Thread: Possible security issue with ColdFusion server side sample code

  1. #1
    Sencha User
    Join Date: Mar 2010

    Possible security issue with ColdFusion server side sample code

    I am new to Ext Direct functionality and was looking over the server side code for ColdFusion that is available with the Ext 3.3 download. I may be misunderstanding the sample code, but it looks like it contains a security issue that could expose private information and allow data to be altered in unintended ways, all without authentication.

    It looks like the Router.cfm file will call any component and method specified by the client and return the result. This looks like a security issue as methods that were not remotely accessible before, now are.

    ColdFusion remotely accessible methods have an access attribute that needs to be set to remote to run. However, because they are now called by Router.cfm and Direct.cfc, this built-in security mechanism is neutered.

    It might be wise to consider checking the access attribute of the component's method before allowing a method to be called.

  2. #2
    aconran
    Sencha User
    Join Date: Mar 2007

    remento - Thanks for the concern; the latest version simply checks to see if the ExtDirect attribute is set to true or yes.
    Aaron Conran
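The check the reply describes, written out as an added CFML illustration that is not Sencha's Router.cfm or Direct.cfc: it assumes the request carries `action` (component name) and `method` form fields and that exposed components live under a `directcfc` folder (both assumptions), and it refuses any method whose own metadata does not declare both `access="remote"` and `ExtDirect="true"`.

```cfml
<!--- Added illustration, not Sencha's router: gate a client-requested
      component/method on the function's declared metadata before invoking it.
      Assumed request shape: form.action = component name, form.method = method.
      Assumed layout: exposed CFCs live under /directcfc (path is an assumption). --->
<cfscript>
function isDirectCallable(required string action, required string method) {
    // Restrict the component name to a plain identifier resolved under one fixed
    // folder, so the client cannot name arbitrary CFCs on the server.
    if (!reFind("^[A-Za-z][A-Za-z0-9_]*$", arguments.action)) return false;
    if (!fileExists(expandPath("/directcfc/" & arguments.action & ".cfc"))) return false;

    var meta = getMetaData(createObject("component", "directcfc." & arguments.action));
    var fns = structKeyExists(meta, "functions") ? meta.functions : [];
    // Only functions declared on this component are inspected (not inherited ones).
    for (var i = 1; i <= arrayLen(fns); i++) {
        var fn = fns[i];
        if (compareNoCase(fn.name, arguments.method) neq 0) continue;
        // Honour CFML's own contract: only access="remote" may be reached from a client.
        var access = structKeyExists(fn, "access") ? fn.access : "public";
        if (compareNoCase(access, "remote") neq 0) return false;
        // Plus the explicit opt-in the thread describes: ExtDirect="true" or "yes".
        if (!structKeyExists(fn, "ExtDirect")) return false;
        return isBoolean(fn.ExtDirect) && fn.ExtDirect;
    }
    return false;   // method is not declared on the component at all
}
</cfscript>

<cfif NOT isDirectCallable(form.action, form.method)>
    <!--- Refuse with a generic error rather than revealing which check failed. --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>#serializeJSON({type="exception", message="method not exposed"})#</cfoutput>
    <cfabort>
</cfif>
<cfinvoke component="directcfc.#form.action#" method="#form.method#"
          argumentcollection="#form#" returnvariable="result">
```

Because the gate reads the function's own attributes, a method is only reachable when its author marked it remote and opted it in; the default for any other method is refusal.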
