Well, when people build CFCs they are built under the assumption that
they will be called from code (unless you're building web services).  So if
you create a CFC and assume all the error checking will be done before you
call it, and a user finds out the name of the CFC, he can start calling
the methods using web services.  Basically it's all about your assumptions.
If you build the CFC in a secure manner where it does all its own
validation, and doesn't expose any methods, then you're fine, but I'm sure
some inexperienced people can manage to create insecure CFCs which could be
a security hole for their application.

Russ
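The point above is that a CFC reachable under the web root is only as safe as the checks it performs itself. The following is an added illustration by the editor, not code posted in this thread: a hypothetical ContactService.cfc where the single method exposed to the browser and to web services (access="remote") does its own authentication and validation, while the worker method is public (callable from CFML code only) and the helper is private. It assumes an Application.cfm that enables session management and sets session.userId on login.

```cfml
<!--- Added example (not from the thread). Assumes Application.cfm enables
      sessions and stores session.userId at login. --->
<cfcomponent displayname="ContactService" hint="Remote facade that validates its own input">

    <!--- access="remote" is what makes a method callable by URL, e.g.
          /ContactService.cfc?method=sendMessage, and as a web service (?wsdl).
          This is the only method exposed, and it assumes nothing was checked
          by the calling page. --->
    <cffunction name="sendMessage" access="remote" returntype="boolean" output="false">
        <cfargument name="toEmail" type="string" required="true">
        <cfargument name="body" type="string" required="true">

        <!--- Authorization inside the component, not in the calling template. --->
        <cfif NOT structKeyExists(session, "userId")>
            <cfthrow type="Security" message="Not authenticated">
        </cfif>

        <!--- Validation inside the component as well. --->
        <cfif NOT isValid("email", arguments.toEmail)>
            <cfthrow type="Validation" message="Invalid e-mail address">
        </cfif>
        <cfif len(trim(arguments.body)) EQ 0 OR len(arguments.body) GT 4000>
            <cfthrow type="Validation" message="Body must be between 1 and 4000 characters">
        </cfif>

        <cfset audit(session.userId, arguments.toEmail)>
        <cfreturn deliver(arguments.toEmail, arguments.body)>
    </cffunction>

    <!--- access="public" (the default) can be invoked from CFML code via
          createObject/cfinvoke, but a browser request for ?method=deliver
          is refused by ColdFusion because the method is not remote. --->
    <cffunction name="deliver" access="public" returntype="boolean" output="false">
        <cfargument name="toEmail" type="string" required="true">
        <cfargument name="body" type="string" required="true">
        <cfmail to="#arguments.toEmail#" from="noreply@example.com" subject="Site message">#arguments.body#</cfmail>
        <cfreturn true>
    </cffunction>

    <!--- access="private": callable only from inside this component. --->
    <cffunction name="audit" access="private" returntype="void" output="false">
        <cfargument name="userId" type="string" required="true">
        <cfargument name="toEmail" type="string" required="true">
        <cflog file="contactservice" text="user #arguments.userId# sent mail to #arguments.toEmail#">
    </cffunction>

</cfcomponent>
```

Moving the CFC above the web root and reaching it through a mapping (as the thread recommends) removes even the remote method from direct URL access while leaving it callable from your own code; the access attributes and in-method checks are what protect the methods that do have to stay reachable.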

> -----Original Message-----
> From: Munson, Jacob [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 08, 2006 3:51 PM
> To: CF-Talk
> Subject: RE: About CFC Path
> 
> Yeah, I suppose you're right.  But they'd have to know the name of the
> CFC, what functions it contains, and you'd have to have built it in an
> insecure manner.  Well, I suppose they could call it directly and get
> the cool CFC layout page...but when it comes to shared hosting, most
> people don't have a choice anyway, so that's the risk you take, I guess.
> Oh yeah, and if they do manage to guess a CFC name, what are they going
> to do with it?  It's not like they can write cfm files to your
> directory...but I'd be curious to hear a scenario where someone could
> hack your site after finding a CFC.
> 
> I agree though, keeping the CFCs above web root if possible just seems
> safer.
> 
> > -----Original Message-----
> > From: Russ [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 08, 2006 1:36 PM
> >
> > I think that if you don't have mappings in cf admin, it will have to be
> > under the web root, which might be a security risk since now people can
> > call your cfc's directly from the browser.  We keep all our code above
> > the web root, the only thing inside the web root is the main.cfm template
> > and application.cfm.
> >
> > Russ
> >
> > > -----Original Message-----
> > > From: Munson, Jacob [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, June 08, 2006 2:52 PM
> > > To: CF-Talk
> > > Subject: RE: About CFC Path
> > >
> > > That's the way I do it, yes.  I'm not sure if it's required though.
> > >
> > > > -----Original Message-----
> > > > From: Russ [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, June 08, 2006 11:10 AM
> > > >
> > > > In this case, wouldn't you need to keep the cfc's under web root?
> > > >
> > > > > -----Original Message-----
> > > > > From: Munson, Jacob [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, June 08, 2006 11:23 AM
> > > > >
> > > > > In my experience, you don't need a mapping that was created in the
> > > > > CFAdmin to invoke a CFC.  Something that used to confuse me is that
> > > > > people use the term mapping liberally, and it doesn't always mean the
> > > > > thingies in the CFAdmin.  Often they are referring to the path that you
> > > > > use to invoke the CFC, like coldfusion.clients.mycfcs.parseEmail.  As
> > > > > long as you do the 'dotted notation mapping' correctly, a shared hosting
> > > > > environment should work fine.
> 
> This transmission may contain information that is privileged, confidential
> and/or exempt from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, or use of the information contained herein (including any
> reliance thereon) is STRICTLY PROHIBITED. If you received this
> transmission in error, please immediately contact the sender and destroy
> the material in its entirety, whether in electronic or hard copy format.
> Thank you. A1.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:242989
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54