I was talking about in CF code. Of course if the instance of CF isn't
secured or is older, then you can get at absolutely anything with the
underlying Java objects. Basically, don't host anything sensitive on an
unsecured, shared server. I assumed this was a well-known rule, but maybe I
was wrong.
On 9/22/07, James Holmes <[EMAIL PROTECTED]> wrote:
>
> Sorry, that's just completely wrong.
>
> Any page, anywhere on the server, can use your Application name and
> get your Application scope variables; this can't even be prevented
> with sandboxing. If I have access to createObject("java") (which can
> be sandboxed out), I can even use the service factory to get your
> application name (and the app names for everyone else) and get
> everything in your application (and for that matter your sessions
> too).
>
> In fact I have a session tracker for monitoring purposes on our
> servers that relies on this ability.
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289199