I haven't tried this, but have you tried putting a mapping in place in
IIS, so it redirects /servlet to somewhere else, so that CF doesn't even
get passed the /servlet path from IIS? Perhaps to a page that
redirects, or a page that returns an error? IIS should be able to
intercept it before CF gets it, I would think.
-----Original Message-----
From: Steve K [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 11:32
To: CF-Server
Subject: Re: /servlet/
Thats the same reason we are trying to disable it! The only workaround
I can this of is to make a empty virtual directory in the webserver if
there is no way to disable it in CF.
Tim, give this link a try http://practicematch.com/servlet it will do
the same thing as our servers
Steve
----- Original Message -----
From: Mike Townend
To: CF-Server
Sent: Thursday, March 25, 2004 5:50 AM
Subject: RE: /servlet/
We'd like some info on this too, when we do a nessus check we get the
following vulnrabilities
Nessus scan revealed the following Vulnerabilities,
server setup
TYAN S2466
1Gb ECC Memory
Debian Linux (testing)
apache2-mpm-worker 2.0.48-7
ColdFusion 6.1
ServletExec has a servlet called 'UploadServlet' in its server
side classes. UploadServlet, when invokable, allows an
attacker to upload any file to any directory on the server. The
uploaded file may have code that can later be executed on the
server, leading to remote command execution.
Solution : Remove it
Risk factor : Serious
CVE : CVE-2000-1024
BID : 1876?
ServletExec has a servlet called 'UploadServlet' in its server
side classes. UploadServlet, when invokable, allows an
attacker to upload any file to any directory on the server. The
uploaded file may have code that can later be executed on the
server, leading to remote command execution.
Solution : Remove it
Risk factor : Serious
CVE : CVE-2000-1024
BID : 1876?
-----Original Message-----
From: Steve K [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 19:15
To: CF-Server
Subject: /servlet/
We are running CFMX on 2003web and if you hit
www.domainname.com/servlet you
get a generic cf error even though this directory is not there. Is
there a
way to disable this undocumented feature in MX so iis will return a
404.
Steve
_____
_____
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
