> Although in this particular case the risk is pretty low,
> depending upon what the cfc actually does, there seems to
> be a security risk exposing your CFCs to be available to
> anyone that can type a URL address in a browser. If others
> don't agree, please explain. Thanks.

There's no more inherent security risk in exposing a CFC as a public URL than there is in exposing a CFM file. Both are programs that run on your web server. Both can receive inputs and generate output. Typically, people use CFCs to encapsulate business logic, and typically that business logic is intended for use from a presentation layer. However, that has nothing to do with whether CFCs are more vulnerable to attacks than any other script you put on your web server.

If you've enabled RDS, and have disabled the use of an RDS password, someone can browse the self-generated CFC documentation, which may be an unintended leakage of information. Again, though, that's not really a problem with CFCs but rather a problem with inappropriate server configuration.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

