Sure. Open the IIS manager Right click on a site and choose Properties Click the Home Directory tab Click the Configuration button (lower right of dialog) Click the .cfm extension and choose 'Edit' The lower left checkbox: "Check that File Exists"
If you leave that on (the default) IIS will throw its own 404 if it does not find a page named foo.cfm/blah/blah (which of course it won't). Once you make this setting CF will become responsible for handling 404's to .cfm pages, which is where you can get into trouble via that bugtraq bit. ------------------------------------------- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com ------------------------------------------- ---------- Original Message ---------------------------------- From: Gyrus <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Tue, 08 Jul 2003 22:25:37 +0100 >At 14:07 08/07/2003 -0700, you wrote: >> >I can't see what this security issue has to do with SE >> > friendly URLs, please explain? >> >>To make SES urls work (i.e. foo.cfm/parm/value) you have to shut OFF the >>setting for "verify that pages exist" in IIS. > >I've been trying to figure out why that method worked on one server but not >another, but I've never found a setting in IIS similar to "verify that >pages exist". Could you point out where this option is set in the IIS >Management Console? > >Gyrus >[EMAIL PROTECTED] >play: http://norlonto.net/ >work: http://tengai.co.uk/ >PGP key available > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

