> I know all about CreateObject's security risks from a hosting perspective,
> but I've never heard of an issue with CFCONTENT (I'm not doubting you, I'm
> just curious what the issues are.)

It can be used to download any file that the CF service has permission
to access, including sensitive Windows files (assuming you're on
Windows). By default, on Windows the CF service runs as SYSTEM, which
has practically unrestricted access to everything. Even if CF is
configured to use a less-privileged user account (as it should be as a
matter of course) that user account will certainly have permission to
read any files used by, say, other hosting clients.

My assumption is that CFCONTENT can be sandboxed, but again I'm no
expert on sandboxing.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339021
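As an added illustration of the point above (example code written for this page, not part of Dave's post or of any shipping application), here is the CFCONTENT pattern that turns into an arbitrary-file read, followed by a version that only serves files from one directory. The `downloads` directory, the `url.file` parameter and the filename pattern are assumptions for the example.

```cfml
<!---
VULNERABLE shape (assumed example, shown only as a comment so it never runs):

    <cfcontent type="application/octet-stream"
               file="#ExpandPath('downloads/' & url.file)#">

?file=..\..\..\Windows\win.ini (or an absolute path) is served as long as the
CF service account can read it. Running as SYSTEM, that is nearly everything;
running as a low-privilege account it is still every other site on the box.
--->

<!--- HARDENED version: serve only from one directory, by bare filename. --->
<cfset baseDir = ExpandPath("downloads") & "/">   <!--- assumed download root --->
<cfparam name="url.file" default="">

<!--- 1. Discard any directory part. Both / and \ are treated as delimiters,
         so "..\..\win.ini" collapses to "win.ini". --->
<cfset fileName = ListLast(url.file, "/\")>

<!--- 2. Allowlist the characters and extensions we are willing to hand out.
         An empty name (no ?file= at all) fails this check as well. --->
<cfif NOT REFind("^[A-Za-z0-9_-]+\.(pdf|zip|csv)$", fileName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfset fullPath = baseDir & fileName>

<!--- 3. Confirm the file really exists under the download root before
         CFCONTENT opens it with the service account's privileges. --->
<cfif NOT FileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<cfheader name="Content-Disposition" value="attachment; filename=""#fileName#""">
<cfcontent type="application/octet-stream" file="#fullPath#" reset="true">
```

The important step is the first one: the path handed to CFCONTENT is built from a filename the code chose, never from a path the client supplied. On a shared host this belongs alongside, not instead of, a ColdFusion Administrator sandbox whose file and directory permissions stop at the site's own root, so that a template which forgets the check still cannot read outside it.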