I deeply agree but, as we know, not everything is perfect... I saw 
people running Professional versions with basic security (disabling 
all tags) and offering it as a shared ColdFusion hosting 
solution...!! ColdFusion is relatively "new" here in Brazil. We're more 
inclined to ASP/PHP and even Perl than ColdFusion... I can say that 
CF is only 5-10% of the server-side market here. This percentage is 
increasing significantly now... But you still see poor server 
administrators (a lot, in other words).

Just an example:

http://www.localweb.com.br/opcoes/coldfusion.asp

One of the biggest shared hosting providers here (with more than 
100k hosting accounts).

It states: the following tags are not available... (which means they 
use basic security - I've tested myself)... They are actually good 
and secure with ASP and stuff, but I can't say the same with CF...

By the way: HostMySite is a great place! I'm using CFMX hosting from 
you and it's very good!

[]'s
Alex


> ---------- Original message -----------
> 
> From    : "Neil H." <[EMAIL PROTECTED]>
> To      : CF-Talk <[EMAIL PROTECTED]>
> Cc      : 
> Date    : Sun, 21 Jul 2002 20:06:49 -0400
> Subject : Re: CFHTTP, security hole?
> 
> Anyone not running advanced security on CFMX in a hosting environment isn't
> bright.  They couldn't have made it any easier.  At www.HostMySite.com we run
> advanced and it works very well.
> 
> Neil
> ----- Original Message -----
> From: "Alex Hubner" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Sunday, July 21, 2002 4:13 PM
> Subject: Re: CFHTTP, security hole?
> 
> 
> > Yea, I've read about this problem with CFPOP somewhere... Spooky!
> >
> > Anyway, it is more than clear that now CFMX is the choice for hosting
> > providers.
> >
> > Thanks!
> > Alex
> >
> >
> > > ---------- Original message -----------
> > >
> > > From    : Jochem van Dieten <[EMAIL PROTECTED]>
> > > To      : CF-Talk <[EMAIL PROTECTED]>
> > > Cc      :
> > > Date    : Sun, 21 Jul 2002 20:00:17 +0200
> > > Subject : Re: CFHTTP, security hole?
> > >
> > > Alex Hubner wrote:
> > > >
> > > > Pull_action.cfm (on my remote server):
> > > > _________
> > > > <CFHTTP METHOD="get"
> > > > URL="http://www.source_server.com.br/anyfolder/#url.anyfile#"
> > > > PATH="d:\anyfolder" FILE="#url.anyfileToSave#">
> > > >
> > > > Well, as you can see this code "uploads" the 'anyfile' file to the
> > > > D:\anyfolder in the remote server. As many shared hosts, using basic
> > > > security, allow CFHTTP operations but disallow CFFILE operations (for
> > > > security reasons) this can be a security problem since I can replace
> > > > any file, including those under C:\winnt\system32 and also under
> > > > other website folder... This can be considered a security problem? As
> > > > far as I can see there's a LOT of shared hosts companies using CF
> > > > Basic Security (disabling all tags)... CFHTTP cannot be disabled in
> > > > this scenario. Advanced Security solves it?
> > >
> > > cfhttp and cfpop (automatic retrieval of attachments and overwriting of
> > > existing files) have this problem. In CF 5 this can be resolved using
> > > Sandboxes if you have Enterprise edition, not using just Advanced Security.
> > > In CF MX you should be able to resolve this using Sandbox Security as
> > > well, but I haven't finished testing it so I do not speak from experience.
> > > http://livedocs.macromedia.com/cfmxdocs/Administering_ColdFusion_MX/Security3.jsp
> > >
> > > Jochem
> > >
> > >
> > 
> 
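
For a hosting administrator who wants to find the pattern discussed in this thread in tenant code, the following added example (not part of any message in the thread) scans CFML source for cfhttp and cfpop tags that write to disk and flags those whose destination is built from a #...# expression. The sample templates are constructed, and cfpop's attachmentpath attribute comes from the ColdFusion tag reference, not from the thread.

```python
import re

# Tags from the thread that save fetched content on the server, mapped to
# the attributes that choose where it lands (attachmentpath: assumption,
# taken from the CF tag reference, not from the thread).
WRITE_ATTRS = {"cfhttp": ("path", "file"), "cfpop": ("attachmentpath",)}

# Simplification: assumes no literal '>' inside an attribute value.
TAG_RE = re.compile(r"<(cfhttp|cfpop)\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
DYNAMIC_RE = re.compile(r"#[^#]+#")  # CFML #expression#; "##" is a literal hash

# Constructed sample templates (the first mirrors the snippet in the thread).
SAMPLES = {
    "pull_action.cfm": '<CFHTTP METHOD="get"\n'
                       'URL="http://www.source_server.com.br/anyfolder/#url.anyfile#"\n'
                       'PATH="d:\\anyfolder" FILE="#url.anyfileToSave#">\n',
    "feed.cfm": '<cfhttp method="get" url="http://example.com/feed.xml">\n',
    "mail.cfm": '<cfpop server="mail.example.com" action="getAll" name="msgs"\n'
                '  attachmentpath="d:\\sites\\tenant1\\attach">\n',
}

def audit_template(name, source):
    """Return one finding per tag in `source` that writes to the file system."""
    findings = []
    for m in TAG_RE.finditer(source):
        tag = m.group(1).lower()
        attrs = {k.lower(): (dq or sq or bare)
                 for k, dq, sq, bare in ATTR_RE.findall(m.group(2))}
        writes = {k: attrs[k] for k in WRITE_ATTRS[tag] if k in attrs}
        if not writes:
            continue  # e.g. cfhttp that only fills cfhttp.fileContent
        dynamic = sorted(k for k, v in writes.items() if DYNAMIC_RE.search(v))
        findings.append({
            "template": name,
            "line": source.count("\n", 0, m.start()) + 1,
            "tag": tag,
            "writes": writes,
            "dynamic": dynamic,  # destination attributes built at request time
            "severity": "high" if dynamic else "review",
        })
    return findings

def audit_all(templates):
    return [f for name, src in templates.items() for f in audit_template(name, src)]

if __name__ == "__main__":
    for f in audit_all(SAMPLES):
        print(f"{f['template']}:{f['line']} <{f['tag']}> {f['severity']} {f['writes']}")
```

A static scan like this only locates candidate templates for review; restricting where those tags may write is a server-side setting, which the thread attributes to Sandbox Security.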