Ah, that does make sense. Thanks Dave!

=]

On Tue, Nov 9, 2010 at 11:56 AM, Dave Watts <dwa...@figleaf.com> wrote:

>
> > I know all about CreateObject's security risks from a hosting perspective,
> > but I've never heard of an issue with CFCONTENT (I'm not doubting you, I'm
> > just curious what the issues are.)
>
> It can be used to download any file that the CF service has permission
> to access, including sensitive Windows files (assuming you're on
> Windows). By default, on Windows the CF service runs as SYSTEM, which
> has practically unrestricted access to everything. Even if CF is
> configured to use a less-privileged user account (as it should be as a
> matter of course) that user account will certainly have permission to
> read any files used by, say, other hosting clients.
>
> My assumption is that CFCONTENT can be sandboxed, but again I'm no
> expert on sandboxing.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
> 

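The mitigation implied by Dave's reply, as an added example that is not part of the thread: a download page that confines CFCONTENT to one allow-listed directory, so a request cannot point it at arbitrary files the CF service account can read. The `/downloads` path and the extension list are assumptions.

```cfml
<!--- Constructed example, not from the thread: serve files only from one
      allow-listed directory, regardless of what privileges the CF service runs with. --->

<!--- Canonical form of the allowed directory (/downloads is an assumed path). --->
<cfset downloadRoot = createObject("java", "java.io.File")
        .init(expandPath("/downloads")).getCanonicalPath() & server.separator.file />

<!--- Keep only the file name; any directory component in url.file is discarded. --->
<cfparam name="url.file" default="" />
<cfset requestedName = getFileFromPath(url.file) />

<!--- Resolve the candidate and require that it still lives directly under
      downloadRoot; canonicalisation also catches symlinks and "..", which
      plain string checks miss. --->
<cfset resolved = createObject("java", "java.io.File")
        .init(downloadRoot & requestedName).getCanonicalPath() />
<cfif len(requestedName) EQ 0
      OR getDirectoryFromPath(resolved) NEQ downloadRoot
      OR NOT fileExists(resolved)>
    <cfheader statuscode="404" statustext="Not Found" />
    <cfabort />
</cfif>

<!--- Allow-list of extensions this directory is meant to serve (assumed list). --->
<cfif NOT listFindNoCase("pdf,zip,txt", listLast(requestedName, "."))>
    <cfheader statuscode="403" statustext="Forbidden" />
    <cfabort />
</cfif>

<cfheader name="Content-Disposition" value="attachment; filename=""#requestedName#""" />
<cfcontent type="application/octet-stream" file="#resolved#" deletefile="no" />
```

Running the CF service as a dedicated low-privilege account, as the reply recommends, limits what such a page can reach even if the check above is ever bypassed.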
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339022