> Today, when I visited a famous site which has been
> running CF for a long time,
> click on any link to xxxxx.cfm, this happened:
>
> 'Action canceled. Internet Explorer was unable to link
> to the Web page....'
>
> File Download window pops up, saying:
> 'You have chosen to download file from this site
> [] open this file from current location
> [] save this file to disk '
>
> The cf page is then saved to my computer, I saw the
> entire page code, saw their path, their queries and
> database/table names,
> The query may look like this:
> <cfquery name="nm" datasource="dsn" username="unm"
> password ="psw">
> select xxx,xxx from xxxx,xxxx where xxx and xxx
> </cfquery>
>
> If it is an access database, I point to that path and
> database name, then the entire database could be saved
> to my computer.
>
> How/when could this happen? Is that correct when the
> CF server is down, all the cf files can be downloaded?

If the server is properly configured, this won't happen. Of course, if the
server is properly configured, the CF service would probably be running.
This particular problem could be resolved simply by placing the correct ACLs
on files. CF scripts on most servers need to be executed, but not read, by
the CF service, and don't need to be read by the web server itself. If the
web server was IIS, simply removing the read ACL for the anonymous user
should prevent this, so that even if the CF server was uninstalled and the
ISAPI mapping for CF scripts was removed, the files wouldn't be accessible.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
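
A monitoring check for the failure discussed in this thread, as an added example that is not part of the original messages: given the headers and body returned for a .cfm URL on your own site, it reports whether unprocessed CFML source came back and which connection attributes of a `<cfquery>` tag were visible, without recording their values. The function name, result keys and sample responses are constructed for illustration.

```python
import re

# Any raw CFML tag. A page that merely documents CFML shows "&lt;cfquery",
# which does not match, so only unprocessed source is flagged.
CFML_TAG = re.compile(r"</?cf[a-z_]+\b", re.IGNORECASE)
CFQUERY_OPEN = re.compile(r"<cfquery\b([^>]*)>", re.IGNORECASE)
# Attribute names taken from the sample query quoted in the thread.
SENSITIVE_ATTRS = ("datasource", "username", "password")
RENDERED_TYPES = ("text/html", "application/xhtml+xml")


def check_cfm_response(headers, body):
    """Classify one HTTP response fetched for a .cfm URL (hypothetical helper)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    disposition = hdrs.get("content-disposition", "").lower()
    tags = sorted({m.group(0).lstrip("</").lower()
                   for m in CFML_TAG.finditer(body)})
    exposed = set()
    for m in CFQUERY_OPEN.finditer(body):
        for attr in SENSITIVE_ATTRS:
            # Record only the attribute name, never its value.
            if re.search(r"\b%s\s*=" % attr, m.group(1), re.IGNORECASE):
                exposed.add(attr)
    return {
        "source_exposed": bool(tags),
        "served_as_download": ctype not in RENDERED_TYPES
                              or "attachment" in disposition,
        "cfml_tags": tags,
        "exposed_attributes": sorted(exposed),
    }


# Constructed sample responses: one processed page, one raw template.
HEALTHY = ({"Content-Type": "text/html; charset=utf-8"},
           "<html><body><table><tr><td>1</td></tr></table></body></html>")
LEAKED = ({"Content-Type": "application/octet-stream"},
          '<cfquery name="nm" datasource="dsn" username="unm"\n'
          'password ="psw">\nselect a, b from t\n</cfquery>\n'
          '<cfoutput query="nm">#a#</cfoutput>\n')

if __name__ == "__main__":
    for label, (h, b) in (("healthy", HEALTHY), ("leaked", LEAKED)):
        print(label, check_cfm_response(h, b))
```
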