Steven Erat
Fri, 26 Sep 2003 07:58:37 -0700
FYI.... I believe that there is a security hole in the CFXML_Blog 1.2, and possibly in 1.5b2. I'm not running 1.5, so I don't know if that one exhibits the same behavior, although the login logic is the same in both.
The documentation states to change the username and password in the Application.cfm,
but login.cfm has a cflogin tag hardcoded with user=admin password=admin. If
username/password is changed only in Application.cfm, then one can log in with both the
custom login values as well as the default login values of admin/admin.
I believe that the cflogin line should be changed from:
<cfloginuser name="admin" Password = "admin" roles="admin">
to:
<cfloginuser name="#request.useradmin#" Password = "#request.passwordadmin#"
roles="admin">
This allows only the custom username/password to be validated, not the default values.
I was notified of this by a user that logged into my blog as the admin user.
Additional security measures I've added to my blog include obfuscating the front door
by changing the admin query string from ?admin to ?somethingelse, and instead of coding my
username and password in clear text in the Application.cfm, I hardcoded the hash
values. Then in login.cfm I use the following:
<cfif hash(form.j_username) is request.useradmin and hash(form.j_password) is
request.passwordadmin>
-Steven Erat
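The two login checks described in the post, modelled in Python as an added example (this is not code from the post or from CFXML_Blog, and the CFML tags are only quoted in comments). The first function reproduces the defect: a hard-coded default credential is accepted regardless of what the administrator configured. The second shows the fix the post asks for, plus the hashed-credential idea from the end of the post done with a salted PBKDF2 digest and a constant-time comparison rather than a bare MD5 hash. The configured user name and password are constructed sample values standing in for whatever Application.cfm would hold.

```python
import hashlib
import hmac
import os

# Constructed sample configuration, standing in for the values an
# administrator sets in Application.cfm (hypothetical, not real credentials).
CONFIGURED_USER = "blogowner"
CONFIGURED_PASSWORD = "correct horse battery staple"


def vulnerable_login(username, password, configured_user, configured_password):
    """Models the original login.cfm behaviour described in the post.

    The configured credentials are checked, but the page also carries a
    hard-coded  <cfloginuser name="admin" Password="admin" roles="admin">,
    so the default pair keeps working no matter what Application.cfm says.
    Returns the granted role, or None.
    """
    if username == configured_user and password == configured_password:
        return "admin"
    # The hard-coded default path: this is the hole.
    if username == "admin" and password == "admin":
        return "admin"
    return None


def make_credential(password, salt=None, iterations=200_000):
    """Build the stored form of the admin password: salt + PBKDF2-SHA256 digest.

    This replaces storing a clear-text password (or an unsalted hash) in the
    application configuration.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hardened_login(username, password, configured_user, credential):
    """Models the corrected check: only the configured credential is accepted.

    Equivalent in spirit to
      <cfloginuser name="#request.useradmin#" Password="#request.passwordadmin#" roles="admin">
    guarded by a comparison of the submitted password's digest with the
    stored digest. No default fallback exists, and the comparisons are
    constant-time and case-sensitive.
    """
    submitted = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), credential["salt"], credential["iterations"]
    )
    user_ok = hmac.compare_digest(username.encode(), configured_user.encode())
    pass_ok = hmac.compare_digest(submitted, credential["digest"])
    if user_ok and pass_ok:
        return "admin"
    return None


def demo():
    """Run both checks against the default pair and the configured pair."""
    cred = make_credential(CONFIGURED_PASSWORD)
    return {
        "vulnerable_default": vulnerable_login("admin", "admin",
                                              CONFIGURED_USER, CONFIGURED_PASSWORD),
        "vulnerable_configured": vulnerable_login(CONFIGURED_USER, CONFIGURED_PASSWORD,
                                                 CONFIGURED_USER, CONFIGURED_PASSWORD),
        "hardened_default": hardened_login("admin", "admin", CONFIGURED_USER, cred),
        "hardened_configured": hardened_login(CONFIGURED_USER, CONFIGURED_PASSWORD,
                                             CONFIGURED_USER, cred),
    }


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name:22s} -> {role}")
```

Two details differ from the post's `hash(form.j_password) is request.passwordadmin` check: ColdFusion's `hash()` defaults to unsalted MD5, whereas the example salts and stretches the password, and CFML's `is` compares strings case-insensitively, whereas `hmac.compare_digest` on the digest bytes is exact and does not leak timing information about how many leading bytes matched.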