I am new to Ext’s Direct functionality and was looking over the server side code for ColdFusion that is available with Ext 3.3 download. I may be misunderstanding the sample code but it looks like it contains a security issue that could expose private information and allow data to be altered in unintended ways, all without authentication.

It looks like the Router.cfm file will call any component and method specified by the client and return the result. This looks like a security issue as methods that were not remotely accessible before, now are.

ColdFusion remotely accessible methods have an “access” attribute that needs to be set to “remote” to run. However, because they are now called by Router.cfm and Direct.cfc, this built in security mechanism is neutered.

It might be wise to consider checking the access attribute of the components method before allowing a method be called.