Status/Resolution/Reason: Closed/Fixed/
Reporter/Name(from Bugbase): Sean Corfield / Sean Corfield (Sean Corfield)
Created: 06/25/2008
Components: Administrator, Administrator Console
Versions: 10.0
Failure Type: Unspecified
Found In Build/Fixed In Build: 0000 / 281563
Priority/Frequency: Normal / Unknown
Locale/System: English / Platforms All
Vote Count: 11
Problem:
Unnamed application scope gives access to a *lot* of information. Provide an option in CF Admin to prevent access to unnamed application scope.
Scenario:
Create an empty Application.cfc and then in index.cfm, place:
<cfdump var="#application#">
You get to see all sorts of things in the JEE web application context. Useful if you're doing hybrid apps, but on a shared host this provides access to all the named application data on that server, allowing you to browse other people's data, often including usernames and passwords, application structures (if they're using frameworks) and so on.
For security, it would be good to provide an option in CF Admin that allowed administrators, esp. on shared hosts, to disable references to application scope when no application name has been set (i.e., when application.applicationname is "").
Reported to me by a client and the issue comes up on mailing lists about once a year (followed by the usual outrage about how "insecure" CF is when really this is all about JEE web application architecture, IMO).
Marking it cosmetic but most people think it's more serious than that. However, there's no real workaround (apart from never using application scope on a shared host!).
Method:
Create an empty Application.cfc.
Create an index.cfm that dumps application scope.
Result:
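Added example (not part of the original report or of ColdFusion itself): the per-application mitigation available to a site owner regardless of any Administrator option, namely giving the application a name so it gets its own isolated application scope instead of the shared JEE context described above. The application name "myapp" and the onRequestStart guard are assumptions for illustration; the guard only catches the case where this.name is left blank, since it relies on the documented application.applicationName variable the report refers to.

```cfml
<!--- Application.cfc
      The vulnerable setup in the report is an EMPTY Application.cfc:
      with no this.name, application.applicationName is "" and the
      application scope maps onto the shared JEE web application context.
      Naming the application (assumed name "myapp"; pick one unique to your
      site on a shared host) gives this site its own application scope. --->
<cfcomponent output="false">
    <cfset this.name = "myapp">
    <cfset this.applicationTimeout = createTimeSpan(0, 2, 0, 0)>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Defensive check (site policy, not a CF feature): refuse to
              serve any page while the application scope is unnamed. --->
        <cfif not len(application.applicationName)>
            <cfheader statuscode="500" statustext="Unnamed application scope">
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- index.cfm
      Same dump as in the report; with the named application above it now
      shows only this application's own variables, not other tenants' data. --->
<cfoutput>Application: #application.applicationName#</cfoutput>
<cfdump var="#application#">
```

With the empty Application.cfc from the report, the same index.cfm dumps the shared context; with this.name set, the dump is confined to the named scope. On a shared host this is the workaround a tenant controls; it does not stop another tenant from deploying an unnamed application, which is why the report asks for a server-wide option in CF Admin.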
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3035293
External Customer Info:
External Company:
External Customer Name: Sean Corfield
External Customer Email: 479B4EDC43F3A88B992016B6
External Test Config: 06/25/2008
Attachments:
Comments: