CFIF: When You Say 'No', Do You Really Mean 'Yes'?

ColdFusion 4.5/5/MX may evaluate the string "0a" or "12a" as a time equal to 0 (12:00 AM) when you're not expecting it to do so. The following outputs "YES YES":

<CFIF "0" eq "0a"> YES <CFELSE> NO </CFIF>

<CFIF "0" eq "12a"> YES <CFELSE> NO </CFIF>
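
A defensive way to write such a comparison, as an added example that is not from the original post: Compare() performs a case-sensitive string comparison instead of the typeless EQ, and REFind() allow-lists the format before a value is treated as a number. The variable names and the sample list are constructed for illustration.

```cfml
<!--- Constructed sample inputs; "0a" and "12a" are the values from the post above --->
<cfset expected = "0">
<cfset samples = "0,0a,12a,00,1">

<cfoutput>
<cfloop list="#samples#" index="candidate">
    <!--- Typeless comparison: EQ may coerce both operands (to a time here, per the post above) --->
    <cfif expected eq candidate>
        <cfset loose = "match">
    <cfelse>
        <cfset loose = "no match">
    </cfif>

    <!--- Compare() returns 0 only when the two strings are identical, character for character --->
    <cfif Compare(expected, candidate) eq 0>
        <cfset strict = "match">
    <cfelse>
        <cfset strict = "no match">
    </cfif>

    <!--- Allow-list the format: accept digits only before using the value as a number --->
    <cfif REFind("^[0-9]+$", candidate)>
        <cfset format = "digits only">
    <cfelse>
        <cfset format = "rejected">
    </cfif>

    "#candidate#": EQ=#loose#, Compare()=#strict#, format=#format#<br>
</cfloop>
</cfoutput>
```

Running the page on an affected server shows, per input, where the typeless EQ and the string comparison disagree; any check that gates access or selects a record on such a value should use the string comparison or the format check.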

Security Patch Available for ColdFusion MX Sandbox Security

Just released: a Security Bulletin and patch covering the use of Java objects in a security sandbox, a subject that has been fervently discussed on various lists and forums.

ColdFusion MX Security Bulletin MPSB04-01

"ColdFusion MX 6.1 sandbox security can be compromised by creating Java objects without using CreateObject() or CFOBJECT even if these features are disabled. The sandbox cannot be compromised externally, but programmers operating in a shared, hosted environment could be vulnerable."