oi Jochem!!

JvD> 2. It breaks CF if you run it after installing CF.

not had that happen for me...

JvD> But depending on the server to solve a client side vulnerability is wrong

it's not a client thing... based on certain exploits and urls run.. cmd.exe can be copied to an executable directory... this will then allow a person to upload files (among other things) ..and create an ftp server on the webserver..for distributing warez... that is what a Large majority of it is used for....

------------------------------------
Sunday, June 1, 2003, 1:28:29 PM, you wrote:

JvD> cfhelp wrote:
>>http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp
>>
>>Any reason I wouldn't want to use this?

JvD> "this" is actually 2 products, LockDown and URLScan. Although they are bundled in one package, they are really 2 entirely different things.

JvD> LockDown is a tool to configure your IIS install. URLScan runs as an ISAPI
JvD> filter and will intercept requests at runtime.

JvD> For LockDown, you wouldn't want to use it because:
JvD> 1. It doesn't add any security to a system that is already configured correctly.
JvD> 2. It breaks CF if you run it after installing CF.
JvD> 3. It might break various other things such as compression of script files.

JvD> URLScan on the other hand adds some extra features, such as the ability to
JvD> filter requests based on the verb.
JvD> I'm unsure how useful this really is. I am aware of some Cross Site
JvD> Scripting exploits in Internet Explorer that could be filtered out this way.
JvD> But depending on the server to solve a client side vulnerability is wrong
JvD> for so many reasons that I don't use it (I install it but configure it to
JvD> let everything pass, and only when there is a reason to filter I will start
JvD> filtering).
JvD> Jochem
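
A simplified model of the runtime request filtering discussed in this thread (a verb allow-list plus URL checks, applied before the request reaches the application), as an added example that is not part of the original messages and is not Microsoft's code. The rule values and the sample requests are constructed for illustration; the rule names follow the URLScan.ini sections of the same names.

```python
# Simplified model of URLScan-style request filtering (illustrative only).
from urllib.parse import urlsplit
import posixpath

# Constructed rule set, named after the corresponding URLScan.ini sections.
ALLOW_VERBS = {"GET", "HEAD", "POST"}
DENY_URL_SEQUENCES = ("..", "./", "\\", "%")
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com"}


def check_request(verb, raw_url):
    """Return (allowed, reason) for one request."""
    # Verb allow-list: anything not listed is rejected (exact match).
    if verb not in ALLOW_VERBS:
        return False, "verb not allowed"
    path = urlsplit(raw_url).path
    # Sequences are matched on the raw path, so an encoded or relative
    # path is rejected outright instead of being decoded and trusted.
    for seq in DENY_URL_SEQUENCES:
        if seq in path:
            return False, "denied sequence " + repr(seq)
    # Executables must not be requestable, even from a script directory.
    ext = posixpath.splitext(path)[1].lower()
    if ext in DENY_EXTENSIONS:
        return False, "denied extension " + ext
    return True, "ok"


# Constructed sample requests: (verb, URL as sent by the client).
SAMPLE_REQUESTS = [
    ("GET", "/index.cfm?id=5"),
    ("TRACE", "/index.cfm"),
    ("GET", "/scripts/cmd1.exe?/c+dir"),
    ("GET", "/app/../admin/page.cfm"),
]


def filter_requests(requests):
    """Apply check_request to each request and return the decisions."""
    return [(verb, url) + check_request(verb, url) for verb, url in requests]


if __name__ == "__main__":
    for verb, url, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print("ALLOW" if allowed else "BLOCK", verb, url, "-", reason)
```
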
