My site is down also on DailyRazor. Mine doesn't even use createobject(), I use cfinvoke which is pretty much the same thing I guess.

Of course this happens immediately after I paid for 3 months of hosting.

So here is their reply:

"recently, we found few security critical tags and functions are still enabled on your server. They are disabled now, please check the list, and rewrite your application accordingly:

CF tags:
CFCOLLECTION
CFCONTENT
CFEXECUTE
CFLOG
CFOBJECT
CFOBJECTCACHE
CFREGISTRY

CF functions:
SetProfileString
CreateObject(COM)
CreateObject(CORBA)
CreateObject(JAVA)

CreateObject and CreateObject (webservice) are still enabled.

We apologize for the inconvenience caused by this change, but there is no way to have it reverted back on shared hostings.
Also, this change has not been announced, because it was enough urgent, and there are not so much customers who uses restricted tags. We are sorry for the fact not to update you, but as there are around 5-7 customers affected (from our previous experience), that is better not to announce it server wide and bother the rest."

So apparently createObject() is not blocked (but cfobject is??) - and blocking cfcontent and setProfileString (which is probably what is breaking blogcfc)???

5-7 customers?? I find it hard to believe that only 5-7 customers are using one or more of the tags/functions above!!

So all of the sudden my (and Luis') sites are back up....but for how long?

(Guess they didn't like my emails -or Ray's post here)

I have a clients site hosted on daily razor! in which I highly don't recommend, but my guest book in which I use createObject(), seems to be working fine. (9am 10/03) Although Im instantiating a CFC...

cheers

Just say no to shared hosting and yes to Virtual Private Server (VPS) hosting.

I have been hosted with HostingAtoZ.com for a while and do enable createObject tag. I have not see an noticable issues with the host as yet :)

I also host at HostingAtoZ, but they originally had CreateObject, cfinvoke etc disabled. Till I complained about it, I am not just trying to get them to switch profilesetting tags function on.

Yes by default they disable a few tags and functions. And as they have mentioned in their knowledge base you have to mail them to create a sandbox for your site which is free. This will enabled all the restricted tags and functions.

First, off all we would like to apologize for the inconvenience caused from our end. However, as you will see from the explanation below, what we did was a best choice we had at that moment.

On top of that , please keep in mind, that our number one goal is the satsfaction of our custmers, while we donot want to have customers dissatisfied or frustrated, under no circumstances things got out of our control.

To closely observe the issue itself. Dailyrazor doesnot offer these tags . Infact we already have listed in our FAQ the list of tags and functions that are disabled.
Recently, we found that we could safely enable two functions (createobject and createobject(webservice)). However, we realized, that a few servers had these tags/functions in restricted list, thr guy who set up the servers, forgot to enable sandbox security, and because of that restrictions were not in effect.

We assumed that there were around 50-80 real coders but later on we counted 70, 26 with cfcontent, 18 with setprofilestring, and 16 with createobject(java)) who may affect restricted tags on all servers, and decided to put restrictions back to effect without notifications.

Main reasons were:

1) every of tags/functions disabled allows to get full access to the server (few of them may lead to the same result).
2) there is a small difference between major functionality changes, and security changes that may affect functionality (70 customers off the 1300 were affected servers).
we all announce the First. Because things was out off control the Second ones were announced whenever it was possible.
3) we figured we would not be able to find out owners of apps with restricted tags within a reasonable time.
4) notifying all customers on the servers is probably a bad idea, not because of 'security through obscurity', but because it may announce them possibility to take malicious actions before could be disabled.

Our staff were planning to announce it later, after the change, however decided not to do so and only answer to those who complain or ask. (bad idea as I can see now),

we apologise for the inconvinience, we have never intended to niehter disappoint nor dissatisfy our custmoers. However we had no option but to ahead an disable incause of that some custmer might find out that their web-site is down without any announcement from our end

We got back 15 (14 with 2 tickets about the same issue)complaints - 1 canceled and 8 of the complaints got fixed as result. The rest of tickets belongs to your community (we saw these customers in your blogs):

Todd Sharp
Steve Eller
Oscar Arevalo

And you. these four people stopped the our entire process, so we had no choice but to enable the tags back temporarily.

This suctemporay delay gave us a time to get a full list of customers affected by the change. Shortly we will be announcining to 70 customers who were affected.

Currently we are looking for a workaround for this issue please feel free to give as any ideas or stratgies you might think of that would help us in this All customers will be announced and have time to rewrite apps or transfer their sites to any other service.

List of workarounds:

---
1) cfcontent tag- can be simply replaced with a bit of additional coding and cfheader tag
2) createobject (java) function:

- used for get hostname. Needed only to provide developers the way to include machine specific config without rewriting main part of app. And can be simply rewritten to have server name predefined.
- used to do application internalization. There is an official
globalization manual from Macromedia - and all of such apps should be rewritten accordingly (in the fact, they should follow it from the scratch):

http://livedocs.adobe.com/c...

3) setprofilestring for blogCFC:

http://trond.ulseth.no/inde...

please post your opnion and comments here
http://forums.dailyrazor.com

---

Thanks
Support-MK,
DailyRazor Hosting Support

DailyRazor screwed up all my application that used cfcontent, SetProfileString and cfobject. I am trying to figure out how to convert binary image data from the database to JPEG. Also, AjaxCFC gives me random error alerts.
How many more DailyRazor victims do we have?

People at DailyRazor are keep saying cfcontent can be replaced with cfheader.
Can you replace following code using cfheader.

<cfquery name="viewImage" datasource="#dsn#">
SELECT picture as images FROM Person where personID = #val(url.ID)#
</cfquery>

<cfif len(viewImage.images) GT 0>
<cfcontent type="image/jpeg" variable="#viewImage.images#">
<cfelse>
<img src="/no-image-small.gif" border="0" >
</cfif>

------------------------------------------

I can do following but these way I will run our of desk space in weeks.
<cfset destination = "C:\Inetpub\vhosts\blah.com\httpdocs\">
<cfset imageFile = CreateUUID() & ".jpg">

<cffile action="write" file="#destination##imageFile#" output="#ToBinary(viewImage.images)#" addnewline="no" charset="utf-8" fixnewline="no">

<img src="/<cfoutput>#imageFile#</cfoutput>">

Found the solution. Thanks to my buddy Kenton Gray

<cfquery name="viewImage" datasource="#dsn#">
SELECT picture as images FROM Person where personID = #val(url.ID)#
</cfquery>

<cfset pic = viewImage.images>

<cfscript>
context = getPageContext();
context.setFlushOutput(false);
response = context.getResponse().getResponse();
out = response.getOutputStream();
response.setContentType("image/jpeg");
response.setContentLength(arrayLen(pic));
out.write(pic);
out.flush();
out.close();
</cfscript>

I am going to be looking at leaving DailyRazor. I guess a low price is too low.

They tried to bill me last week to renew. 6 months after this whole fiasco...