This goes in the “doh” server configuration department. If you had not already worked it out, the createObject function in ColdFusion does allow developers to create potentially unsafe code, as they can use it to create instances of the factory object that is used internally by the ColdFusion administrator.
The CFOBJECT tag and CreateObject functions should be secured in a shared or untrusted developer environment.
By default, the CFOBJECT tag and the CreateObject function are accessible to all ColdFusion developers. This tag and function should be secured in a shared or untrusted developer environment.
If you need to know more, check out the security bulletin http://www.macromedia.com/devnet/security/security_zone/mpsb04-10.html
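Before restricting the tag and function on a shared server, it helps to know which templates already use them. The script below is an added example, not code from this post or the bulletin: it inventories `CreateObject` calls and `cfobject` tags in CFML source and grades each one. The `coldfusion.` package prefix for server-internal classes is an assumption, and the sample templates and class names are constructed.

```python
import re

# CreateObject(...) call. The literal type/class arguments are optional so that
# calls whose arguments are built at run time are still reported.
CALL_RE = re.compile(
    r"""createobject\s*\(\s*(?:(['"])(?P<type>\w+)\1\s*"""
    r"""(?:,\s*(['"])(?P<cls>[^'"]*)\3)?)?""", re.IGNORECASE)
TAG_RE = re.compile(r"<cfobject\b(?P<attrs>[^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(['"])(.*?)\2""")

# Assumption: classes internal to the server live under this Java package prefix.
INTERNAL_PREFIX = "coldfusion."

def risk(obj_type, cls):
    if obj_type is None:
        return "review"                  # arguments are not literals
    kind = obj_type.lower()
    if kind == "component":
        return "info"                    # ordinary CFC instantiation
    if kind == "java" and (cls or "").lower().startswith(INTERNAL_PREFIX):
        return "high"                    # reaches into server-internal classes
    return "review"                      # other java, com, corba, webservice

def audit(source):
    """Return (line, construct, type, class, risk) tuples in file order."""
    found = []
    for m in CALL_RE.finditer(source):
        found.append((m.start(), "CreateObject", m.group("type"), m.group("cls")))
    for m in TAG_RE.finditer(source):
        attrs = {k.lower(): v for k, _, v in ATTR_RE.findall(m.group("attrs"))}
        cls = attrs.get("class") or attrs.get("component")
        found.append((m.start(), "cfobject", attrs.get("type", "component"), cls))
    found.sort(key=lambda f: f[0])
    return [(source.count("\n", 0, pos) + 1, kind, t, c, risk(t, c))
            for pos, kind, t, c in found]

# Constructed sample template; the class names are placeholders.
SAMPLE = "\n".join([
    '<cfset mail = createObject("component", "app.services.Mail")>',
    "<cfset f = CreateObject( 'java', 'coldfusion.example.Placeholder' )>",
    '<cfobject type="java" class="java.io.File" name="fileObj">',
    "<cfset o = createObject(kind, target)>",
])

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Anything graded `high` or `review` is code that would be affected by locking down the tag and function, and is worth reading before a template is allowed onto a shared server.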