Interesting, wasn't aware of that.

Is there any way to guard against that kind of exploit, other than
encrypting everything in application and session scope, which would be very
inefficient and annoying?

Dave Merrill


> Hashing your app name isn't going to protect you from others on a
> shared server from looking in on you:
>
> <!--- application tracker object --->
> <cfset appObj =
> createObject("java","coldfusion.runtime.ApplicationScopeTracker")>
> <!--- get the enumeration of application keys --->
> <cfset apps = appObj.getApplicationKeys()>
> <!--- session tracker object --->
> <cfset tracker = createObject("java",
> "coldfusion.runtime.SessionTracker")>
> <!--- while there are more applications in the enumeration --->
> <cfloop condition="#apps.hasMoreElements()#">
> <!--- get the app name --->
> <cfset appname = apps.nextElement()>
> <!--- get the sessions for this app name --->
> <cfset sessions = tracker.getSessionCollection(appname)>
> <!--- dump the sessions out --->
> <cfdump var="#sessions#" label="#appname#">
> </cfloop>
>
> That code can be run by anyone on the server and you'll see the
> application name and the dump of ALL the sessions for that app.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:204107
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4