OK, I'm scared now...

I made a file out of this (removing the refresh) and ran it on a shared hosting service and guess what!?! I can see all the application variables and session variables, and presumably with a bit of research I can change whatever I like?

Is there a way that this kind of functionality can be turned off without crippling the whole Java Extensibility feature of CFMX? I'd like to be able to go to my ISP and give them a solution when I let them know about the vulnerability.

From MM's point of view I assume the solution is to only host your sites with ISPs who use CFMX Enterprise. I'm sure that would put many small ISPs out of the CFMX market so this 'solution' just won't fly...

Brett
B)



Elliot Russo wrote:
no probs with underlying java classes...from some code of mine that resets
values on all applications and sessions on the server. Should show enough to
get you what you want

Elliot

<!--- output="true" makes the function body behave as if inside cfoutput, so #appName# below is evaluated --->
<cffunction name="markApplicationsForRefresh" returntype="void" output="true">
 <cfargument name="bRefreshSessions" type="boolean" default="false">

 <!--- internal CFMX class: enumerates every application scope on the server --->
 <cfset var appTracker = createObject("java", "coldfusion.runtime.ApplicationScopeTracker")>
 <cfset var appNames  = appTracker.getApplicationKeys()>

 <!--- internal CFMX class: returns every session scope belonging to a named application --->
 <cfset var sessTracker = createObject("java", "coldfusion.runtime.SessionTracker")>

 <cfset var appName  = "">
 <cfset var app   = "">
 <cfset var sessions  = "">
 <cfset var sessName  = "">

 <cfloop condition="#appNames.hasMoreElements()#">

  <cfset appName = appNames.nextElement()>
  <cfset app = appTracker.getApplicationScope(appName)>
  <div><strong>#appName#</strong> <cfif bRefreshSessions> and its sessions</cfif> marked for rebuild next request</div>
  <!--- only flag applications that use our framework (they carry an EnvironmentManager key) --->
  <cfif structKeyExists(app, "EnvironmentManager")>
   <cfset app.bRefresh = true>
  </cfif>

  <cfif bRefreshSessions>
   <cfset sessions = sessTracker.getSessionCollection(appName)>
   <cfloop item="sessName" collection="#sessions#">
    <cfset sessions[sessName].bRefresh = true>
   </cfloop>
  </cfif>

 </cfloop>

</cffunction>

"M@ Bourke" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]

Hi all
If I have 2 sites (directories) on the 1 server
Blah.com/blip
Blah.com/blop

Is there any way I could access the application vars in "blip" from "blop"?

Note: both have their own application.cfm.






---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
Aussie Macromedia Developers: http://lists.daemon.com.au/


-- Brett Payne-Rhodes Eaglehawk Computing t: +61 (0)8 9371-0471 f: +61 (0)8 9371-0470 m: +61 (0)414 371 047 e: [EMAIL PROTECTED] w: www.ehc.net.au
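Brett's worry is that on a shared host any customer's template can reach the coldfusion.runtime trackers Elliot's code uses. Short of disabling Java object creation outright, a host can at least audit uploaded CFML for createObject("java", ...) calls that name internal ColdFusion classes. The scanner below is an added example written for this thread, not code from Elliot, Brett or Macromedia; the package prefix list and the sample template are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of what a host might find in an uploaded template.
SAMPLE_CFM = """<cfset appTracker = createObject("java", "coldfusion.runtime.ApplicationScopeTracker")>
<cfset sessTracker = createObject( 'java' , 'coldfusion.runtime.SessionTracker' )>
<cfset fmt = createObject("java", "java.text.SimpleDateFormat")>
<cfset cls = "coldfusion.runtime." & target>
<cfset obj = createObject("java", cls)>
<cfset q = createObject("component", "cfc.Query")>
"""

# Assumption: packages whose classes expose server-wide state (the trackers in
# Elliot's code live in coldfusion.runtime). A host would tune this list.
INTERNAL_PREFIXES = ("coldfusion.runtime.", "coldfusion.server.")

# Matches createObject("java", <class>) where <class> is either a quoted literal
# (group 1) or an arbitrary expression such as a variable (group 2).
CREATE_OBJECT = re.compile(
    r"""createObject\s*\(\s*["']java["']\s*,\s*(?:["']([^"']+)["']|([^),]+))""",
    re.IGNORECASE,
)


def scan_cfml(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, verdict, detail) for every Java createObject call.

    verdict is 'internal' for a literal class in an internal package,
    'dynamic' when the class name is computed at run time (cannot be
    judged statically, so it needs a human look), and 'ok' otherwise.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CREATE_OBJECT.finditer(line):
            literal, expr = m.group(1), m.group(2)
            if literal is None:
                findings.append((lineno, "dynamic", expr.strip()))
            elif literal.lower().startswith(INTERNAL_PREFIXES):
                findings.append((lineno, "internal", literal))
            else:
                findings.append((lineno, "ok", literal))
    return findings


def flagged(source: str) -> List[Tuple[int, str, str]]:
    """Only the findings a host should review before allowing the template."""
    return [f for f in scan_cfml(source) if f[1] != "ok"]


if __name__ == "__main__":
    for lineno, verdict, detail in scan_cfml(SAMPLE_CFM):
        print(f"line {lineno}: {verdict:8} {detail}")
```

Note that a computed class name (the `cls` case) defeats any literal match, which is why such calls are reported as 'dynamic' rather than silently passed.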
