> So ... a client wants to know just how risky it is to temporarily
> allow java.security.AllPermission?

Why do they want to allow it? That might give you some insight into what bad things could happen as a result.

> Yes, CF runs under Local System. So CF has full system access. That's
> the danger from the applications on the server. What about an external
> attack -- what could be done, specifically?

That really depends on what the applications do, and how well they're written. An attacker can run those applications, and potentially manipulate the inputs to those applications in a way that makes them behave differently than you want them to.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352674

