As I said, this information is given to you without having to do any work.
It is rather trivial to profile the outside interfaces of a server, but when
a company makes itself stick out by having things like this happen on a
regular and long-term basis, it can make that company more susceptible to
intrusion. If nothing else, it makes them look bad. It's a legitimate concern
when a company doesn't use their own product to set a positive and
impressive example. But then, Allaire has historically put security on the
back burner in their products. I remember when Allaire first introduced the
web based administrator in CF, 2.0 or 3.0, without requiring any
authentication or authorization at all. You could go to any CF-based site
and shut it down, 'click'. Their response was along the lines of, "but, but
... that's just not fair." As a matter of fact, I met and talked to Jeremy
Allaire during this period and questioned him on this matter and he told me
flat out that during the development cycle security was definitely put on a
back burner to features and time schedule. This business philosophy
continues as evidenced by the security holes in 4.x. Microsoft endures
unending criticism for its philosophy of features before security, and Sun
has been blasted for various holes in the JRE and Sandbox architectures.
Where's the outcry to Allaire? People want to use CF to create Internet
environments that form the foundation of e-commerce but don't seem overly
concerned about the security of the product until AFTER someone exploits it.
I say "hats off" to RFP, Matt Chapman, and the others who have exposed
weaknesses in Allaire's products. At least they take the time to look.
Steve
-----Original Message-----
From: Philip Arnold - ASP [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: You know what would be really cool?
> It may seem innocent enough but from this error message you know:
>
> 1) Using IIS
> 2) .. therefore, using NT
This can be found out through other means though - they're actually running
IIS4... therefore NT4
From this info you could run attack attempts to check vulnerabilities, but
that'd be illegal
BTW, if you want to check what someone is running, I find this site very
useful
http://www.netcraft.com/whats
Philip Arnold
ASP Multimedia Limited
T: +44 (0)20 8680 1133
"Websites for the real world"
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.