you don't want your web site visitors accessing htr files anyway - let URLScan do its job. Same with printer commands - these are favorite channels for hackers/worms/ if you use shtm or shtml,. then this needs to be commented out in the URLScan ini file. and then web serves restarted.
----- Original Message ----- From: "Stephen Moretti" <[EMAIL PROTECTED]> To: "CF-Server" <[EMAIL PROTECTED]> Sent: Thursday, May 23, 2002 10:22 AM Subject: Re: passing variables in the url with / Sounds like you might have installed the URLScan.... Nothing wrong with that, but one of the things it does is redirects any URLs with multiple full stops or full stops in the middle of a URL to a 404 page. You need to have a tinker with the .ini file for it. Hope you didn't do this to your production server without testing it out on a dev server first... Regards Stephen ----- Original Message ----- From: "Alf Gardner" <[EMAIL PROTECTED]> To: "CF-Server" <[EMAIL PROTECTED]> Sent: Thursday, May 23, 2002 12:15 AM Subject: passing variables in the url with / > Greetings, > > Accord to nessus (and several websites) there are buffer-overflows in the > following application mappings from IIS5.0 that could cause an attacker > to denial of service or gain remote root shell access to a windows box: > > htr c:\winnt\system32\inetsrv\ism.dll GET,POST > printer c:\winnt\system32\msw3prt.dll GET,POST > shtm c:\winnt\system32\inetsrv\ssinc.dll GET,POST > shtml c:\winnt\system32\inetsrv\ssinc.dll GET,POST > > shtm/.shtml are file extensions that deal with server-side includes, .htr > appears to deal somewhat with indexing and .printer has some application > for printing.. though why you'd want people to print from a webpage I have > no idea. > > Our client is currently using coldfusion with the fusebox application on > top, but instead of passing variables in the standard way: > > http://www.client.com/index.cfm?fuseaction=foo > > they are passing variables to their script using urls that look like: > > http://www.client.com/index.cfm/foo > > and parsing the address field with a case statement key'd off what follows > the "/". This had been working pretty well for them, up until I went to > fix the insecure application mappings. when I removed the above mappings, > the url > > http://www.client.com/index.cfm/foo > > no longer saw index.cfm as a script, and instead started throwing a 404 > error since obviously there is no index.cfm/foo directory. When we > discovered this we attempted to put the application mappings back in > place, but doing so had no effect, and we have yet to find a way to repair > this functionality. From what I've been able to determine from the web, > being able to pass variables in the manner that this client was doing is > something they're really not supposed to be able to do, though its not > specifically prevented in the http spec, and there fore it varies by > vendor as to how its implemented, and it appears that Microsoft has decided > to quit implementing it. > > Has anyone had this issue? Any solutions? > > Thanks. > > Alf > > > > Alf Gardner Bringing the Long Haul and > COMFLUENT the Metro Core Together > 910 15th St., Suite 751 303.376.1600 > Denver, Colorado 80202 USA 303.376.1601 fax > [EMAIL PROTECTED] http://www.comfluent.net > > ______________________________________________________________________ Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm ------------------------------------------------------------------------------ To unsubscribe, send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
