OK thanks Ian

>On 1/24/2011 8:57 AM, Richard White wrote:
>
>Only if there is a place in your code for them to do so. If you have a
>vulnerable piece of code that can give unexpected and undesired results
>because of malicious inputs from the client, then you have a problem.
>
>But it is not an insecurity in the session variables; it is an insecurity
>in your application and how it is setting those variables. There is no
>way for a user to send random code at a CF server and have it do
>anything to session variables unless it is happening somewhere in the
>CFML codebase.