> >
> > I just tested this on my machine (Win2K, IIS 5, CF 5, all relevant OS and
> > CF hotfixes) and was able to replicate the results of the SecurityFocus
> > report, with all debugging options off.
> >
>
> Now that's really worrying, because I'm on exactly the same as you, but have
> not been able to replicate it.
>

Ahem.....  Ignore me doing this ~waves hand in the air~

I was being a Friday afternoon idiot.....  Must remember to read and absorb
all the details in an email.  nul.cfm does output the file path.

I did try it out on some other DOS devices; for some I get the dreaded error and
for some I get a login prompt, because I've got most of my box locked down in
one way or another.

Yeah - MM's solution isn't great, but something else I do is shift
everything from the default locations and lock everything down, so that only
the appropriate user can access the various paths for my website storage.
The information gleaned from these error messages is only useful if you can
do something with it.

I really don't think that this is something to get too worried about if you
already treat the security of your server seriously.

Incidentally, I tried this in an application.cfm for a laugh....
<!--- Bounce any request whose script name contains "nul." --->
<cfif cgi.script_name contains "nul.">
  <cflocation url="http://www.disney.com/">
</cfif>
and it worked....  Obviously you'd need to look at this a bit more closely,
but the general principle works....

The nul..cfm seems to be caused somewhere else and possibly could be
prevented with something like the URLScan plug-in for IIS, but then that
could kill off Fusebox fuseaction dot notation or similar.  Not that that
would worry some of you... ;oD

Regards

Stephen
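As an added example, not part of Stephen's message or the list thread, here is a fuller version of the Application.cfm idea in the post above. It goes beyond the "nul." check: it rejects any request whose path names one of the reserved Windows device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) as a path segment or file stem, including the nul..cfm double-dot form, and answers with a bare 404 instead of a redirect, so the ColdFusion error page that reveals the physical path is never generated. CF 5 tag syntax is assumed, and the variable names are mine.

```cfml
<!--- Added example, not from the original post: drop requests whose path
      names a reserved Windows device before the template is ever compiled.
      Intended for the top of Application.cfm on CF 5 (assumed; tag syntax only). --->

<!--- Reserved device names. Any of these used as a file stem or path segment
      is handed to the OS as a device, which is what triggers the leaky error. --->
<cfset reservedDevices = "CON,PRN,AUX,NUL,COM1,COM2,COM3,COM4,COM5,COM6,COM7,COM8,COM9,LPT1,LPT2,LPT3,LPT4,LPT5,LPT6,LPT7,LPT8,LPT9">

<!--- On IIS, PATH_INFO usually repeats SCRIPT_NAME; joining them only means
      the same path is scanned twice, which is harmless. --->
<cfset requestPath = CGI.SCRIPT_NAME & "/" & CGI.PATH_INFO>
<cfset deviceRequested = false>

<cfloop list="#reservedDevices#" index="device">
  <!--- (^|/) anchors at the start of a path segment and ($|[./]) at its end,
        so /nul.cfm, /nul..cfm, /sub/con and /aux/ all match, while
        /nullable.cfm or /console.cfm do not. REFindNoCase ignores case. --->
  <cfif REFindNoCase("(^|/)" & device & "($|[./])", requestPath)>
    <cfset deviceRequested = true>
    <cfbreak>
  </cfif>
</cfloop>

<cfif deviceRequested>
  <!--- A plain 404 rather than a redirect: nothing tells the caller the name
        was recognised, and no CF error page (with its physical path) is built. --->
  <cfheader statuscode="404" statustext="Not Found">
  <cfcontent type="text/plain" reset="yes">Not Found
  <cfabort>
</cfif>
```

This only runs for requests IIS actually hands to ColdFusion (.cfm and whatever else is mapped to it); a device name requested with an extension IIS serves itself never reaches Application.cfm, which is where a web-server-level filter such as URLScan would have to do the job instead.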


______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with 
'unsubscribe' in the body or visit the list page at www.houseoffusion.com