The risks are that CFOBJECT and CreateObject allow Java classes/methods to
be called directly, which can circumvent sandbox security.
From that I think you can determine for yourself what the risks are.
To date we have never had anything malicious happen; the main problems
are when people use third-party code without any idea of what it does.
CF9 has the ability to disable access to the CF runtime, which helps a lot
with most common issues.


On Mon, Aug 15, 2011 at 2:21 PM, Robert Rhodes <rrhode...@gmail.com> wrote:

>
> Russ, thanks for the reply.  Does proper sandboxing and CF9 alleviate the
> risks enough to be reasonably safe?  If not, what are the risks?
>
> On Mon, Aug 15, 2011 at 8:38 AM, Russ Michaels <r...@michaels.me.uk>
> wrote:
>
> >
> > Hi,
> >
> > We do not block cfobject; it is less of an issue in CF9 than in previous
> > versions. It is CreateObject(java) that is more of an issue.
> > I'm afraid it is a toss-up: you go with a host that disables all the
> > dangerous tags and work around it, safe in the knowledge that no-one else
> > on the server can do anything dodgy either, or you go with a host that
> > allows dangerous tags and take the risk.
> > Any host should at least be using security sandboxes to lock down any
> > tags that allow I/O access; if they have just turned them on and have not
> > sandboxed, then they are extremely insecure and you should avoid them.
> >
> >
> > --
> >
> > Russ Michaels
> >
> > www.cfmxhosting.co.uk        : ColdFusion Hosting
> > www.cfmldeveloper.com        : ColdFusion developer community + free
> > developer hosting
> >
> > www.michaels.me.uk           : my blog
> > www.cfsearch.com             : ColdFusion search engine
> > skype me                     : russmichaels
> >
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346757