bwhahahahaha pray someone's not dumb enough to cache credit card
details or sensitive ...oh my....you could get people's login details
to apps on their hosted...oh my...
SECURITY....
Wonder if it works on CrystalTech
On Thu, 31 Mar 2005 13:47:59 +0800, Brett Payne-Rhodes <[EMAIL PROTECTED]>
wrote:
> OK, I'm scared now...
>
> I made a file out of this (removing the refresh) and ran it on a shared
> hosting service and guess what!?! I can see all the application
> variables and session variables, and presumably with a bit of research I
> can change whatever I like?
>
> Is there a way that this kind of functionality can be turned off without
> crippling the whole Java Extensibility feature of CFMX? I'd like to be able
> to go to my ISP and give them a solution when I let them know about the
> vulnerability.
>
> From MM's point of view I assume the solution is to only host your
> sites with ISPs who use CFMX Enterprise. I'm sure that would put many
> small ISPs out of the CFMX market so this 'solution' just won't fly...
>
> Brett
> B)
>
>
> Elliot Russo wrote:
> > no probs with underlying java classes...from some code of mine that resets
> > values on all applications and sessions on the server. should show enough to
> > get you what you want
> >
> > Elliot
> >
> > <cffunction name="markApplicationsForRefresh" returntype="void">
> > <cfargument name="bRefreshSessions" type="boolean" default="false">
> >
> > <cfset var appTracker = createObject("java",
> > "coldfusion.runtime.ApplicationScopeTracker")>
> > <cfset var appNames = appTracker.getApplicationKeys()>
> >
> > <cfset var sessTracker = createObject("java",
> > "coldfusion.runtime.SessionTracker")>
> >
> > <cfset var appName = "">
> > <cfset var app = "">
> > <cfset var sessions = "">
> > <cfset var sessName = "">
> >
> > <cfloop condition="#appNames.hasMoreElements()#">
> >
> > <cfset appName = appNames.nextElement()>
> > <cfset app = appTracker.getApplicationScope(appName)>
> > <div><strong>#appName#</strong> <cfif bRefreshSessions> and its
> > sessions</cfif> marked for rebuild next request</div>
> > <cfif structKeyExists(app, "EnvironmentManager")>
> > <cfset app.bRefresh = true>
> > </cfif>
> >
> > <cfif bRefreshSessions>
> > <cfset sessions = sessTracker.getSessionCollection(appName)>
> > <cfloop item="sessName" collection="#sessions#">
> > <cfset sessions[sessName].bRefresh = true>
> > </cfloop>
> > </cfif>
> >
> > </cfloop>
> >
> > </cffunction>
> >
> > "M@ Bourke" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> >
> >>Hi all
> >>If I have 2 sites (directories) on the 1 server
> >>Blah.com/blip
> >>Blah.com/blop
> >>
> >>Is there any way I could access the application vars in "blip" from "blop"
> >>
> >>Note: both have their own application.cfm.
> >>
> >>
> >
> >
> >
> >
> > ---
> > You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
> > To unsubscribe send a blank email to [EMAIL PROTECTED]
> > Aussie Macromedia Developers: http://lists.daemon.com.au/
> >
>
> --
> Brett Payne-Rhodes
> Eaglehawk Computing
> t: +61 (0)8 9371-0471
> f: +61 (0)8 9371-0470
> m: +61 (0)414 371 047
> e: [EMAIL PROTECTED]
> w: www.ehc.net.au
>
>
--
Regards,
Scott Barnes
http://www.mossyblog.com
http://www.flexcoder.com (Coming Soon)
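As an added example (not code from the thread or from any of its participants): a small Python audit check a hosting provider could run over customer CFML to find createObject("java", ...) calls that reach into the coldfusion.runtime.* classes used in Elliot's snippet, including calls split across two lines as in the posted code. The sample CFML and the prefix list are constructed for the example.

```python
import re
from typing import List, Tuple

# Internal ColdFusion classes named in the thread; instantiating these from
# customer code on a shared host exposes every application's scopes.
# (Constructed list for this example; extend it to taste.)
INTERNAL_PREFIXES = ("coldfusion.runtime.",)

# Matches createObject("java", "<class>") with whitespace or newlines
# anywhere between tokens, because the posted code splits the call
# across two lines. Single or double quotes, case-insensitive.
CREATE_JAVA = re.compile(
    r'createObject\s*\(\s*["\']java["\']\s*,\s*["\']([\w.$]+)["\']',
    re.IGNORECASE,
)


def find_java_objects(cfml: str) -> List[Tuple[int, str]]:
    """Return (line_number, class_name) for every createObject("java", ...) call."""
    hits = []
    for m in CREATE_JAVA.finditer(cfml):
        # Line number of the call's start, counted from 1.
        line_no = cfml.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(1)))
    return hits


def flag_internal(cfml: str) -> List[Tuple[int, str]]:
    """Keep only the hits that instantiate internal coldfusion.runtime.* classes."""
    return [(ln, cls) for ln, cls in find_java_objects(cfml)
            if cls.lower().startswith(INTERNAL_PREFIXES)]


# Constructed sample: one benign JDK call plus the two tracker classes from
# the thread, one of them split across lines exactly like the posted snippet.
SAMPLE_CFML = """<cfset var map = createObject("java", "java.util.HashMap")>
<cfset var appTracker = createObject("java",
"coldfusion.runtime.ApplicationScopeTracker")>
<cfset var sessTracker = CreateObject('java', 'coldfusion.runtime.SessionTracker')>
"""

if __name__ == "__main__":
    for line_no, cls in flag_internal(SAMPLE_CFML):
        print(f"line {line_no}: {cls}")
```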