Error logs are exposed in MangoBlog

Dec 30, 2009

Heard about this from the cfhour podcast so it's in the wild. I'm emailing Laura on this as well, but it may take some time for an update to fix this can get released.

Basically, MangoBlog logs certain errors into *.htm files in blog\components\utilities\logs. Since they are html files they are directly accessible for the world to see. If you are using MangoBlog, you will want to modify the logMessage method inside blog\components\utilities\Logger.cfc to point either to a protected area or to turn this logic off. Hopefully, an update to MangoBlog will allow for control of this functionality from the admin.


Mike Henke

Mike Henke wrote on 12/30/09 6:44 PM

How about a plugin to fix this? I haven't created any but I would think someone could whip up a quick fix via a plugin.
John Mason

John Mason wrote on 12/30/09 6:53 PM

Since it's a part of the internal functionality of Mango, I would think it best that they fix this on their end. Many people won't install plugins and will simply run with the default. But that said, I'm sure they would be interested in people submitting a patch that they could then incorporate into the next update.
Dave Ferguson

Dave Ferguson wrote on 12/30/09 8:11 PM

Gee.. I just started using Mango. I figured that people knew about this. I didn't intend to let the cat out the proverbial bag.

Laura wrote on 12/30/09 11:46 PM

Hi all,
First of all, I don't think people should freak out. I thought it was well known that were logs written, perhaps I should make that clearer. There is a nice plugin written by Adam Tuttle that allows you to view the logs from the admin. It will also change its icon if there are any logs available.
You need to take into account that only failing plugins would make a log entry to be written, *nothing else*. So they are good for debugging while developing plugins and when you install a new plugin and you want to ensure it is working properly. A healthy running blog should not have any log, but if a plugin is failing, you will want to know, so I do recommend you to install Adam's plugin.
Having said that, I will add an entry in the configuration to set the location of the log files and a switch to suppress them if you don't have access to a directory outside the root where to place the logs. As Dave lists in his blog entry, the easiest and cleanest route is to disable read access on that directory. Besides the options listed there, there is also the option of moving all components to a location outside the root, but life is easier if they are in the default location, so I wouldn't recommend it.

Laura wrote on 12/30/09 11:55 PM

I forgot, I agree that most people runs the default, so they will be turned off by default.

Write your comment

(it will not be displayed)