What CreateObject functions are disabled
Posted by zz-James Moir on 22 June 2016 09:35 AM

Issue

CreateObject is enabled, but the following functions of CreateObject are disabled:

  • CreateObject(.NET)
  • CreateObject(COM)
  • CreateObject(CORBA)
  • CreateObject(Java)
  • CreateObject(WebService)

Reason

These particular CreateObject functions are disabled because they allow a user to break out of the sandbox security imposed by ColdFusion. This is possible because ColdFusion is a Java application, and CreateObject gives access to the underlying APIs and classes (such as java.io.File), which are not protected by sandbox security.

For this reason, we won't enable these specific CreateObject functions on our shared ColdFusion plans. Enabling the above CreateObject functions would give customers the ability to read and write files in other customers' directories, make changes to the server settings, and remove all the security that ColdFusion sandbox security would normally enforce.
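
To check existing code against this restriction before deploying to a shared plan, the following added example (not part of the original article or the host's tooling) scans CFML source for CreateObject calls that use one of the disabled types. The function name, the sample CFML and the handling of "dotnet" as ColdFusion's alias for ".NET" are assumptions of this example.

```python
import re

# Types the article lists as disabled. "dotnet" is included on the assumption
# that it is treated the same as ".NET", since ColdFusion accepts both spellings.
DISABLED = {".net": ".NET", "dotnet": ".NET", "com": "COM", "corba": "CORBA",
            "java": "Java", "webservice": "WebService"}

# Matches the type argument of a CreateObject call, either as the first
# positional string or as a named type="..." argument anywhere in the call.
# Case-insensitive; accepts single or double quotes.
CALL = re.compile(
    r"""createobject\s*\(\s*(?:[^)]*?\btype\s*=\s*)?(["'])\s*([.\w]+)\s*\1""",
    re.IGNORECASE)

def find_disabled_calls(source):
    """Return (line_number, type_label, line_text) for each disabled call."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in CALL.finditer(line):
            label = DISABLED.get(match.group(2).lower())
            if label:  # "component" and other enabled types are ignored
                hits.append((lineno, label, line.strip()))
    return hits

# Constructed sample CFML for demonstration, not taken from the article.
SAMPLE = '''<cfscript>
svc = CreateObject("component", "models.UserService");
f = createObject("java", "java.io.File");
ws = CreateObject( type = 'WebService', webservice = "http://example.invalid/api?wsdl" );
sb = createobject(".NET", "System.Text.StringBuilder");
</cfscript>'''

if __name__ == "__main__":
    for lineno, label, text in find_disabled_calls(SAMPLE):
        print(f"line {lineno}: CreateObject({label}) is disabled: {text}")
```

The scan is line-based, so a CreateObject call whose arguments span several lines needs the source joined before matching.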