So was I - as long as I know the application name, a CFAPPLICATION tag
anywhere on the machine can make any CF code part of your application.
There is no folder restriction on this and no way to prevent it.

On 9/22/07, Brian Kotek <[EMAIL PROTECTED]> wrote:
> I was talking about in CF code. Of course if the instance of CF isn't
> secured or is older then you can get at absolutely anything with the
> underlying Java objects. Basically, don't host anything sensitive on an
> unsecured, shared server. I assumed this was a well known rule, but maybe I
> was wrong.
>
> On 9/22/07, James Holmes <[EMAIL PROTECTED]> wrote:
> >
> > Sorry, that's just completely wrong.
> >
> > Any page, anywhere on the server, can use your Application name and
> > get your Application scope variables; this can't even be prevented
> > with sandboxing. If I have access to createObject("java") (which can
> > be sandboxed out), I can even use the service factory to get your
> > application name (and the app names for everyone else) and get
> > everything in your application (and for that matter your sessions
> > too).
> >
> > In fact I have a session tracker for monitoring purposes on our
> > servers that relies on this ability.
> >
> >
> >
>
>
> 
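
Added example, not code from anyone in this thread: a static audit a shared-host administrator could run over the web root to find application names declared by more than one tenant, plus CFAPPLICATION tags placed outside Application.cfm/Application.cfc. Assumptions: each first-level directory under the root is one tenant, names are compared case-insensitively, and only literal names are resolved; the sample tree and its names are constructed.

```python
import re, tempfile
from collections import defaultdict
from pathlib import Path

# <cfapplication name="..."> (any template) and this.name = "..." (Application.cfc)
TAG_RE = re.compile(r'<cfapplication\b[^>]*?\bname\s*=\s*(["\'])(.*?)\1', re.I | re.S)
CFC_RE = re.compile(r'\bthis\.name\s*=\s*(["\'])(.*?)\1', re.I)
CFML_EXTS = {".cfm", ".cfml", ".cfc"}

def declared_names(text):
    """Application names declared in one CFML source text."""
    return [m.group(2) for rx in (TAG_RE, CFC_RE) for m in rx.finditer(text)]

def audit(root):
    """Map lower-cased application name -> {tenant: [declaring files]}."""
    root, owners = Path(root), defaultdict(lambda: defaultdict(list))
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in CFML_EXTS:
            rel = path.relative_to(root)
            # Assumption: each first-level directory under root is one tenant.
            tenant = rel.parts[0] if len(rel.parts) > 1 else "."
            for name in declared_names(path.read_text(errors="replace")):
                owners[name.lower()][tenant].append(rel.as_posix())
    return owners

def collisions(owners):
    """Names declared by more than one tenant: those tenants share one scope."""
    return {n: dict(t) for n, t in owners.items() if len(t) > 1}

def stray_tags(owners):
    """Declarations outside Application.cfm / Application.cfc."""
    return sorted(f for t in owners.values() for files in t.values() for f in files
                  if Path(f).name.lower() not in ("application.cfm", "application.cfc"))

# Constructed sample tree (not from the thread): two tenants and one stray page.
SAMPLE = {
    "siteA/Application.cfm": '<cfapplication name="ShopApp" sessionmanagement="yes">',
    "siteB/Application.cfc": 'component { this.name = "Intranet"; }',
    "siteB/tools/peek.cfm": "<CFAPPLICATION\n  NAME='shopapp'>",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for rel, body in SAMPLE.items():
            p = Path(d, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        found = audit(d)
        print(collisions(found), stray_tags(found))
```

Names built at runtime (for example from `#...#` expressions) are reported as written and need manual review.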
