> This fix is needed if Global Script Protection is not
> enabled. I wonder if it's a vulnerability if Global Script
> Protection is ON and a specific application disables the
> script protection using the scriptProtect parameter of the
> cfapplication tag.
>
> Anybody know?
>
> Patch for XSS when Global Script Protection is not enabled
> http://www.adobe.com/support/security/bulletins/apsb07-03.html
If you set SCRIPTPROTECT to false in your application, that should override the setting in the CF Administrator, according to my understanding. Note that this fix only affects the CF Administrator, so should only apply to the extent that you're allowing people to access that.

Finally, the XSS protection in CF is minimal at best. You should not rely on it. It simply looks for a few common keywords used in XSS attacks, and filters those out. It can be easily circumvented by slightly more sophisticated XSS attacks.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
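The reply's point is that a keyword blacklist is the wrong primary defence against XSS and that output encoding is what actually neutralises untrusted input. The following added example (not from the thread, and not ColdFusion's own implementation) models the two approaches side by side in Python: a constructed, simplified blacklist filter that rewrites a fixed list of tag names, modelled on the kind of keyword filtering the reply describes, and a context-appropriate HTML encoder. The function and tag-list names are assumptions chosen for illustration; the sample inputs are constructed.

```python
import html
import re

# Constructed, simplified model of a keyword-based "script protection" filter
# in the style the reply describes. It is an assumption for illustration, not
# the actual ColdFusion implementation: it rewrites a fixed list of tag names
# and leaves everything else exactly as submitted.
BLACKLISTED_TAGS = ("script", "object", "embed", "applet", "meta")
_BLACKLIST_RE = re.compile(
    r"<\s*(?:" + "|".join(BLACKLISTED_TAGS) + r")\b", re.IGNORECASE
)


def keyword_filter(value: str) -> str:
    """Neutralise only the blacklisted tag names, leaving all other markup intact."""
    return _BLACKLIST_RE.sub("<InvalidTag", value)


def html_encode(value: str) -> str:
    """Encode for HTML element/attribute content.

    Every <, >, &, " and ' is escaped, so the browser can never interpret the
    value as markup, regardless of which tag names or attributes it contains.
    """
    return html.escape(value, quote=True)


def leaves_markup(value: str) -> bool:
    """True if a value still carries characters the browser would parse as markup."""
    return "<" in value or ">" in value


def defend(value: str) -> dict:
    """Run both approaches over one untrusted input and report what each leaves behind."""
    filtered = keyword_filter(value)
    encoded = html_encode(value)
    return {
        "filtered": filtered,
        "filter_leaves_markup": leaves_markup(filtered),
        "encoded": encoded,
        "encoded_leaves_markup": leaves_markup(encoded),
    }


if __name__ == "__main__":
    # Constructed sample inputs: one hits the blacklist, one does not.
    for sample in ("<script>alert(1)</script>", "<b>hello</b>"):
        print(sample, "=>", defend(sample))
```

Running it shows the asymmetry the reply warns about: the blacklist rewrites only the listed tag name and passes any other markup through as raw HTML, whereas encoding at the output point removes every markup-significant character without needing to know which constructs are dangerous. Treat a keyword filter like SCRIPTPROTECT as defence in depth at most, and encode every untrusted value for the context it is rendered into.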

