Is index.cfm still set to be the default index page?

Steve

----- Original Message -----
From: "Alf Gardner" <[EMAIL PROTECTED]>
To: "CF-Server" <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 7:15 PM
Subject: passing variables in the url with /

> Greetings,
>
> According to nessus (and several websites) there are buffer-overflows in the
> following application mappings from IIS5.0 that could cause an attacker
> to denial of service or gain remote root shell access to a windows box:
>
> htr      c:\winnt\system32\inetsrv\ism.dll    GET,POST
> printer  c:\winnt\system32\msw3prt.dll        GET,POST
> shtm     c:\winnt\system32\inetsrv\ssinc.dll  GET,POST
> shtml    c:\winnt\system32\inetsrv\ssinc.dll  GET,POST
>
> shtm/.shtml are file extensions that deal with server-side includes, .htr
> appears to deal somewhat with indexing and .printer has some application
> for printing.. though why you'd want people to print from a webpage I have
> no idea.
>
> Our client is currently using coldfusion with the fusebox application on
> top, but instead of passing variables in the standard way:
>
> http://www.client.com/index.cfm?fuseaction=foo
>
> they are passing variables to their script using urls that look like:
>
> http://www.client.com/index.cfm/foo
>
> and parsing the address field with a case statement keyed off what follows
> the "/". This had been working pretty well for them, up until I went to
> fix the insecure application mappings. When I removed the above mappings,
> the url
>
> http://www.client.com/index.cfm/foo
>
> no longer saw index.cfm as a script, and instead started throwing a 404
> error since obviously there is no index.cfm/foo directory. When we
> discovered this we attempted to put the application mappings back in
> place, but doing so had no effect, and we have yet to find a way to repair
> this functionality. From what I've been able to determine from the web,
> being able to pass variables in the manner that this client was doing is
> something they're really not supposed to be able to do, though it's not
> specifically prevented in the http spec, and therefore it varies by
> vendor as to how it's implemented, and it appears that Microsoft has decided
> to quit implementing it.
>
> Has anyone had this issue? Any solutions?
>
> Thanks.
>
> Alf
>
> Alf Gardner                          Bringing the Long Haul and
> COMFLUENT                            the Metro Core Together
> 910 15th St., Suite 751              303.376.1600
> Denver, Colorado 80202 USA           303.376.1601 fax
> [EMAIL PROTECTED]                    http://www.comfluent.net
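
The URL style in the quoted message depends on the server treating `index.cfm` as the script and `/foo` as extra path information. As an added illustration (not code from this thread, and a simplified model rather than how IIS or ColdFusion resolve requests), this Python sketch performs that split and accepts only allowlisted actions from either URL form; the extension set, action names and function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: extensions the server maps to a script engine.
SCRIPT_EXTENSIONS = {".cfm"}
# Assumption: the fuseactions the application actually implements.
ALLOWED_ACTIONS = {"foo", "home"}


def split_path_info(path, script_exts=SCRIPT_EXTENSIONS):
    """Return (script_path, path_info) for a URL path.

    Walks the segments left to right and stops at the first one whose
    extension is mapped to a script engine; the rest of the path is the
    extra path info. Returns (None, "") when no segment is a mapped
    script, the case in which a server has nothing to run.
    """
    segments = path.split("/")
    for i, seg in enumerate(segments):
        dot = seg.rfind(".")
        if dot != -1 and seg[dot:].lower() in script_exts:
            script = "/".join(segments[: i + 1])
            return script, path[len(script):]
    return None, ""


def resolve_action(url, default="home"):
    """Map both URL styles to one validated action name, or None (reject)."""
    parts = urlsplit(url)
    script, path_info = split_path_info(parts.path)
    if script is None:
        return None
    query = parse_qs(parts.query)
    if "fuseaction" in query:
        action = query["fuseaction"][0]      # index.cfm?fuseaction=foo
    elif path_info.strip("/"):
        action = path_info.strip("/")        # index.cfm/foo
    else:
        action = default
    # Allowlist: nested paths, "../" strings and unknown names are rejected.
    return action if action in ALLOWED_ACTIONS else None
```

Because the action is compared against a fixed set, whatever follows the "/" is never used as a file name or passed on unchecked.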
