Looking for a shared host that doesn't block cfobject

2011-08-15 Thread Robert Rhodes

Good Morning.

I am looking for a shared host that doesn't block CreateObject(Java).  Any
ideas?

Also, what's the risk on this?  And is there any way to mitigate that risk?
(either by the host or by me)

Thanks.

RR


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346754
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Looking for a shared host that doesn't block cfobject

2011-08-15 Thread Russ Michaels

Hi,

We do not block cfobject; it is less of an issue in CF9 than previous
versions. It is CreateObject(java) that is more of an issue.
I'm afraid it is a toss-up: you go with a host that disables all the
dangerous tags and work around it, safe in the knowledge that no-one else on
the server can do anything dodgy either, or you go with a host that allows
dangerous tags and take the risk.
Any host should at least be using security sandboxes to lock down any tags
that allow I/O access. If they have just turned them on and have not
sandboxed, then they are extremely insecure and you should avoid them.


--

Russ Michaels

www.cfmxhosting.co.uk : ColdFusion Hosting
www.cfmldeveloper.com : ColdFusion developer community + free developer hosting
www.michaels.me.uk : my blog
www.cfsearch.com : ColdFusion search engine
skype me : russmichaels




Re: Looking for a shared host that doesn't block cfobject

2011-08-15 Thread Robert Rhodes

Russ, thanks for the reply.  Does proper sandboxing and cf9 alleviate the
risks enough to be reasonably safe?  If not, what are the risks?



Re: Looking for a shared host that doesn't block cfobject

2011-08-15 Thread Russ Michaels

The risks are that CFOBJECT and CreateObject allow Java classes/methods to
be called directly, which can circumvent sandbox security.
From that I think you can determine for yourself what the risks are.
To date we have never had anything malicious happen; the only main problems
are when people use 3rd party code that they have no idea what it does.
CF9 has the ability to disable access to the CF runtime, which helps a lot
with most common issues.


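The thread's concern about third-party code that calls Java directly can be checked before deployment. The following is an added example, not code from the thread or its posters: a Python scanner that lists every `CreateObject("java", ...)` and `<cfobject type="java">` in CFML source and flags runtime and dynamic class names. The `coldfusion.` package prefix for runtime classes is an assumption, and the sample CFML and its class names are constructed.

```python
import re

RUNTIME_PREFIX = "coldfusion."  # assumption: package prefix of CF's internal runtime classes

CREATE_RE = re.compile(r"""createobject\s*\(\s*["']java["']\s*,\s*(?P<arg>[^,)]+)""", re.I)
CFOBJECT_RE = re.compile(r"<cfobject\b(?P<attrs>[^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""", re.S)
LITERAL_RE = re.compile(r"""^(["'])([\w.$]+)\1$""")

def classify(arg):
    """Return (class_name, category) for a class argument as written in the source."""
    m = LITERAL_RE.match(arg.strip())
    if not m:
        # A variable or #interpolated# value: the class is chosen at run time.
        return arg.strip(), "dynamic"
    name = m.group(2)
    if name.lower().startswith(RUNTIME_PREFIX):
        return name, "cf-runtime"
    return name, "java"

def line_of(source, offset):
    return source.count("\n", 0, offset) + 1

def audit(source):
    """Return sorted (line, class, category) for each Java instantiation found."""
    hits = []
    for m in CREATE_RE.finditer(source):
        hits.append((line_of(source, m.start()), *classify(m.group("arg"))))
    for m in CFOBJECT_RE.finditer(source):
        # Attributes may appear in any order and any case.
        attrs = {k.lower(): v for k, _, v in ATTR_RE.findall(m.group("attrs"))}
        if attrs.get("type", "").lower() == "java":
            quoted = '"%s"' % attrs.get("class", "")
            hits.append((line_of(source, m.start()), *classify(quoted)))
    return sorted(hits)

# Constructed sample; coldfusion.example.InternalService is a placeholder name.
SAMPLE = '''<cfset f = createObject("java", "java.io.File").init("x.txt")>
<cfobject type="Java" class="coldfusion.example.InternalService" name="sf">
<cfset o = CreateObject( 'java', url.cls )>
<cfobject component="app.model.User" name="u">
'''

if __name__ == "__main__":
    for line, cls, category in audit(SAMPLE):
        print(f"line {line}: {cls} [{category}]")
```

Entries marked `dynamic` need manual review, since the class name is only known at run time.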