Sure.

Open the IIS manager
Right click on a site and choose Properties
Click the Home Directory tab
Click the Configuration button (lower right of dialog)
Click the .cfm extension and choose 'Edit'
The lower left checkbox: "Check that File Exists"

If you leave that on (the default) IIS will throw its own 404 if it does not find a 
page named foo.cfm/blah/blah (which of course it won't).  Once you make this setting 
CF will become responsible for handling 404's to .cfm pages, which is where you can 
get into trouble via that bugtraq bit.

-------------------------------------------
 Matt Robertson,     [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------


---------- Original Message ----------------------------------
From: Gyrus <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 08 Jul 2003 22:25:37 +0100

>At 14:07 08/07/2003 -0700, you wrote:
>> >I can't see what this security issue has to do with SE
>> > friendly URLs, please explain?
>>
>>To make SES urls work (i.e. foo.cfm/parm/value) you have to shut OFF the 
>>setting for "verify that pages exist" in IIS.
>
>I've been trying to figure out why that method worked on one server but not 
>another, but I've never found a setting in IIS similar to "verify that 
>pages exist". Could you point out where this option is set in the IIS 
>Management Console?
>
>Gyrus
>[EMAIL PROTECTED]
>play: http://norlonto.net/
>work: http://tengai.co.uk/
>PGP key available 
>
>
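The checkbox described in the reply above is stored per extension in the site's ScriptMaps setting, so it can be audited across many mappings without opening each dialog. The following is an added example, not code from the thread: it assumes the IIS 5/6 metabase entry format `ext,executable,flags[,verbs]`, where flag bit 4 is "Check that File Exists", and the sample entries and paths are constructed placeholders.

```python
"""Audit IIS ScriptMaps entries for the "Check that File Exists" flag."""
from typing import NamedTuple

# Metabase ScriptMaps flag bits (IIS 5/6).
MD_SCRIPTMAPFLAG_SCRIPT = 1           # engine may run in "Scripts only" directories
MD_SCRIPTMAPFLAG_CHECK_PATH_INFO = 4  # the "Check that File Exists" checkbox


class ScriptMap(NamedTuple):
    extension: str
    executable: str
    flags: int
    verbs: tuple

    @property
    def checks_file_exists(self) -> bool:
        return bool(self.flags & MD_SCRIPTMAPFLAG_CHECK_PATH_INFO)


def parse_script_map(entry: str) -> ScriptMap:
    """Parse one 'ext,executable,flags[,verb,...]' entry.

    Assumes the executable path contains no commas.
    """
    parts = [p.strip() for p in entry.strip().split(",")]
    if len(parts) < 3:
        raise ValueError(f"not a ScriptMaps entry: {entry!r}")
    ext, exe, flags = parts[0], parts[1], int(parts[2])
    verbs = tuple(v.upper() for v in parts[3:] if v)  # empty means all verbs
    return ScriptMap(ext.lower(), exe, flags, verbs)


def unchecked_extensions(entries):
    """Extensions whose script engine, not IIS, answers requests for missing files."""
    maps = [parse_script_map(e) for e in entries if e.strip()]
    return sorted(m.extension for m in maps if not m.checks_file_exists)


# Constructed sample entries; the paths are placeholders, not from the thread.
SAMPLE = [
    r".asp,C:\example\asp.dll,5,GET,HEAD,POST",
    r".cfm,C:\example\cf_connector.dll,1",  # checkbox cleared to allow SES URLs
    r".cfc,C:\example\cf_connector.dll,5",
]

if __name__ == "__main__":
    for ext in unchecked_extensions(SAMPLE):
        print(f"{ext}: IIS does not verify the file; the engine handles 404s")
```

Any extension this reports is one where 404 handling has moved from IIS to the script engine, which is the condition the reply warns about.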