ColdFusion webservices on shared hosting
Posted by James Netherton | Sunday 25 November 2007 9:11 AM | In ColdFusion
ColdFusion security in a shared hosting environment can be a pain. Different hosts handle security in different ways: some disable certain tags and functions and use sandboxing, while others do neither and allow users to access potentially security-compromising functions such as createObject.
Something struck me after I tested a webservice that I had deployed on my host. The WSDL location would be listed under the web services section within the ColdFusion administrator. No big deal, you may think, and it usually isn't if you're on a shared host that forbids calls to the createObject function.
On a server that allows access to createObject, you can do something like the following. I omitted the code that gets the service details for CF 7, as the getWebservice method takes far more parameters than its equivalent in CF 8.
CF 8:
<cfscript>
    // Obtain the server-wide service factory and list every registered web service mapping
    serviceFactory = CreateObject("java", "coldfusion.server.ServiceFactory");
    webservices = serviceFactory.getXmlRpcService().getMappings();
</cfscript>
<cfdump var="#webservices#"><br/><br/>
<!--- For each registered mapping, dump the service details --->
<cfloop collection="#webservices#" item="key">
    <cfoutput><br/>#webservices[key]#<br/></cfoutput>
    <cfset map = structNew()/>
    <cfset map[key] = webservices[key]/>
    <cfdump var="#serviceFactory.getXmlRpcService().getWebservice(key, map)#">
</cfloop>
CF 7:
<cfscript>
    // Same lookup as above; only the registered mappings are dumped
    serviceFactory = CreateObject("java", "coldfusion.server.ServiceFactory");
    webservices = serviceFactory.getXmlRpcService().getMappings();
</cfscript>
<cfdump var="#webservices#"><br/><br/>
As you should see in the output, you can discover what services are registered with the CF administrator. The CF 8 example even outlines the method names, return type and required parameters. You could of course just browse to the service WSDL address and determine the same information, assuming of course the service is unsecured.
So, if you’re exposing any web services that return sensitive data on a shared host (which you shouldn’t be!), make sure they are secured appropriately!
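For a host that leaves createObject enabled, one way to audit uploaded templates for the pattern shown above. This is an added example, not code from the original post: the function names and the sample template are constructed for illustration. It is a static check only, so a class name built at runtime will not be seen.

```python
import re

# createObject("java", "<class>") in tag or script syntax, either quote style, any case.
CREATE_JAVA = re.compile(
    r"""createObject\s*\(\s*["']java["']\s*,\s*["']([^"']+)["']""", re.IGNORECASE
)
# The class used in the post's snippets to reach the server-wide service registry.
SERVICE_FACTORY = "coldfusion.server.ServiceFactory"

def strip_cfml_comments(src):
    """Blank out <!--- ... ---> comments (which may nest), keeping newlines
    so that reported line numbers still match the original file."""
    out, depth, i = [], 0, 0
    while i < len(src):
        if src.startswith("<!---", i):
            depth += 1
            out.append(" " * 5)
            i += 5
        elif depth and src.startswith("--->", i):
            depth -= 1
            out.append(" " * 4)
            i += 4
        else:
            ch = src[i]
            out.append(ch if depth == 0 or ch == "\n" else " ")
            i += 1
    return "".join(out)

def find_java_objects(src):
    """Return (line, class_name, is_service_factory) for each live Java instantiation."""
    clean = strip_cfml_comments(src)
    hits = []
    for m in CREATE_JAVA.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        cls = m.group(1)
        hits.append((line, cls, cls == SERVICE_FACTORY))
    return hits

# Constructed sample template: one ServiceFactory call, one harmless Java
# object, and one call that is commented out and must not be reported.
SAMPLE = '''<!--- constructed sample template --->
<cfscript>
sf = CreateObject("java", "coldfusion.server.ServiceFactory");
sb = createobject( 'java' , 'java.lang.StringBuilder' );
</cfscript>
<!--- <cfset x = createObject("java", "coldfusion.server.ServiceFactory")> --->
'''

if __name__ == "__main__":
    for line, cls, flagged in find_java_objects(SAMPLE):
        print(f"line {line}: {cls}{'  <-- ServiceFactory access' if flagged else ''}")
```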