They could also look at implementing the "sandbox" security offered by
ColdFusion.  That way you can have cffile running for selected customers.
That is what the "sandbox" security scheme is designed for.  With "sandbox"
security implemented, you can only get at the directories you have
access to.  Therefore, you could not "destroy" files in directories where
you have not been given "authorized" access.

Dave Cahall
Vice President, Professional Services
Digitaris Technologies, Inc.
Office: 972.690.4131 ext 116
Mobile: 214.914.9947
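An added illustration, not ColdFusion's own code, of the per-customer directory allow-list that the sandbox idea above rests on: a file operation is allowed only when the normalized target path sits inside one of that customer's directories, so `..` traversal and look-alike directory names do not escape it. The customer names and paths are constructed.

```python
import posixpath

# Constructed sample: two customers on one shared server, each confined to
# its own directories. Hypothetical data, not the ColdFusion Administrator's format.
SANDBOXES = {
    "acme": ["/inetpub/wwwroot/acme", "/data/acme_uploads"],
    "globex": ["/inetpub/wwwroot/globex"],
}


def normalize(path: str, base: str) -> str:
    """Collapse '.', '..', repeated and backslash separators; resolve relative
    paths against the customer's first sandbox directory."""
    path = path.replace("\\", "/")
    if not posixpath.isabs(path):
        path = posixpath.join(base, path)
    return posixpath.normpath(path)


def is_permitted(customer: str, path: str) -> bool:
    """True only if the normalized target lies inside one of the customer's
    allowed directories. A customer with no sandbox entry gets nothing."""
    allowed = SANDBOXES.get(customer, [])
    if not allowed:
        return False
    target = normalize(path, allowed[0])
    for directory in allowed:
        directory = posixpath.normpath(directory)
        # Trailing separator keeps "/inetpub/wwwroot/acme_evil" from
        # matching the allowed "/inetpub/wwwroot/acme" by string prefix.
        if target == directory or target.startswith(directory + "/"):
            return True
    return False


def audit(customer: str, path: str) -> str:
    """One-line decision record for the server's log (constructed format)."""
    verdict = "ALLOW" if is_permitted(customer, path) else "DENY"
    return f"{verdict} customer={customer} target={normalize(path, SANDBOXES.get(customer, ['/'])[0])}"


if __name__ == "__main__":
    for cust, p in [("acme", "uploads/report.txt"),
                    ("acme", "../globex/Application.cfm"),
                    ("globex", "/data/acme_uploads/f.txt")]:
        print(audit(cust, p))
```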


-----Original Message-----
From: Jeremy Ridout [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 17, 2001 7:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Cold Fusion tags turned off!


It's only a security hole depending on how you look at it. From an ISP point
of view, using a shared server with other sites, yes, this is a problem,
however, from a developer point of view, sometimes, using cfcontent or
cffile is quite necessary. If I were an ISP, hosting a shared server, they'd
be off too.

Unfortunately, you're running into one of the problems of using an ISP and
sitting on a shared box. Yes, it is cheaper to share a CF machine with other
ISP customers; however, as you're finding out, you end up paying in the long
run because you typically do not have the control over the box that you
need. (Not to mention the case of another customer on the same box running
some code with an infinite loop and BAM! the server is kaput.)

You pretty much have two options (short of serving your pages in-house): 1)
Colocate your own machine with an ISP. You and only you have control of the
machine. 2) Work a deal with the ISP to give you a single machine, no shared
customers, on which they would allow you to turn back on the risky tags. Again,
no shared customers is safe: no bad or malicious code to slow or destroy the
server, and the ISP will feel safe about turning on the bad tags.

It costs more... no doubt about it. But you need to ask yourself: are the
stability and flexibility worth the extra bucks or not? If so, you know how
to fix it.

Kind regards,

Jeremy


-----------------------------------------------
To post, send email to [EMAIL PROTECTED]
To subscribe / unsubscribe: http://www.dfwcfug.org