Matt Liotta wrote:
> Whether cfobject is enabled or not doesn't affect the insecurity of a 
> CFMX installation for shared hosting. For example...
> 
> <cfscript>
>       badThing = CreateObject("java", "a.BadThing");
>       // is the same as...
>       foo = "";
>       clazz = foo.getClass();
>       clazz = clazz.forName("a.BadThing");
>       badThing = clazz.newInstance();
> </cfscript>

But that still runs in the Sandbox, because CF MX leverages the 
security built in to Java. So that means that all restrictions on 
the filesystem and ports still apply.
What I am wondering is whether you can use this mechanism to 
either invoke a COM object or to access the runtime service or 
the security service. And if you can invoke COM objects, whether 
you still can after all JIntegra files have been removed.

Jochem
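
An added example, not part of the original thread: because the quoted snippet reaches the same Java class without cfobject, a host reviewing uploaded templates has to look for the reflection calls as well as CreateObject. The pattern list, function names and sample below are assumptions of this example (the sample is constructed from the quoted snippet), and the scan is a heuristic, not a complete check.

```python
import re

# Heuristic patterns (assumed for this example, not exhaustive).
# CFML is case-insensitive, so every pattern ignores case.
PATTERNS = [
    ("createobject-java", re.compile(r"createobject\s*\(\s*[\"']java[\"']", re.I)),
    ("cfobject-java", re.compile(r"<cfobject\b[^>]*\btype\s*=\s*[\"']?java", re.I)),
    ("reflection-getClass", re.compile(r"\.\s*getClass\s*\(", re.I)),
    ("reflection-forName", re.compile(r"\.\s*forName\s*\(", re.I)),
    ("reflection-newInstance", re.compile(r"\.\s*newInstance\s*\(", re.I)),
]

def scan_template(source):
    """Return (line number, finding kind) for every pattern hit, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings

def reflection_only(findings):
    """Hits that a review looking only for cfobject/CreateObject would miss."""
    return [f for f in findings if f[1].startswith("reflection-")]

# Constructed sample: the snippet quoted in the message above.
SAMPLE = '''<cfscript>
      badThing = CreateObject("java", "a.BadThing");
      // is the same as...
      foo = "";
      clazz = foo.getClass();
      clazz = clazz.forName("a.BadThing");
      badThing = clazz.newInstance();
</cfscript>
'''

if __name__ == "__main__":
    for lineno, kind in scan_template(SAMPLE):
        print(f"line {lineno}: {kind}")
```
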

