It's only a security hole depending on how you look at it. From an ISP point of view, using a shared server with other sites, yes, this is a problem; however, from a developer point of view, sometimes using cfcontent or cffile is quite necessary. If I were an ISP, hosting a shared server, they'd be off too.

Unfortunately, you're running into one of the problems of using an ISP and sitting on a shared box. Yes, it is cheaper to share a CF machine with other ISP customers; however, as you're finding out, you end up paying in the long run because you typically do not have the control over the box that you need. (Not to mention the case of another customer on the same box running some code with an infinite loop and BAM! the server is kaput.)

You pretty much have two options (short of serving your pages in-house):

1) Collocate your own machine with an ISP. You and only you have control of the machine.

2) Work a deal with the ISP to give you a single machine, no shared customers, that they would allow you to turn back on the risky tags. Again, no shared customers is safe, no bad or malicious code to slow or destroy the server, and the ISP will feel safe about turning on bad tags.

It costs more... no doubt about it. But you need to ask yourself, are the stability and flexibility worth the extra bucks or not? If so, you know how to fix it.

Kind regards,
Jeremy

Has anyone heard of this problem? We are using a hosting company - CF 4.5. How do I respond to this? Is this real and if so, are there any fixes? It won't be easy for us/me to switch companies.

Thanks,
Joe Kelly
[EMAIL PROTECTED]

Sent: Friday, September 14, 2001 11:18 AM
Subject: RE: ColdFusion tags turned off!

> I actually cannot. This is a HUGE security hole. One of our customers
> showed us how to delete files from the winnt/system32 directory using
> these tags turned on.
>
> Ric.
>
> Subject: ColdFusion tags turned off!
>
> Ric,
>
> Can you enable all the tags in the Basic Security section of the
> ColdFusion Administrator for our box? Apparently, they got turned off,
> disabling some of our applications.
>
> <<...>> Enable CFCONTENT tag
> <<...>> Enable CFDIRECTORY tag
> <<...>> Enable CFFILE tag
> <<...>> Enable CFOBJECT tag
> <<...>> Enable CFREGISTRY tag
>
> I am most concerned about CFFILE.
>
> Thank You,
> Joe Kelly
> Director of Web Site Development Services
