If the default context (/) maps to \jrun\servers\default, and /cfmx maps
to \jrun\servers\default\cf, and CF is not installed in the default
context, then yes, any files requested from url/cf/ would indeed return
the files without CF processing them. In such a setup if you request the
file as url/cfmx then CF will process the request, but a request via
url/cf would not be processed by CF.
--- Ben
-----Original Message-----
From: Richard Crawford [mailto:[EMAIL PROTECTED]
Sent: Monday, February 09, 2004 12:28 PM
To: CF-Talk
Subject: Security Issue?
We've discovered that if you go to our website, and remove the "cfmx"
context root from the URL, you can see the Cold Fusion code behind the
website.
I'm guessing that this is probably due to a configuration error
somewhere in our system. I'm not sure how much of a security risk this
is since we send no information in the clear and all of our database
interactions are done through stored procedures, but it's still
obviously something I'd like to take care of.
We're using
Cold Fusion MX (pre 6.1, but with latest patches applied)
JRun 4 (latest patches applied)
Apache 2.0.44
Solaris 9
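
Added example, not part of the original thread or of any Macromedia tooling: a small audit of the overlap Ben describes, where a directory served through a context with CF installed is also reachable through a context without it. The context table uses the two mappings from the reply; the function names, the tag list and the sample bodies are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Context root -> (directory it maps to, is CF installed in this context?)
# These two mappings are the ones described in the reply above.
CONTEXTS = {
    "/": (r"\jrun\servers\default", False),
    "/cfmx": (r"\jrun\servers\default\cf", True),
}

def unprocessed_aliases(contexts):
    """Return (alias_url_prefix, cf_context_root) pairs where the directory of
    a CF context sits inside the directory of a context that has no CF."""
    findings = []
    for cf_root, (cf_dir, has_cf) in contexts.items():
        if not has_cf:
            continue
        cf_path = PureWindowsPath(cf_dir)
        for root, (directory, other_has_cf) in contexts.items():
            if other_has_cf or root == cf_root:
                continue
            try:
                rel = cf_path.relative_to(PureWindowsPath(directory))
            except ValueError:
                continue  # directories are not nested, so no second route
            alias = root.rstrip("/") + "/" + "/".join(rel.parts)
            findings.append((alias.rstrip("/") or "/", cf_root))
    return findings

# CFML tags that should never appear in a response CF has processed.
CFML_TAG = re.compile(
    r"<cf(?:query|set|if|output|include|component|function)\b", re.I)

def looks_like_cfml_source(body):
    """True when a response body still contains unprocessed CFML tags."""
    return bool(CFML_TAG.search(body))

# Constructed sample bodies: the same page served raw and served processed.
RAW_SAMPLE = '<cfset title = "Home"><cfoutput>#title#</cfoutput>'
RENDERED_SAMPLE = "<html><body>Home</body></html>"

if __name__ == "__main__":
    for alias, cf_root in unprocessed_aliases(CONTEXTS):
        print(f"{alias}/ serves the files of {cf_root}/ without CF processing")
    print("raw body flagged:", looks_like_cfml_source(RAW_SAMPLE))
```

A finding means the overlap has to be removed in the server configuration; the body check can then confirm, against your own site, that the alias no longer returns source.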

