Hi.
In <cfa_refreshsectionmodel>, on line 30, we see the following:
<cfparam name="pagetypeid" default="070DCB4A-CDA2-11D2-AE210060B0EB4972">
There are similar lines for sectiontypeid, etc.
The problem with this is that if a user enters a URL variable 'pagetypeid',
the value of URL.pagetypeid will be used. So essentially any user can
crash any Spectra application (in theory) by supplying bogus URL
parameters.
This is very bad. How did this get through QA?
The fix is of course to replace the cfparam with cfset statements.
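
An added example, not part of the original post or of Spectra: a small Python audit that lists every <cfparam> whose name carries no scope prefix, which is the pattern the post describes. The scope list, the function name and the sample template are assumptions made for illustration; only the pagetypeid line comes from the post.

```python
import re

# Scope prefixes that pin a variable to one scope (assumed list for this audit).
SCOPES = {"variables", "attributes", "caller", "request", "session",
          "application", "server", "client", "cookie", "form", "url", "cgi"}

# Match the name attribute of a cfparam tag, any case, either quote style.
CFPARAM = re.compile(r"<cfparam\b[^>]*?\bname\s*=\s*(['\"])(.*?)\1", re.I | re.S)


def unscoped_cfparams(source):
    """Return (line_number, name) for each cfparam whose name has no scope prefix."""
    hits = []
    for m in CFPARAM.finditer(source):
        name = m.group(2).strip()
        prefix = name.split(".", 1)[0].lower() if "." in name else ""
        if prefix not in SCOPES:
            # An unscoped name is resolved by scope search, so a URL variable
            # of the same name stops the default from being applied.
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, name))
    return hits


# Constructed sample template; only the pagetypeid line is taken from the post.
SAMPLE = '''<cfparam name="attributes.sectionid" default="">
<cfparam name="pagetypeid" default="070DCB4A-CDA2-11D2-AE210060B0EB4972">
<CFPARAM NAME='sectiontypeid' DEFAULT="CONSTRUCTED-PLACEHOLDER">
<cfset Variables.pagetypeid = "070DCB4A-CDA2-11D2-AE210060B0EB4972">
<cfparam name="url.page" default="1">
'''

if __name__ == "__main__":
    for line, name in unscoped_cfparams(SAMPLE):
        print(f'line {line}: <cfparam name="{name}"> has no scope prefix; '
              f"a URL variable named {name} would replace the default")
```

The cfset line and the explicitly scoped cfparam lines in the sample are not reported, since neither falls back to a URL variable of the same name.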