> > I just tested this on my machine (Win2K, IIS 5, CF 5, all relevant OS and
> > CF hotfixes) and was able to replicate the results of the SecurityFocus
> > report, with all debugging options off.
>
> Now that's really worrying, because I'm on exactly the same as you, but have
> not been able to replicate it.
Ahem..... Ignore me doing this ~waves hand in the air~ I was being a Friday afternoon idiot..... Must remember to read and absorb all the details in an email.

nul.cfm does output the file path. I did try it out on some other DOS devices: for some I get the dreaded error and for some I get a login prompt, because I've got most of my box locked down in one way or another.

Yeah - MM's solution isn't great, but something else I do is shift everything from the default locations and lock everything down, so that only the appropriate user can access the various paths for my website storage. The information gleaned from these error messages is only useful if you can do something with it. I really don't think that this is something to get too worried about if you already treat the security of your server seriously.

Incidentally, I tried this in an application.cfm for a laugh....

    <cfif cgi.script_name contains "nul.">
        <cflocation url="http://www.disney.com/">
    </cfif>

and it worked.... Obviously you'd need to look at this a bit more closely, but the general principle works....

The nul..cfm seems to be caused somewhere else and possibly could be prevented with something like the URLScan plug-in for IIS, but then that could kill off fusebox fuseaction dot notation or similar. Not that that would worry some of you... ;oD

Regards
Stephen

______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
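The `contains "nul."` check above only catches one device name and would also match harmless names like `nullable.cfm`. Below is an added example (not from Stephen's post or from ColdFusion itself) of the same idea done more precisely, in Python for illustration: a request filter that resolves each path segment the way Windows does (base name before the first dot, trailing spaces stripped, case-insensitive) and rejects only real DOS device names, so dotted Fusebox-style file names pass untouched. The function names and the 404 response code are my choices.

```python
from typing import Optional
from urllib.parse import unquote

# Windows reserved device names. A path segment whose base name (text before
# the first dot, trailing spaces stripped) matches one of these is opened as
# the device rather than as a file, which is why nul.cfm and nul..cfm reach an
# error path that leaks the physical file path instead of a plain 404.
RESERVED_DEVICES = {"con", "prn", "aux", "nul"}
RESERVED_DEVICES |= {f"com{i}" for i in range(1, 10)}
RESERVED_DEVICES |= {f"lpt{i}" for i in range(1, 10)}


def device_name_of(segment: str) -> Optional[str]:
    """Return the reserved device name a path segment resolves to, or None."""
    base = segment.split(".", 1)[0].rstrip(" ").lower()
    return base if base in RESERVED_DEVICES else None


def is_device_path(script_name: str) -> bool:
    """True if any segment of the URL-decoded request path names a DOS device.

    Decoding once mirrors what the web server hands to the application
    (CGI.SCRIPT_NAME); backslashes are normalised because Windows accepts
    either separator.
    """
    path = unquote(script_name).replace("\\", "/")
    return any(device_name_of(seg) is not None for seg in path.split("/") if seg)


def filter_request(script_name: str) -> int:
    """Assumed filter hook: 404 for device paths, 200 to let the request through.

    Returning a plain 404 (rather than redirecting, as the cflocation trick
    does) means the client learns nothing about the server's file layout.
    """
    return 404 if is_device_path(script_name) else 200


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    for p in ["/nul.cfm", "/nul..cfm", "/app/COM1.cfm", "/home.main.cfm", "/nullable.cfm"]:
        print(f"{p:20} -> {filter_request(p)}")
```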
