Clarke, in addition to the good stuff Shawn shared [and btw, Shawn, I'd enjoy seeing that code :-)], I'll note that at least as far as the point he made:
> So the hoster is left with a hard choice: disable CFEXECUTE, CFOBJECT, > CreateObject(.NET), CreateObject(COM) and CreateObject(JAVA) or accept > that > there is no security whatsoever in the shared hosting configuration. If > you > disable these tags a lot of applications and frameworks won't work > anymore. > For instance Transfer ORM needs Java access, so any application build > on top > of it will not work in a secured shared hosting environment. It's worth noting that in CF8, the CF admin security changed to allow one to disable the internal CF java objects while not disabling ALL java objects. That's a huge improvement that has seemed to have gone under the radar. Still, some may want to still lock down Java objects for other reasons, I realize. But yes, sandboxes are one way to control how those limitations are applied (per app) and then specifically indicating what those apps are allowed to access (even with such Java objects). It's all cool stuff. For anyone interested, I'll note a couple of articles I did in the CF6 timeframe about Sandbox Security (or Resource Security, as its known if you're on CF Standard). Other than that point above, it's pretty much unchanged since then The first part is here: http://www.carehart.org/articles/#2002_11 Hope that's helpful. /charlie > -----Original Message----- > From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Clarke > Bishop > Sent: Friday, July 10, 2009 10:45 AM > To: discussion@acfug.org > Subject: [ACFUG Discuss] cfexecute, shared hosting, and security > > I realize that all developers have a role in application security > (cfqueryparam, etc.). So, there definitely are things I have to pay > attention to in building an application. > > But for server-level administration and security issues, I would > personally > like to stay away as much as I can! > > While debugging my database connection problem the other day, I > discovered > that the host has cfexecute enabled. It is CF Enterprise, but I don't > know > if sandbox security really helps this problem. Please let me know your > ideas > for how serious a problem this is. I wish there was an independent > group > that evaluated and certified hosting providers -- It's really hard to > know > who's good and who's not! > > --------- > > I found this on the web at > http://jochem.vandieten.net/2008/12/09/cf-shared-hosting-security-java- > cfexe > cute-com-net-and-java-again/ > > So the hoster is left with a hard choice: disable CFEXECUTE, CFOBJECT, > CreateObject(.NET), CreateObject(COM) and CreateObject(JAVA) or accept > that > there is no security whatsoever in the shared hosting configuration. If > you > disable these tags a lot of applications and frameworks won't work > anymore. > For instance Transfer ORM needs Java access, so any application build > on top > of it will not work in a secured shared hosting environment. > > --------- > > My application is the front end to a shopping cart (like a product > configurator). The actual transaction with credit card information > happens > on a totally different server. The data I'm actually keeping wouldn't > be > very interesting for a hacker. > > My philosophy on security is that it's all about striking the right > balance. > You can lock things down so tightly that using the system becomes > difficult > and expensive. Or, you can be too open. I'm having a hard time figuring > out > the right balance. > > Thanks for your comments! > > Clarke > > > > ------------------------------------------------------------- > To unsubscribe from this list, manage your profile @ > http://www.acfug.org?fa=login.edituserform > > For more info, see http://www.acfug.org/mailinglists > Archive @ http://www.mail-archive.com/discussion%40acfug.org/ > List hosted by http://www.fusionlink.com > ------------------------------------------------------------- > > ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
