I just bought a fancy ColdFusion 9 hosting package from Hostek.
As with most hosting providers, I assume, you don't get a dedicated server, of course. Many hosting companies also use a web-based control panel for the domain, for example Helm.
When you set up a ColdFusion DSN (or ODBC DSN), there's a warning that if you insert your SQL username and password, anyone can potentially access your DSN without a password. Yup, sounds logical. All they have to do is know the database name on the server they share.
No problem with cfquery. You can specify username and password.
With ORM, you can't. This makes me ditch all my current ORM plans and switch my application development back to old cfqueries. You cannot even define username and password in Hibernate configuration files, since ColdFusion overrides the connection pool parameters.
Great... just great... am I wrong, or did Adobe really overlook such a huge issue?
-Fernis
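The exposure Fernis describes, and the cfquery workaround, as an added self-check (example code, not from the thread or from Hostek/Adobe). It assumes a DSN registered in CF Administrator under the name "my_dsn" and a table "users"; the DSN name, table and the dbUser/dbPass values are placeholders. Run it from your own account: if step 1 succeeds, the credentials are stored in the DSN, and without datasource sandboxing any other site on the same server can run the same query once it knows the DSN name.

```cfml
<!--- Added example, not part of the original thread.
      Assumed names: DSN "my_dsn", table "users", dbUser/dbPass. --->
<cfset dsn    = "my_dsn">     <!--- assumed DSN name --->
<cfset dbUser = "app_user">   <!--- assumed; real value belongs in Application.cfc --->
<cfset dbPass = "s3cret">     <!--- assumed --->

<!--- Step 1: probe the DSN with NO credentials. --->
<cfset exposed = false>
<cftry>
    <cfquery name="probe" datasource="#dsn#">
        SELECT 1 AS ok
    </cfquery>
    <!--- Reached only if the driver accepted the connection, i.e. the
          username/password are saved in the DSN definition. --->
    <cfset exposed = true>
    <cfcatch type="database">
        <!--- Expected when no credentials are stored: the connection is
              refused, so a co-tenant who guesses the name gets nothing. --->
        <cfset exposed = false>
    </cfcatch>
</cftry>

<cfoutput>
<cfif exposed>
    <p>WARNING: "#dsn#" answers queries without credentials. Any template on
       this server that knows the DSN name can read and write this database
       unless the host applies datasource sandboxing.</p>
<cfelse>
    <p>OK: "#dsn#" refuses connections without credentials.</p>
</cfif>
</cfoutput>

<!--- Step 2: the cfquery pattern from the post. Leave the DSN without
      stored credentials and pass them per query; the secret never sits in
      the shared CF Administrator. ORM cannot do this, because ColdFusion
      hands Hibernate the DSN's own connection pool. --->
<cfquery name="users" datasource="#dsn#" username="#dbUser#" password="#dbPass#">
    SELECT id, name
    FROM   users
    WHERE  id = <cfqueryparam value="1" cfsqltype="cf_sql_integer">
</cfquery>
<cfdump var="#users#">
```

Keep the real dbUser/dbPass in Application.cfc or a file outside the web root rather than in the template itself; the point is only that the credentials travel with each cfquery instead of living in the DSN that every tenant on the server can name.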
So these hosting providers do not sandbox their clients' CF instances (either via CF's own mechanism or by deploying VMs)?
I would not use a hosting provider who runs their servers like that.
--
Adam
That's a good question, actually.
What I'm relying on is the warnings in their control panel software, saying that customers on the same server could potentially access the database if I save the username and the password.
Yet I have (manually, as there's an option for it) enabled sandboxing in my hosted ColdFusion, which, for example, allowed me to use <cfinclude>, which does not work without the sandboxing.
As I'm not too familiar with ColdFusion sandboxing, having worked most of my life with CF Professional editions, I might actually be protected, but I have to verify this with Hostek.com (my current provider).
Thanks for reminding me about this, I'll let you know about their educated guess, should they share that with me.
-Fernis
Hostek.com's reply was:
"The ColdFusion Sandboxing doesn't make a difference for the DataSources. It'd be great if it did somehow.
We do encourage unique and hard to guess DataSource names. This is also a reason we have access to Java Objects disabled, otherwise it'd be easy to get a list of the DSNs."
That's a fail then. "But it was cheap", I tend to say whenever something breaks or falls short of requirements. *shrug*.
-Fernis
Fernis
Re Hostek's "The ColdFusion Sandboxing doesn't make a difference for the DataSources. It'd be great if it did somehow."
What a sack of crap - CFAdmin | Security | Sandbox | Datasources - Datasource permissions for your sandbox. I work for a company in the UK who offers shared ColdFusion hosting and we only run Enterprise solely for the Sandboxing.
A couple of months ago I wrote a Visual Basic app used by the Sales guys (we set up our sites semi-manually to allow complete customisation for the customer) which interfaced directly with the AdminAPI to create a sandbox - in doing so I set it to allow only access to CFClientStore and their own DSN if they had one.
With a hosting company doing things properly there's no problem with storing the DSNs in the CFAdmin - as you say it's a necessity to do so for ORM. I put in a feature request for this when CF9 was in beta, but never heard anything back. I too find it extremely annoying that every time a question is asked about shared hosting Adobe's stock reply is to say that shared hosting requirements should run Multiserver mode. Minimum 400Mb of RAM and manual rolling out of WAR archives for every single site? I don't think so.
O.
My guess is they're using Parallels Plesk for setting up the ColdFusion instances, as customers use Parallels Helm, and I found an article stating Plesk does not support CF DSNs and sandboxing (together, I suppose). That was an old article from 2007, but... *shrug*
If I'm otherwise happy with Hostek, I might stay there regardless, but the next time I'll be sure to ask if DSNs will be sandboxed as well.
Thanks for the comments
-Fernis
Pfft, these shonky hosting companies who don't even bother writing their own control panels from scratch, hey
The thing is, I can't even blame the companies who just buy the Standard edition; it's a hell of a lot of money to shell out for a bit of software you're really not going to make massive business from.
O.