CFAJAX Security Flaw

Posted At : July 13, 2006 9:35 PM | Posted By : James Holmes
Related Categories: AJAX,ColdFusion

Rick Root discovered a flaw in the way CFAJAX handles string inputs. The flaw allows a remote user to execute arbitrary CF functions on the host server.

See his blog for full details and for a fix:

http://www.opensourcecf.com/1/2006/02/Security-Flaw-in-CFAJAX.cfm

Send |

Linking Blogs | 4107 Views

Related Blog Entries

Installing CFAJAX - Paths explained (July 13, 2006)
CFAJAX Suggest (July 13, 2006)
A CF error handler for CFAJAX calls (July 13, 2006)
Getting the CFAJAX Suggest examples to work locally (July 13, 2006)

Comments (Comment Moderation is enabled. Your comment will not appear until approved.)

There are no comments for this entry.

[Add Comment]

Search

Calendar

Subscribe

Enter your email address to subscribe to this blog.

Archives By Subject

AIR (1) [RSS]
AJAX (15) [RSS]
Apache (1) [RSS]
C3 (1) [RSS]
ColdFusion (24) [RSS]
Flex (1) [RSS]
General (2) [RSS]
Oracle (1) [RSS]
WSS4CF (1) [RSS]

Tags

ajax coldfusion

Recent Entries

WSS4CF: Secure Webservices with ColdFusion
Fix for Flex Builder 3 crash
Notes on the Fusion Authority Quarterly Update FLEX/AIR articles
Coldfusion server restarts after a few days? Here's a possible solution.
New cumulative Coldfusion hotfix includes a backported fix from CF8

Recent Comments

Getting the CFAJAX Suggest examples to work locally
guillermo Pinillos said: Unfortunately this don't work for me. I did everything the recommends until I changed my browser IE... [More]

Generating Barcodes with Barbecue and Coldfusion
mercedes said: Hi, I need to print a barcode and, below this, one line with text. I don´t know how to print the l... [More]

Fix for Flex Builder 3 crash
James Holmes said: These should already be in the ini file, but if they aren't, add them. If you still get a crash, use... [More]

Fix for Flex Builder 3 crash
jon said: What do you mean higher setting? Do i need to add these settings or remove them? [More]

MXAJAX - mxData tag basics
Jay said: Can someone "PLEASE" tell me how can I dynamically pass in params into mx.data. I ... [More]

RSS

BlogCFC was created by Raymond Camden. This blog is running version 5.5.1.