>> app_globals.cfm???

It isn't because it is a certain template - just that it is a template... it
does the EXACT same thing with app_globals.cfm....

-----Original Message-----
From: Dan Haley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?


Wow, that's ugly.  You don't even need to do the refresh, just view the
source of the page and it is right there.  It only seems to work if you know
the directory where application.cfm exists.  If you are operating with a
single application.cfm you can move it up one directory, outside of the web
root, and it doesn't work.  It also doesn't appear to work with other .cfm
files.

<cf_fuseboxplug>
        Don't use application.cfm - use app_globals.cfm.  :)
</cf_fuseboxplug>

Dan

-----Original Message-----
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 9:27 AM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the URL. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm.

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this? It seems to happen on
all CFserver versions 4.x + running IS4.0 with Service Pack 5.

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions

<Allaire Premier Partner>
Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]

----------------------------------------------------------------------------
--
Archives: http://www.mail-archive.com/[email protected]/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
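
The request shape described in this thread (a template name with +.htr appended) can be looked for in web server logs. The following is an added example, not part of the original messages: the log lines, client addresses, paths other than application.cfm and app_globals.cfm, the W3C field layout, and the treatment of an encoded space as a variant of "+" are all assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed W3C extended log lines (addresses, paths and field order are
# sample values for this example, not data from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-08-03 09:20:11 192.0.2.10 GET /index.cfm - 200
2000-08-03 09:21:02 192.0.2.44 GET /application.cfm+.htr - 200
2000-08-03 09:21:05 192.0.2.44 GET /application.cfm+.htr - 200
2000-08-03 09:22:40 192.0.2.51 GET /shop/app_globals.cfm%2B.htr - 200
2000-08-03 09:23:00 192.0.2.10 GET /admin/change.htr - 200
2000-08-03 09:24:00 192.0.2.77 GET /Application.CFM%20.HTR - 404
"""

# A template path followed by "+.htr". Assumption: a percent-encoded "+" or
# space before ".htr" is treated as the same request shape after decoding.
PROBE = re.compile(r"(?P<template>/.*\.[a-z0-9]+)[+ ]\.htr$", re.IGNORECASE)

def find_htr_probes(log_text):
    """Return one record per request whose URI stem is <template>+.htr."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        values = line.split()
        if line.startswith("#") or not fields or len(values) != len(fields):
            continue                        # directive, blank or malformed row
        row = dict(zip(fields, values))
        match = PROBE.search(unquote(row.get("cs-uri-stem", "")))
        if match:
            hits.append({"client": row.get("c-ip"),
                         "template": match.group("template"),
                         "status": row.get("sc-status")})
    return hits

def exposed_templates(hits):
    """Templates answered with 200, so their source may have been served."""
    return sorted({h["template"].lower() for h in hits if h["status"] == "200"})

if __name__ == "__main__":
    probes = find_htr_probes(SAMPLE_LOG)
    for p in probes:
        print(p["client"], p["status"], p["template"])
    print("review for exposure:", exposed_templates(probes))
```

A plain request for a real .htr file is not flagged; only a template name followed by +.htr is.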