Did you recently apply a hotfix? There is one that fixes an issue with
the cross-site scripting; perhaps this was the issue.

Russ 

-----Original Message-----
From: Johnny Le [mailto:[EMAIL PROTECTED]]
Sent: 28 September 2006 14:53
To: CF-Talk
Subject: CFMX and cross-site scripting attack?

Hi,

We have 3 development servers and 3 production servers on 3 different
networks.  We deployed an application across all 6 servers.  All of them
have the "enable global script protection" setting in CFAdmin checked.
Everything was working great.  Suddenly today, the app on one of the
production servers changed <script to <INVALIDTAG.  It took us a while to
figure out that this is a CFMX 7 feature to prevent cross-site scripting
attack.  To disable, we can either uncheck the global setting in CFAdmin or
add a scriptprotect attribute to the cfapplication tag.

Now the question is why do all 6 servers have this global setting checked,
but only one server did this, and it didn't do it to start with.  More than
that, we have two instances on this server, and only one instance did this.
So it looks like the global setting alone doesn't do it.  There is something
else that triggers the change.  Could it be this and a combination of some
settings in IIS?  I would greatly appreciate it if someone could shed
some light on it for me.
Thank you.

Johnny




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254622