Matt Liotta wrote:
> Whether cfobject is enabled or not doesn't affect the insecurity of a
> CFMX installation for shared hosting. For example...
>
> <cfscript>
> badThing = CreateObject("java", "a.BadThing");
> // is the same as...
> foo = "";
> clazz = foo.getClass();
> clazz = clazz.forName("a.badThing");
> badThing = clazz.newInstance();
> </cfscript>

But that still runs in the Sandbox, because CF MX leverages the security built in to Java. So that means that all restrictions on the filesystem and ports still apply.

What I am wondering is whether you can use this mechanism to either invoke a COM object or to access the runtime service or the security service. And if you can invoke COM objects, whether you still can after all JIntegra files have been removed.

Jochem