlueDragon
http://www.newatlanta.com/products/bluedragon/index.cfm
An archive of the CFCDev list is available at
www.mail-archive.com/[email protected]
