Adobe
Sign in Privacy My Adobe

ColdFusion MX: Webservices not protected by Sandbox Security

Adobe Community Help


Products Affected

Contact support

Issue

ColdFusion MX sandbox security allows you to secure code within a sandbox. CFML code can only be viewed or executed by other code within the same sandbox. However, sandboxing does not affect webservice calls to ColdFusion Components (CFCs).

Recently, issue 61892 was resolved where CFML templates outside a sandbox could call CFCs within a sandbox. This problem is resolved in ColdFusion MX 7.0.2. There is also a hot fix available for the same issue on ColdFusion MX 7.0.1.

However, since sandboxing will not protect CFC webservices, specific steps must be taken to secure CFCs used as webservices.

Reason

Webservices are accessed using simple HTTP calls. Protecting webservices using file protection or sandboxes is of limited value since you are allowing outside HTTP access to the same code.

Solution

Access to webservice CFCs must be limited using webserver features that limit access. Incorporate authentication into your methods to restrict unwanted access to the webservice.

Also, cffunction access level "remote" should only be used if a component is expected to be used as a webservice.cffunction access levels "public", "package" or "private" should always be used if the CFC is not to be accessed as a webservice.

Additional Information

ColdFusion MX 7.0.1: Sandbox Security for ColdFusion Components (TechNote 94491491)

Keywords: 6edebba6

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy

Products

Download

Support & Learning

Buy

Company

Choose your region

Copyright © 2013 Adobe Systems Incorporated. All rights reserved.

Terms of Use | Privacy | Cookies

Reviewed by TRUSTe: site privacy statement