CFWheels Reload Password Issue


Brian Lang

Jul 29, 2013, 2:18:05 PM
to cfwh...@googlegroups.com
A colleague just brought up a concern regarding the CFWheels reload password. We have CFWheels configured to send error emails to our IT group so that we can identify and fix issues with the site. If a reload is performed and there's some problem with the page being reloaded, then the URL is sent via the email, including the reload password. This email is sent to different email addresses depending on which mode the site is in (i.e. design or production). My colleague saw the reload password via one of these emails.

Example: http://my-cfwheels-site.com/?reload=production&password=my-super-sekrit-password

This is a potential security issue for all CFWheels sites. What can/should be done about it?

George

Jul 29, 2013, 4:15:34 PM
to cfwh...@googlegroups.com
It is fixed in the next version. For the current version of Wheels I use (as I think most people do) a cfhttp call back to my server to do a reload so that I don't have to expose the password.

George

Jul 29, 2013, 4:18:26 PM
to cfwh...@googlegroups.com
I just realized that if the reload page is what is causing the error, then the password will still be exposed. So that solution does not solve your problem. I would suggest going in and modifying the error email template possibly? Not sure about this one.

Andy Bellenie

Jul 29, 2013, 4:43:01 PM
to ColdFusion on Wheels
Error emails are supposed to contain diagnostic information including form posts, which is always a security issue. If someone isn't trusted enough to see the reload password, I wouldn't personally let them see any of an error email. The only solution I can suggest at this time is to remove anyone from the error email list that shouldn't know the password.


--
You received this message because you are subscribed to the Google Groups "ColdFusion on Wheels" group.
Visit this group at http://groups.google.com/group/cfwheels.

Chris Peters

Jul 29, 2013, 5:21:31 PM
to cfwh...@googlegroups.com
Also be sure to remove logging of the reload and password URL params from software like Google Analytics. For example, Google Analytics has a setting to omit specific URL variables.

George

Jul 29, 2013, 5:27:43 PM
to cfwh...@googlegroups.com
Along those same lines, whenever I do a reload I usually have a page on my site that is completely blank with no layout or content so that there can be no JavaScript or other malicious stuff that could snoop it out. A blank page also means that there are typically no errors on my reload page as well.

I also have my reload password change on reload. My reload password is random and is changed on reload and saved in a text file on the server.
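George's two ideas (his first post: reload via a cfhttp call from the server itself; this post: a random password that is rotated on every reload and kept in a file) fit together, and the combination is worth writing out, because rotation is what turns the leaked URL in an error email into a leak of an already-expired credential. The following is an added example, not CFWheels project code or George's own code. It assumes `set(reloadPassword=...)` in `config/settings.cfm` as the CFWheels setting that defines the password; the file path `/opt/app/secrets/reload.pwd`, the `reload.cfm` script name and the site URL from the original post are assumed values.

```cfml
<!--- Added example, not CFWheels project code.
      Part 1 goes in config/settings.cfm (set() and reloadPassword are CFWheels settings).
      Part 2 is a standalone reload.cfm kept outside the public site.
      passwordFile, reloadUrl and reload.cfm are assumed names. --->

<!--- Part 1: config/settings.cfm, runs on every application start and on every reload --->
<!--- Assumed path; keep it outside the web root, readable only by the CF service account --->
<cfset passwordFile = "/opt/app/secrets/reload.pwd">
<!--- A random 256-bit AES key from the JVM key generator, hashed to hex so the value is URL-safe --->
<cfset newPassword = lCase(hash(generateSecretKey("AES", 256), "SHA-256"))>
<!--- Store the new password for the next out-of-band reload, then hand it to Wheels --->
<cfset fileWrite(passwordFile, newPassword)>
<cfset set(reloadPassword=newPassword)>

<!--- Part 2: reload.cfm, run by an administrator or a deployment script; never linked from the site --->
<cfset passwordFile = "/opt/app/secrets/reload.pwd">
<!--- Assumed URL; point it at a blank, layout-free page so the reload request itself cannot throw --->
<cfset reloadUrl = "http://my-cfwheels-site.com/">
<cfset currentPassword = trim(fileRead(passwordFile))>

<!--- The server calls itself, so the password never passes through a browser, proxy log or analytics tag --->
<cfhttp url="#reloadUrl#" method="get" result="reloadResult" timeout="120">
    <cfhttpparam type="url" name="reload" value="production">
    <cfhttpparam type="url" name="password" value="#currentPassword#">
</cfhttp>

<cfif reloadResult.statusCode contains "200">
    <!--- settings.cfm has already rotated the password during this reload; the one we sent is dead --->
    <cfoutput>Reloaded; #passwordFile# now holds the next reload password.</cfoutput>
<cfelse>
    <!--- Caveat: if the error happened before settings.cfm ran set(), the password in the error email is still live --->
    <cfoutput>Reload returned #reloadResult.statusCode#; check the error email and rotate #passwordFile# by hand.</cfoutput>
</cfif>
```

Because settings.cfm rotates the password before the rest of the reload runs, a password that lands in an error email (or in a proxy log or Google Analytics) is normally one that no longer works. The failure branch matters: an error raised inside settings.cfm before the `set()` call leaves the old password live, which is why the script tells you to rotate the file by hand in that case. Note that reload.cfm itself must still be access-restricted, since anyone who can request it can force a reload.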

Adam Chapman

Jul 29, 2013, 7:21:37 PM
to cfwh...@googlegroups.com
You could modify your error template to 'wash' the URL before outputting it into the email..

So loop through the cgi.query_string variable as an ampersand delimited list, check the name/value (use = as the delimiter), if the name is 'password', reset the value to 'not_the_real_password'.. add each name/value back to your return string.. and sendamundo!

Hope this helps..
Adam
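Adam's washing step, written out as a function that an error email template can call on `cgi.query_string` before the URL is put into the message. This is an added example, not CFWheels code or Adam's own; the function name `washQueryString`, its parameters and the sample query string are assumed. It goes slightly beyond the post in two places: the parameter name is URL-decoded before comparison, so a request written as `pass%77ord=...` is still masked, and the list of secret names is a parameter, so the same function can hide other sensitive keys.

```cfml
<cfscript>
/*
   Added example, not CFWheels project code. Rewrites a raw query string so that the
   value of every parameter whose name is in secretNames is replaced with a placeholder.
   Call it on cgi.query_string in the error email template before the URL is built;
   the same names should be masked in the form scope if the template dumps form posts.
*/
function washQueryString(required string queryString, array secretNames = ["password"], string placeholder = "not_the_real_password") {
    var cleaned = [];
    var secrets = [];
    var pairs = listToArray(arguments.queryString, "&", true);   // keep empty segments such as "a=&b=2"
    var i = 0;
    var pair = "";
    var name = "";
    var value = "";

    // Normalise the secret names once so the comparison below is case-insensitive
    for (i = 1; i <= arrayLen(arguments.secretNames); i++) {
        arrayAppend(secrets, lCase(arguments.secretNames[i]));
    }

    for (i = 1; i <= arrayLen(pairs); i++) {
        pair = pairs[i];
        if (!find("=", pair)) {
            // Bare flag such as "?debug": no value to mask, pass it through unchanged
            arrayAppend(cleaned, pair);
            continue;
        }
        name = listFirst(pair, "=", true);
        value = listRest(pair, "=", true);   // everything after the first "=", so "a=b=c" keeps "b=c"
        // Decode the name before comparing: "pass%77ord=x" is still the password parameter
        if (arrayFind(secrets, lCase(urlDecode(name)))) {
            value = arguments.placeholder;
        }
        arrayAppend(cleaned, name & "=" & value);
    }
    return arrayToList(cleaned, "&");
}

// Constructed sample input, modelled on the URL in the original post
sampleQuery = "reload=production&password=my-super-sekrit-password&debug";
safeQuery = washQueryString(sampleQuery);

// How the error email template would use it: rebuild the URL from CGI variables and the washed query string
safeUrl = "http://" & cgi.server_name & cgi.script_name & (len(cgi.query_string) ? "?" & washQueryString(cgi.query_string) : "");
</cfscript>
```

The design choice worth noting is that the function only masks values and never drops parameters, so the washed URL still shows that a reload was attempted and in which mode, which is the diagnostic information the email exists to carry. Per Andy's point above, this only narrows the leak: the error email still contains form posts and other request data, so the recipient list remains the real trust boundary.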