Dailyrazor hosted sites down

This post is more than 2 years old.

Well, not down, but my buddy Todd Sharp sent me an email saying that Dailyrazor decided to disable createObject() without warning their customers. His blog - and Luis Majano's site (ColdBox guy) are down - along with others I assume.

Raymond Camden's Picture

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA https://www.raymondcamden.com

Archived Comments

Comment 1 by Michael Brennan-White posted on 10/3/2007 at 4:39 PM

My site is down also on DailyRazor. Mine doesn't even use createobject(), I use cfinvoke which is pretty much the same thing I guess.

Of course this happens immediately after I paid for 3 months of hosting.

Comment 2 by todd sharp posted on 10/3/2007 at 4:56 PM

So here is their reply:

"recently, we found few security critical tags and functions are still enabled on your server. They are disabled now, please check the list, and rewrite your application accordingly:

CF tags:
CFCOLLECTION
CFCONTENT
CFEXECUTE
CFLOG
CFOBJECT
CFOBJECTCACHE
CFREGISTRY

CF functions:
SetProfileString
CreateObject(COM)
CreateObject(CORBA)
CreateObject(JAVA)

CreateObject and CreateObject (webservice) are still enabled.

We apologize for the inconvenience caused by this change, but there is no way to have it reverted back on shared hostings.
Also, this change has not been announced, because it was enough urgent, and there are not so much customers who uses restricted tags. We are sorry for the fact not to update you, but as there are around 5-7 customers affected (from our previous experience), that is better not to announce it server wide and bother the rest."

So apparently createObject() is not blocked (but cfobject is??) - and blocking cfcontent and setProfileString (which is probably what is breaking blogcfc)???

5-7 customers?? I find it hard to believe that only 5-7 customers are using one or more of the tags/functions above!!

Comment 3 by todd sharp posted on 10/3/2007 at 5:23 PM

So all of the sudden my (and Luis') sites are back up....but for how long?

(Guess they didn't like my emails -or Ray's post here)

Comment 4 by sal posted on 10/3/2007 at 7:01 PM

I have a clients site hosted on daily razor! in which I highly don't recommend, but my guest book in which I use createObject(), seems to be working fine. (9am 10/03) Although Im instantiating a CFC...

cheers

Comment 5 by Matt Williams posted on 10/3/2007 at 7:18 PM

Just say no to shared hosting and yes to Virtual Private Server (VPS) hosting.

Comment 6 by Sumedha posted on 10/3/2007 at 8:47 PM

I have been hosted with HostingAtoZ.com for a while and do enable createObject tag. I have not see an noticable issues with the host as yet :)

Comment 7 by Andrew Scott posted on 10/4/2007 at 5:51 AM

I also host at HostingAtoZ, but they originally had CreateObject, cfinvoke etc disabled. Till I complained about it, I am not just trying to get them to switch profilesetting tags function on.

Comment 8 by sumedha posted on 10/8/2007 at 12:25 PM

Yes by default they disable a few tags and functions. And as they have mentioned in their knowledge base you have to mail them to create a sandbox for your site which is free. This will enabled all the restricted tags and functions.

Comment 9 by Abiud Zerubabel posted on 10/13/2007 at 1:13 AM

First, off all we would like to apologize for the inconvenience caused from our end. However, as you will see from the explanation below, what we did was a best choice we had at that moment.

On top of that , please keep in mind, that our number one goal is the satsfaction of our custmers, while we donot want to have customers dissatisfied or frustrated, under no circumstances things got out of our control.

To closely observe the issue itself. Dailyrazor doesnot offer these tags . Infact we already have listed in our FAQ the list of tags and functions that are disabled.
Recently, we found that we could safely enable two functions (createobject and createobject(webservice)). However, we realized, that a few servers had these tags/functions in restricted list, thr guy who set up the servers, forgot to enable sandbox security, and because of that restrictions were not in effect.

We assumed that there were around 50-80 real coders but later on we counted 70, 26 with cfcontent, 18 with setprofilestring, and 16 with createobject(java)) who may affect restricted tags on all servers, and decided to put restrictions back to effect without notifications.

Main reasons were:

1) every of tags/functions disabled allows to get full access to the server (few of them may lead to the same result).
2) there is a small difference between major functionality changes, and security changes that may affect functionality (70 customers off the 1300 were affected servers).
we all announce the First. Because things was out off control the Second ones were announced whenever it was possible.
3) we figured we would not be able to find out owners of apps with restricted tags within a reasonable time.
4) notifying all customers on the servers is probably a bad idea, not because of 'security through obscurity', but because it may announce them possibility to take malicious actions before could be disabled.

Our staff were planning to announce it later, after the change, however decided not to do so and only answer to those who complain or ask. (bad idea as I can see now),

we apologise for the inconvinience, we have never intended to niehter disappoint nor dissatisfy our custmoers. However we had no option but to ahead an disable incause of that some custmer might find out that their web-site is down without any announcement from our end

We got back 15 (14 with 2 tickets about the same issue)complaints - 1 canceled and 8 of the complaints got fixed as result. The rest of tickets belongs to your community (we saw these customers in your blogs):

Todd Sharp
Steve Eller
Oscar Arevalo

And you. these four people stopped the our entire process, so we had no choice but to enable the tags back temporarily.

This suctemporay delay gave us a time to get a full list of customers affected by the change. Shortly we will be announcining to 70 customers who were affected.

Currently we are looking for a workaround for this issue please feel free to give as any ideas or stratgies you might think of that would help us in this All customers will be announced and have time to rewrite apps or transfer their sites to any other service.

List of workarounds:

---
1) cfcontent tag- can be simply replaced with a bit of additional coding and cfheader tag
2) createobject (java) function:

- used for get hostname. Needed only to provide developers the way to include machine specific config without rewriting main part of app. And can be simply rewritten to have server name predefined.
- used to do application internalization. There is an official
globalization manual from Macromedia - and all of such apps should be rewritten accordingly (in the fact, they should follow it from the scratch):

http://livedocs.adobe.com/c...

3) setprofilestring for blogCFC:

http://trond.ulseth.no/inde...

please post your opnion and comments here
http://forums.dailyrazor.com

---

Thanks
Support-MK,
DailyRazor Hosting Support

Comment 10 by imomin posted on 12/12/2007 at 9:57 AM

DailyRazor screwed up all my application that used cfcontent, SetProfileString and cfobject. I am trying to figure out how to convert binary image data from the database to JPEG. Also, AjaxCFC gives me random error alerts.
How many more DailyRazor victims do we have?

Comment 11 by imomin posted on 12/12/2007 at 10:18 AM

People at DailyRazor are keep saying cfcontent can be replaced with cfheader.
Can you replace following code using cfheader.

<cfquery name="viewImage" datasource="#dsn#">
SELECT picture as images FROM Person where personID = #val(url.ID)#
</cfquery>

<cfif len(viewImage.images) GT 0>
<cfcontent type="image/jpeg" variable="#viewImage.images#">
<cfelse>
<img src="/no-image-small.gif" border="0" >
</cfif>

------------------------------------------

I can do following but these way I will run our of desk space in weeks.
<cfset destination = "C:\Inetpub\vhosts\blah.com\httpdocs\">
<cfset imageFile = CreateUUID() & ".jpg">

<cffile action="write" file="#destination##imageFile#" output="#ToBinary(viewImage.images)#" addnewline="no" charset="utf-8" fixnewline="no">

<img src="/<cfoutput>#imageFile#</cfoutput>">

Comment 12 by imomin posted on 12/13/2007 at 4:05 AM

Found the solution. Thanks to my buddy Kenton Gray

<cfquery name="viewImage" datasource="#dsn#">
SELECT picture as images FROM Person where personID = #val(url.ID)#
</cfquery>

<cfset pic = viewImage.images>

<cfscript>
context = getPageContext();
context.setFlushOutput(false);
response = context.getResponse().getResponse();
out = response.getOutputStream();
response.setContentType("image/jpeg");
response.setContentLength(arrayLen(pic));
out.write(pic);
out.flush();
out.close();
</cfscript>

Comment 13 by Nathan Stanford posted on 4/7/2008 at 11:13 PM

I am going to be looking at leaving DailyRazor. I guess a low price is too low.

Comment 14 by todd sharp posted on 4/7/2008 at 11:26 PM

They tried to bill me last week to renew. 6 months after this whole fiasco...