So was I - as long as I know the application name, a CFAPPLICATION tag anywhere on the machine can make any CF code part of your application. There is no folder restriction on this and no way to prevent it.
On 9/22/07, Brian Kotek <[EMAIL PROTECTED]> wrote:
> I was talking about in CF code. Of course if the instance of CF isn't
> secured or is older then you can get at absolutely anything with the
> underlying Java objects. Basically, don't host anything sensitive on an
> unsecured, shared server. I assumed this was a well known rule, but maybe I
> was wrong.
>
> On 9/22/07, James Holmes <[EMAIL PROTECTED]> wrote:
> >
> > Sorry, that's just completely wrong.
> >
> > Any page, anywhere on the server, can use your Application name and
> > get your Application scope variables; this can't even be prevented
> > with sandboxing. If I have access to createObject("java") (which can
> > be sandboxed out), I can even use the service factory to get your
> > application name (and the app names for everyone else) and get
> > everything in your application (and for that matter your sessions
> > too).
> >
> > In fact I have a session tracker for monitoring purposes on our
> > servers that relies on this ability.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289204
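
An added example, not part of the thread and not code from either poster: because nothing restricts which folder a CFAPPLICATION tag may claim an application name from, a shared-host administrator can audit the webroot for names declared by more than one site. The one-site-per-top-level-folder layout, the case-folding of names and the sample files are assumptions made for this sketch.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# <cfapplication ... name="x"> tags, and this.name = "x" in Application.cfc
TAG = re.compile(r'<cfapplication\b[^>]*?\bname\s*=\s*(["\'])(.*?)\1', re.I | re.S)
CFC = re.compile(r'\bthis\.name\s*=\s*(["\'])(.*?)\1', re.I)

def audit(webroot):
    """Return (shared, dynamic): application names declared by more than one
    site folder, and files whose name is a #expression# that cannot be
    resolved statically and needs manual review."""
    owners, dynamic = defaultdict(set), []
    root = Path(webroot)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".cfm", ".cfc"):
            continue
        rel = path.relative_to(root)
        site = rel.parts[0]  # assumption: one site per top-level folder
        text = path.read_text(errors="replace")
        for m in list(TAG.finditer(text)) + list(CFC.finditer(text)):
            name = m.group(2).strip()
            if "#" in name:
                dynamic.append(rel.as_posix())
            else:
                owners[name.lower()].add(site)  # case-folded to be conservative
    shared = {n: sorted(s) for n, s in owners.items() if len(s) > 1}
    return shared, sorted(dynamic)

def build_sample(root):
    """Constructed sample tree: two sites, one reusing the other's name."""
    files = {
        "shop/Application.cfc": 'component { this.name = "ShopApp"; }',
        "shop/admin/Application.cfm": '<cfapplication name="ShopApp" sessionmanagement="yes">',
        "tenant2/tools/peek.cfm": '<CFAPPLICATION sessionmanagement="no"\n  name="shopapp">',
        "tenant2/Application.cfm": '<cfapplication name="#hash(cgi.server_name)#">',
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        shared, dynamic = audit(d)
        print("shared names:", shared)
        print("dynamic names (review by hand):", dynamic)
```

A static scan like this only reports literal names; any declaration built from a runtime expression is listed separately for manual review.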