Undocumented Tags And Functions - MACROMEDIA COLDFUSION 4.5-ADMINISTRING COLDFUSION SERVER Manual

Chapter 10: Configuring Advanced Security

Undocumented Tags and Functions

The ColdFusion Administrator makes use of several tags and functions not currently
documented in the CFML Language Reference. In the context of the ColdFusion
Administrator, access to the functionality provided by these undocumented tags and
functions is restricted to people with administrative privileges. While these tags and
functions are currently unsupported, ColdFusion developers who have permission to
create Web applications and executable ColdFusion templates on a ColdFusion server
can make use of these functions and tags in their Web applications to perform certain
administrative tasks. Illegal de-encoding utilities that can de-encode the ColdFusion
Administrator are available, and they have made the undocumented tags and functions
more widely known.

The availability of the undocumented tags potentially gives developers who have
permission to place applications on a ColdFusion server the ability to gain
unauthorized access to registry, database, and Advanced Security settings. In most
cases, this does not pose a security risk because the developers who have access to a
server are trusted. However, in a hosted-application environment, such as an ISP or a
corporate data center that is hosting multiple independent developers' applications
on a single server, the availability of the undocumented tags used in the ColdFusion
Administrator makes it more difficult to prevent malicious actions by developers who
may be using the hosting server. Currently, you can block one of the two
undocumented tags, CFSECURITYADMIN, on the Basic security page of the
ColdFusion Administrator. While no ColdFusion functions can be disabled with Basic
security, you can protect all the undocumented functions with a security sandbox.
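
For a hosting server, a source audit can complement the Basic security setting by showing which tenant templates reference the blocked tag. The following is an added example, not code from this manual or from ColdFusion: the function names and sample templates are constructed, and the encoded-template marker string is an assumption about how encoded templates begin. It covers only the tag named on this page and skips matches inside CFML comments.

```python
import re

# Tag named on this page; extend the tuple with other tags your policy bans.
RESTRICTED_TAGS = ("CFSECURITYADMIN",)
# Assumption: an encoded template starts with this marker, so its source cannot be scanned.
ENCODED_MARKER = "Allaire Cold Fusion Template"

def blank_cfml_comments(text):
    """Replace <!--- ... ---> comments (which may nest) with spaces, keeping newlines."""
    out, depth, i = [], 0, 0
    while i < len(text):
        if text.startswith("<!---", i):
            depth += 1
            out.append(" " * 5)
            i += 5
        elif depth and text.startswith("--->", i):
            depth -= 1
            out.append(" " * 4)
            i += 4
        else:
            ch = text[i]
            out.append(ch if depth == 0 or ch == "\n" else " ")
            i += 1
    return "".join(out)

def scan_template(text, tags=RESTRICTED_TAGS):
    """Return (line_number, TAG) pairs for each restricted tag opened in live code."""
    if text.lstrip().startswith(ENCODED_MARKER):
        return [(1, "ENCODED-UNSCANNABLE")]  # flag for manual review
    live = blank_cfml_comments(text)
    pattern = re.compile(r"<(%s)\b" % "|".join(map(re.escape, tags)), re.IGNORECASE)
    return [(live.count("\n", 0, m.start()) + 1, m.group(1).upper())
            for m in pattern.finditer(live)]

def audit(templates):
    """Map each template path to its findings, omitting clean templates."""
    return {path: hits for path, text in templates.items()
            if (hits := scan_template(text))}

# Constructed sample templates (path -> source text), not taken from any real server.
SAMPLES = {
    "tenant_a/index.cfm": "<cfoutput>Hello</cfoutput>\n<!--- disabled: <cfsecurityadmin> --->\n",
    "tenant_b/tool.cfm": "<html>\n<CFSecurityAdmin>\n</html>\n",
    "tenant_c/enc.cfm": "Allaire Cold Fusion Template\n(constructed encoded body)\n",
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLES).items():
        print(path, hits)
```

A source scan of this kind reports where the tag is used; it does not restrict the undocumented functions, which the manual says are protected with a security sandbox.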