While working on my new chat room project using CFAJAX, I discovered a pretty nasty security flaw in the cfajax framework.
Basically, if you have built an application that takes user input as a text string and passes that text string to a ColdFusion function on the server, then chances are good that your application allows people to execute CFML code on your server that you don't want them to.
I discovered it when I was having trouble with my chat application and the double quote mark ". Any time I used a double quote in whatever I typed and sent to the server, it would cause a CFML error on the back end.
I realized that if I typed the following line, the CFML in the middle would be executed:
foo " & now() & " foo
And then someone else noticed that you could type in #Now()# and it would be executed on the server.
The flaw is basically in the way cfajax (in the file cfajax.cfm) constructs the functionName variable: the raw user string is dropped into a double-quoted CFML string literal, so a quote closes the literal and a pound sign starts an expression.
To resolve the problem, on or around line 92, in the listAppend() command that appends to the variables.param list, you have to escape both quotes and pound signs by doubling them up, as follows:
<cfset variables.param = ListAppend(variables.param,
    """" &
    Replace(
        Replace(Mid(variables.var, variables.firstPos + 1, Len(variables.var) - variables.firstPos),
                Chr(34), "#Chr(34)##Chr(34)#", "ALL"),
        Chr(35), "#Chr(35)##Chr(35)#", "ALL")
    & """")>