> I thought I posted this the other day, but it didn't update for some reason.  
> Here it is again:

Never let it be said that HostMySite.com doesn't listen to its customers.  
After much work we've been able to find a fix for the security issue that 
allows safe execution of JSP and CF.

On our Linux servers, we actually run two J2EE environments - JRun and Resin.  
While JRun does handle the Java processing for ColdFusion, Resin handles the 
requests for JSP pages and servlets.

Java implements a security policy system that can prevent access.  We have 
implemented security management in the Resin server to prevent JSP pages from 
being able to read arbitrary files on the server.  We have restricted code from 
each customer's home directory to:
1) a lengthy list of files and directories that Java and Resin require 
internally
2) log files for the site and for Resin
3) that customer's home directory.

If anyone has any questions about this or needs any further information, feel 
free to post or send me a question off-list.  Thanks again for bringing this to 
our attention!
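
The three-part read allowlist described in the message above can be modelled with java.io.FilePermission, the permission type that Java policy files grant. This is an added example, not HostMySite.com's configuration or code from the original post; every path and the customer names are hypothetical placeholders.

```java
import java.io.FilePermission;
import java.security.Permissions;

// Added illustration of a per-customer read allowlist. In a policy file the
// same grant would be scoped to the customer's code, for example:
//   grant codeBase "file:/home/alice/-" {
//       permission java.io.FilePermission "/home/alice/-", "read";
//   };
// All paths here are hypothetical placeholders.
public class CustomerReadPolicy {

    // Read permissions for code loaded from one customer's home directory.
    static Permissions grantsFor(String customerHome, String siteLogDir) {
        Permissions p = new Permissions();
        // 1) files Java and Resin require internally (placeholder locations)
        p.add(new FilePermission("/opt/java/-", "read"));
        p.add(new FilePermission("/opt/resin/lib/-", "read"));
        // 2) log files for the site and for Resin
        p.add(new FilePermission(siteLogDir + "/-", "read"));
        p.add(new FilePermission("/opt/resin/log/-", "read"));
        // 3) that customer's home directory; "-" matches recursively,
        //    whereas "*" would only match direct children
        p.add(new FilePermission(customerHome, "read"));
        p.add(new FilePermission(customerHome + "/-", "read"));
        return p;
    }

    // True if the granted set covers a read of the given path.
    static boolean canRead(Permissions granted, String path) {
        return granted.implies(new FilePermission(path, "read"));
    }

    public static void main(String[] args) {
        Permissions alice = grantsFor("/home/alice", "/var/log/sites/alice");
        String[] probes = {
            "/home/alice/www/WEB-INF/web.xml",   // own site
            "/var/log/sites/alice/access.log",   // own site log
            "/home/bob/www/WEB-INF/web.xml",     // another customer's files
            "/etc/passwd"                        // arbitrary server file
        };
        for (String path : probes) {
            System.out.printf("%-36s read=%b%n", path, canRead(alice, path));
        }
    }
}
```

Anything not covered by a grant is denied, so another customer's directory and system files fall outside the set without needing explicit deny rules. The Security Manager that enforces such policies at run time was deprecated for removal in Java 17, so this applies to the older runtimes the post is about.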
