Not necessarily; some fixes you have to apply to each instance.

Anyway, is it possible that the cross site scripting protection was not
triggered until now?
Has the <script> tag previously been submitted in form posts that you know
of?

Snake 

-----Original Message-----
From: Johnny Le [mailto:[EMAIL PROTECTED] 
Sent: 28 September 2006 16:02
To: CF-Talk
Subject: Re: CFMX and cross-site scripting attack?

We have not.  We talked about it but we haven't.  Even if we did, both
instances on the same server should be affected, not just one.

Johnny

>Did you recently apply a hotfix, as there is one that fixes an issue 
>with the cross site scripting, perhaps this was the issue.
>
>Russ
>
>-----Original Message-----
>From: Johnny Le [mailto:[EMAIL PROTECTED]
>Sent: 28 September 2006 14:53
>To: CF-Talk
>Subject: CFMX and cross-site scripting attack?
>
>Hi,
>
>We have 3 development servers and 3 production servers on 3 different 
>networks.  We deployed an application across all 6 servers.  All of 
>them have the "enable global script protection" setting in CFAdmin checked.
>Everything was working great.  Suddenly today, the app on one of the 
>production servers changed <script to <INVALIDTAG.  It took us a while 
>to figure out that this is a CFMX 7 feature to prevent cross-site 
>scripting attacks.  To disable it, we can either uncheck the global setting 
>in CFAdmin or add a scriptprotect attribute to the cfapplication tag.
>
>Now the question is why do all 6 servers have this global setting 
>checked, but only one server did this, and it didn't do it to start 
>with.  More than that, we have two instances on this server, and only one
>instance did this.
>So it looks like the global setting alone doesn't do it.  There is 
>something else that triggers the change.  Could it be this and a 
>combination of some settings in IIS?  I would greatly appreciate it 
>if someone could shed some light on it for me.
>Thank you.
>
>Johnny



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254629