Speaking at IECFUG
Jun 8
I will be speaking on 6/9/11 at the IECFUG, The Inland Empire ColdFusion User Group. This talk will be on application security. You can get more info at the link below.
Till next time...
--Dave
This entry was posted on June 8, 2011 at 4:13 PM and has received 736 views. There are currently 0 comments.
So, in today's podcast (Show #35 - Year end wrap and Committees) I talked about how MangoBlog writes log files in html format to a web accessible directory. This was also blogged about by John Mason.
It seems that people may be unaware of this fact. The log files contain raw dumps of the error, as well as other potentially harmful information. The logs are stored in the blog\components\utilities\logs directory. They are created by blog\components\utilities\logger.cfc.
I am hoping that the folks at MangoBlog will put out a patch for this so that it can be easily disabled. However, in the meantime there are a few things you can do to prevent people from reading them.
1: Stop MangoBlog from writing the logs. This can be done by just commenting out the cffile write in the cfc mentioned above. The write is in a function named "logMessage".
2: Disable read access to the log directory through your web server config. This will keep Mango the way it is and still allow the logs to be created.
3: Alter where the logs are written to. Instead of commenting out the cffile write, change the write location to a directory outside the web root.
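Here is what option 2 looks like for Apache httpd. This is an added example, not code from the original post or from MangoBlog; the install path /var/www/blog is an assumption, so adjust it to wherever your blog directory actually lives.

```apache
# Added example (not from the original post or MangoBlog). Deny all HTTP access
# to the MangoBlog log directory so logger.cfc keeps writing its HTML logs but
# nobody can read them through the web server.
# ASSUMPTION: the blog is deployed under /var/www/blog; change to match your site.

# Apache 2.2 syntax
<Directory "/var/www/blog/components/utilities/logs">
    Order deny,allow
    Deny from all
</Directory>

# Apache 2.4 syntax: replace the Order/Deny lines above with this single line.
# <Directory "/var/www/blog/components/utilities/logs">
#     Require all denied
# </Directory>

# Equivalent per-directory form if you cannot edit httpd.conf: put the
# "Deny from all" (2.2) or "Require all denied" (2.4) line in a .htaccess file
# inside blog/components/utilities/logs, provided AllowOverride permits Limit.
```

After reloading Apache, request one of the log files in a browser and confirm you get a 403 rather than the page; since the logs are plain .html files Apache serves them itself, so the ColdFusion connector is not involved in this check.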
If anyone else has some other methods please let me know.
Till next time...
--Dave
This entry was posted on December 30, 2009 at 7:33 PM and has received 741 views. There are currently 6 comments.
Oct 16 | posted by Dave in SQL, Security | 3 Comments
So as I sit and write this I am fully aware of the potential backlash that this may (or may not) cause. After some serious consideration I obviously decided to write this. I first want to make a couple of points perfectly clear. First, I am not an expert in the security field. My points are merely observations on some things I have recently seen. Also, I am in no way attempting to discredit or diminish the work done by others. I believe that people are well intended until, well, they aren't.
This entry was posted on October 16, 2009 at 11:20 AM and has received 1412 views. There are currently 3 comments.