I have few questions about Flex Messaging :
- To use Flex Messaging with Lucee, do we need to install an extension like this one?
- In 2021, is Flex Messaging an outdated technology?
- Is Flex Messaging still have potential security vulnerabilities (as mentioned in the readme of the extension and on some articles on the web)?
- In other words, should we stay away from that?
as Flash is now dead, Flex messaging is kinda dead, I’d avoid it myself
chances of it having a security vulnerability, it’s xml so more likely than a json based api
Is the anything particular you want to use from it?
I migrate an Adobe Coldfusion main application to Lucee and there is a related and old application written in mxml. It use Flex Messaging and there is just few users of this application.
I am at a crossroads. I wonder if I abandon this application altogether or if I integrate an old risky technology on the new Lucee installation. If Flex Messaging poses no risk on Lucee, I can continue to support the application. But if there’s the slightest risk, I’d rather not.
If you disable XML entities in application.cfc, that should make it pretty safe
I’ve tried to get the Flash gateway working on Lucee and failed. I’m not sure I’ve seen anyone get it working. The extension in on Github so you’re welcome to poke at it and try to get it working.
Thank you @Zackster for your advice, always appreciated.
@bdw429s, I would be surprised if I succeed if you did not. You have undoubtedly more experiences than me with Lucee.
I was going to give it a try, but following my research and this discussion, I spoke about it internally and we will keep the application temporary alive by creating a dedicated service on an isolated server. We will not install Flex Messaging on the primary Lucee server. This will give us time to prepare our users for its eventual abandonment, or even leave us enough time to modernize the application with more recent technologies.
heh, well don’t let that dissuade you. I quit trying when my client just decided to abandon their old Flex stuff instead