tracker issue : CF-4203074

Title:

[ANeff] Bug for: per-app null value can be hacked from address bar


Status/Resolution/Reason: To Fix//BugVerified

Reporter/Name(from Bugbase): Aaron Neff / ()

Created: 07/15/2018

Components: Language, Null Support

Versions: 13.0

Failure Type: Incorrectly functioning

Found In Build/Fixed In Build: 2018.0.0.310739 /

Priority/Frequency: Normal / Some users will encounter

Locale/System: / Windows 10 64 bit

Vote Count: 0

Issue: per-app null value can be hacked from address bar

Repro:

1) Install CF (standalone w/ default settings)
2) Create this app:

Application.cfc
-----------
component {THIS.name="nullHack"; THIS.enableNULLSupport=true;}

index.cfm
-----------
<cfdump var="#null#">

3) Access app w/ ?null=hack URL parameter

Actual Result: "hack" displayed

Expected Result: "[null]" displayed

Workaround: Enable the "Enable Null Support" setting in CF Admin

Attachments:

Comments: