So, in today's podcast (Show #35 - Year end wrap and Committees) I talked about how MangoBlog writes log files in HTML format to a web-accessible directory. This was also blogged about by John Mason.

It seems that people may be unaware of this fact. The log files contain raw dumps of the error, as well as other potentially harmful information. The logs are stored in the blog\components\utilities\logs directory. They are created by blog\components\utilities\logger.cfc.

I am hoping that the folks at MangoBlog will put out a patch for this so that it can be easily disabled. However, in the meantime, there are a few things you can do to prevent people from reading them.

1: Stop MangoBlog from writing the logs. This can be done by just commenting out the cffile write in the cfc mentioned above. The write is in a function named "logMessage".
2: Disable read access to the log directory through your web server config. This will keep Mango the way it is and still allow the logs to be created.
3: Alter where the logs are written to. Instead of commenting out the cffile write, change the write location.
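
For option 2 on Apache, a rule like the one below denies HTTP access to the log directory while the logger keeps writing to it through the filesystem. This is an added example, not MangoBlog's own configuration; the Apache web server and the document root /var/www/html are assumptions, so point the path at wherever your blog folder actually lives.

```apache
# Added example. The path is an assumed install location: <document root>/blog/components/utilities/logs
# Goes in the main server or virtual host config (a <Directory> block is not valid inside .htaccess).
<Directory "/var/www/html/blog/components/utilities/logs">
    # Apache 2.4 and later: refuse every HTTP request for this directory
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier: same effect with the older access directives
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>
```

After reloading Apache, requesting a log file from that directory in a browser should return 403 Forbidden, and new entries should still appear on disk.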

If anyone else has some other methods please let me know.

Till next time...

--Dave