Whoa, pardner

AJAX is certainly one of the hot and trendy things happening on the web but it also seems rather dangerous. I've been reading a number of articles in the past few weeks about JavaScript Highjacking. Here's the most recent article to hit my mailbox, this from CIO Insight:

Fortify Software has documented what the security firm is calling a "pervasive and critical" vulnerability in Web 2.0 applications—specifically, in the ability of an attacker to use a JavaScript vulnerability to steal critical data by emulating unsuspecting users.

The vulnerability—which allows an exploit called JavaScript Hijacking—can be found in the biggest AJAX frameworks out there, including three server-integrated toolkits: Microsoft ASP.Net AJAX (aka Atlas), Google Web Toolkit and xajax—the last of which is an open-source PHP-class library implementation of AJAX.

Client-side libraries that Fortify inspected and found to be vulnerable are the Yahoo UI, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Rico and MochiKit.

<snip>

Brian Chess, Fortify Software's co-founder and Chief Scientist, told eWEEK that the security firm is getting a ho-hum reaction from some regarding the news, since JavaScript has never been considered to be safe anyway.

This, however, is the first type of JavaScript problem that Chess knows of that specifically targets AJAX-style and Web 2.0-style applications, he said.

Let's be careful out there, k?

Max. Rows in List to Register

In e-Series Events you can choose to allow a logged in user to register anyone from their company based on a modifiable SQL statement. One of my clients is using that feature in version 10.4 and found out the list only displays a maximum of 100 rows. Ack! Some of their organizations have far more than that in the database.

I traced things back to the file /source/Meetings/cMeetingFunctionDetailInput.cfm and it's limiting the list by setting the application variable application.eventscoMembersSelectListMaxRows. And then this variable is the MaxRows parameter on the query that gets the list of potential registrants. This variable is not set in any other files I could find so I wasn't sure if it was buried somewhere I couldn't see or what.

ASI Tech Support provided this answer for me:

In the _eEventsConfig.txt file add this line:

<CFSET Application.eventscoMembersSelectListMaxRows = "300">

You can set whatever limit you want. The 300 is just an example.

Version 10.6 will support CF MX 7

ASI also had this product support statement regarding ColdFusion MX 7:

In accordance with our Third Party Support statement, ASI is pleased to announce support for Cold Fusion MX 7.0, effective with the release of iMIS 10.6.  This release is scheduled for 1st Quarter, 2006.  We will also continue to support Cold Fusion MX 6.1.

ASI testing and support of 3rd party products is focused on the current major version and one version back. Therefore, ASI will discontinue development, testing and technical support for Cold Fusion 5.0 with the release of iMIS 10.6. You may continue to run your application on CF 5.0, but such use is at your own discretion.