11 Nov 2010 7:04 AM #1
Possible security issue with ColdFusion sever side sample code
I am new to Ext’s Direct functionality and was looking over the server side code for ColdFusion that is available with Ext 3.3 download. I may be misunderstanding the sample code but it looks like it contains a security issue that could expose private information and allow data to be altered in unintended ways, all without authentication.
It looks like the Router.cfm file will call any component and method specified by the client and return the result. This looks like a security issue as methods that were not remotely accessible before, now are.
ColdFusion remotely accessible methods have an “access” attribute that needs to be set to “remote” to run. However, because they are now called by Router.cfm and Direct.cfc, this built in security mechanism is neutered.
It might be wise to consider checking the access attribute of the components method before allowing a method be called.
12 Nov 2010 2:34 PM #2
remento - Thanks for the concern, the latest version checks simply to see if the ExtDirect attribute is set to true or yes.
By jimmifett in forum Ext.DirectReplies: 34Last Post: 20 Aug 2014, 11:49 AM
By aconran in forum Ext.DirectReplies: 36Last Post: 1 Mar 2014, 9:46 AM
By jgpandit in forum Ext GWT: DiscussionReplies: 0Last Post: 16 Jul 2009, 6:15 PM
By tBSTAR in forum Community DiscussionReplies: 5Last Post: 4 Jul 2008, 7:03 PM