> I simply prefix any file that shouldn't be run directly with
> dsp_ or act_ or similar, and add
>
> <cfif reFind("/..._", cgi.script_name)>
> <cflocation url="">
> </cfif>
>
> to application.cfm. Tell me why that's less secure.
Let's say someone finds a security hole in your web server that allows
people to get files under the web root - like the infamous ::$DATA or
.+htr (not sure about that second one) - even with your code above I
would be able to read your _dsp or _act files.
===========================================================================
Raymond Camden, ColdFusion Jedi Master for Mindseye, Inc
(www.mindseye.com)
Member of Team Macromedia (http://www.macromedia.com/go/teammacromedia)
Email : [EMAIL PROTECTED]
Blog : www.camdenfamily.com/morpheus/blog
Yahoo IM : morpheus
"My ally is the Force, and a powerful ally it is." - Yoda
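The defence the reply points at is to keep the fragment files where a web-server bug cannot serve them at all, and treat the application.cfm check as a second layer only. The following is an added example, not code from either poster: it assumes a ColdFusion mapping named /app_inc that points to a directory outside the web root (created in the CF Administrator), and the file names act_load_order.cfm and dsp_order.cfm are made up for illustration.

```cfml
<!--- application.cfm: second-line check only. The real protection is that
      dsp_*/act_* files are not under the web root, so a raw-file disclosure
      hole in the web server (the ::$DATA style of bug) has nothing to read.
      The pattern is anchored on the final path component so a directory
      named dsp_, or a file such as /foo_bar.cfm, does not trip it. --->
<cfif reFindNoCase("/(dsp|act)_[^/]*$", cgi.script_name)>
    <!--- Someone requested a fragment directly; send them to the front page. --->
    <cflocation url="/index.cfm">
</cfif>

<!--- index.cfm (under the web root): pull the fragments in through the
      /app_inc mapping. Assumed mapping: /app_inc -> D:\sites\example\include,
      which is NOT beneath the web root, so the web server never sees it.
      cfinclude resolves the leading /app_inc via the mapping, not via the
      web server, so the files stay unreachable by URL. --->
<cfinclude template="/app_inc/act_load_order.cfm">
<cfinclude template="/app_inc/dsp_order.cfm">
```

With this layout the application.cfm redirect can only ever fire for a fragment that has been copied back under the web root by mistake; it is no longer the thing standing between a server-level source-disclosure bug and the file contents.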
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4