11 Nov 2010 7:04 AM #1
Possible security issue with ColdFusion server side sample code
I am new to Ext’s Direct functionality and was looking over the server side code for ColdFusion that is available with Ext 3.3 download. I may be misunderstanding the sample code but it looks like it contains a security issue that could expose private information and allow data to be altered in unintended ways, all without authentication.
It looks like the Router.cfm file will call any component and method specified by the client and return the result. This looks like a security issue as methods that were not remotely accessible before, now are.
ColdFusion remotely accessible methods have an “access” attribute that needs to be set to “remote” to run. However, because they are now called by Router.cfm and Direct.cfc, this built in security mechanism is neutered.
It might be wise to consider checking the access attribute of the component's method before allowing a method to be called.
-
12 Nov 2010 2:34 PM #2
remento - Thanks for the concern, the latest version checks simply to see if the ExtDirect attribute is set to true or yes.
https://github.com/aconran/DirectCFM
Aaron Conran
@aconran
Sencha Architect Development Team
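The two gates raised in this thread, ColdFusion's own access="remote" attribute from post #1 and the explicit ExtDirect="true" opt-in from post #2, are both enforced in the router below before any client-named method is invoked. This is an added example written for this page; it is not the Router.cfm / Direct.cfc shipped with the Ext 3.3 sample code nor the DirectCFM project's code. Assumptions: exposed CFCs live under a package named "direct", the request carries Ext Direct's usual action / method / data fields, the method lookup uses getMetaData(), and the call uses the invoke() function (ColdFusion 10 and later; on older releases cfinvoke with argumentcollection plays the same role). The Customers.cfc at the top is a constructed illustration of the attribute convention.

```cfml
// ---- direct/Customers.cfc (constructed example CFC, not from the page) ----
component {
    // Exposed: access="remote" AND ExtDirect="true" are both present.
    remote struct function getCustomer(required numeric id) ExtDirect="true" {
        return { id = arguments.id, name = "Example Customer" };
    }
    // NOT exposed: public only, no ExtDirect attribute. The naive sample router
    // described in the thread would still call this if the client named it.
    public array function listAllWithPasswords() {
        return [];
    }
}

// ---- SafeRouter.cfc (added example, not the sample Router.cfm / Direct.cfc) ----
component {

    // Only components under this package may be addressed by the client (assumption).
    variables.apiPackage = "direct";

    /**
     * Resolve and invoke action.method only if the server-side metadata says the
     * method is meant to be reachable remotely. The client-supplied strings are
     * validated, never interpolated into code, and never used to pick a path.
     */
    public any function route(required string action, required string method, struct data = {}) {
        // 1. Plain identifiers only. Without this a client could request
        //    "../admin/Users"-style paths or components outside the API package.
        if (!reFind("^[A-Za-z][A-Za-z0-9_]*$", arguments.action)
            || !reFind("^[A-Za-z][A-Za-z0-9_]*$", arguments.method)) {
            throw(type = "Direct.BadRequest", message = "Invalid action or method name");
        }

        // 2. Instantiate only from the fixed package, never an arbitrary dotted path.
        var target = createObject("component", variables.apiPackage & "." & arguments.action);

        // 3. Look the method up in the CFC's metadata rather than trusting the request.
        var fnMeta = findFunction(getMetaData(target), arguments.method);
        if (structIsEmpty(fnMeta)) {
            throw(type = "Direct.BadRequest", message = "Unknown method");
        }

        // 4. Both gates from the thread must hold: ColdFusion's access="remote"
        //    and the explicit ExtDirect="true" (or "yes") opt-in.
        var isRemote = structKeyExists(fnMeta, "access")
            && compareNoCase(fnMeta.access, "remote") == 0;
        var isExtDirect = structKeyExists(fnMeta, "ExtDirect")
            && isBoolean(fnMeta.ExtDirect) && fnMeta.ExtDirect;
        if (!isRemote || !isExtDirect) {
            throw(type = "Direct.Forbidden", message = "Method is not exposed to Ext Direct");
        }

        // 5. Call by the metadata's own spelling of the name via invoke(), so no
        //    client string ever reaches evaluate() or a dynamically built expression.
        return invoke(target, fnMeta.name, arguments.data);
    }

    // Walk the CFC and its ancestors (metadata "extends" chain) for a function by name.
    // Returns an empty struct when nothing matches.
    private struct function findFunction(required struct md, required string name) {
        if (structKeyExists(arguments.md, "functions")) {
            for (var fn in arguments.md.functions) {
                if (compareNoCase(fn.name, arguments.name) == 0) {
                    return fn;
                }
            }
        }
        if (structKeyExists(arguments.md, "extends")) {
            return findFunction(arguments.md.extends, arguments.name);
        }
        return {};
    }
}
```

With this router, a request for Customers.getCustomer succeeds, while Customers.listAllWithPasswords is refused with Direct.Forbidden even though the method exists, because the decision is made from the attributes the developer put on the function, not from whatever name the client sent. Checking access="remote" alone would restore ColdFusion's normal behaviour; requiring ExtDirect="true" on top of it means a method has to be deliberately opted into the Ext Direct API rather than merely being remote for some other consumer.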