- Original Message -
From: E. Keith Dodd [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, January 29, 2003 1:52 PM
Subject: Re: Screening files before CFFile upload
Thanks, interesting article.
That would allow examination of size.
I did a cfdump of cgi, but don't see
Hi,
Follow-up yesterday's thread of trying to screen files before
uploading with
cffile:
I didn't comment on this thread yesterday..so...
Just did some comparing of the MX behavior with CF5, to see if could glean
any valuable info from initial form before uploading using cffile
using CF5:
Thanks for the extra insight. There is so much to know!
Keith
- Original Message -
From: webguy [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Thursday, January 30, 2003 9:24 AM
Subject: RE: Screening files before CFFile upload: Follow-up
Hi,
Follow-up yesterday's thread
Since file upload is part of the http protocol why is CFFILE considered
such a security risk?
best, paul
At 02:24 PM 1/30/03 +, you wrote:
Hi,
Follow-up yesterday's thread of trying to screen files before
uploading with
cffile:
I didn't comment on this thread yesterday..so...
because you can do this
cffile action=read file=ntuser.dat
WG
-Original Message-
From: paul smith [mailto:[EMAIL PROTECTED]]
Sent: 30 January 2003 15:13
To: CF-Talk
Subject: RE: Screening files before CFFile upload: Follow-up
Since file upload is part of the http protocol why
O! That's handy ;-)
At 03:35 PM 1/30/03 +, you wrote:
because you can do this
cffile action=read file=ntuser.dat
WG
-Original Message-
From: paul smith [mailto:[EMAIL PROTECTED]]
Sent: 30 January 2003 15:13
To: CF-Talk
Subject: RE: Screening files before CFFile
because you can do this
cffile action=read file=ntuser.dat
While that's true, it's worth noting that on a properly configured CF
server, the CF user account generally shouldn't have rights to read that
file or other non-CF files.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
webguy wrote:
| because you can do this
|
| cffile action=read file=ntuser.dat
only when cold fusion is not running under a restricted user account
z
Yes true, on properly configured CF server, which as you know Dave, are not
very common :-)
WG
because you can do this
cffile action=read file=ntuser.dat
While that's true, it's worth noting that on a properly configured CF
server, the CF user account generally shouldn't have rights
Yes true, on properly configured CF server, which as
you know Dave, are not very common :-)
Yes, which is why I feel compelled to harp on it so much, I guess. This is
especially true with CFMX - it's a lot easier to secure on Windows than CF 5
was. You create a user, give the user the log on
But Dave if you tell everyone that, who will hire us? :-)
Dave said:
Yes true, on properly configured CF server, which as
you know Dave, are not very common :-)
Yes, which is why I feel compelled to harp on it so much, I guess. This is
WG
But Dave if you tell everyone that, who will hire us? :-)
I'd be happy to do something else, actually, if everyone set up their
servers correctly.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
OK. So on CF5, what needs to be done to properly secure a CF server -
against the evils of CFFILE, or anything else?
best, paul
At 11:55 AM 1/30/03 -0500, you wrote:
Yes true, on properly configured CF server, which as
you know Dave, are not very common :-)
Yes, which is why I feel
http://markme.com/cantrell/weblog/index.cfm?m=1d=28y=2003
Bryan F. Hogan
Director of Internet Development
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877-72DIGITAL
-Original
files before CFFile upload
http://markme.com/cantrell/weblog/index.cfm?m=1d=28y=2003
Bryan F. Hogan
Director of Internet Development
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877-72DIGITAL
, 2003 1:38 PM
Subject: RE: Screening files before CFFile upload
http://markme.com/cantrell/weblog/index.cfm?m=1d=28y=2003
Bryan F. Hogan
Director of Internet Development
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877
: Benoit Hediard [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, January 29, 2003 1:50 PM
Subject: RE: Screening files before CFFile upload
Hi,
You can also add some Javascript client side validation :
http://www.massimocorner.com/beta/js_upload.htm
Benoit Hediard
www.benorama.com
GetHTTPRequestData() I believe will give you more information.
-Original Message-
From: E. Keith Dodd [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 18:52
To: CF-Talk
Subject: Re: Screening files before CFFile upload
Thanks, interesting article.
That would allow
PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, January 29, 2003 1:56 PM
Subject: RE: Screening files before CFFile upload
GetHTTPRequestData() I believe will give you more information.
I don't think Massimo's actually stops the upload just says that the file is
too big
- Original Message -
From: Mike Townend [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, January 29, 2003 1:56 PM
Subject: RE: Screening files before CFFile upload
GetHTTPRequestData