then lets hope they dont have the "show ip address" extension for firefox.........
~Dave the disruptor~ "Some people just don't appreciate how difficult it is to dispense wisdom and abuse at the same time." ---------------------------------------- From: "Mark A Kruger" <[EMAIL PROTECTED]> Sent: Friday, October 07, 2005 9:25 AM To: CF-Talk <[email protected]> Subject: RE: ColdFusion Security Holes - Best Practices Phil, >From a security standpoint there is the address of the server via DNS (easily obtained) and then there is the address of the server as it exists on the internal network or DMZ of the host. Depending on the network setup this may be quite different and in certain instances can be valuable to a malicious programmer. -Mark -----Original Message----- From: Phill B [mailto:[EMAIL PROTECTED] Sent: Friday, October 07, 2005 8:15 AM To: CF-Talk Subject: Re: ColdFusion Security Holes - Best Practices For what its worth, I have never had a problem finding the IP address for a server using nslookup on my PC. Not to mention what you can find out using these sites. http://www.dnsreport.com/ http://www.dnsstuff.com/ You can change how errors are shown by making changes in the debugging section of the CF Admin. Phil On 10/7/05, [EMAIL PROTECTED] wrote: > I heard a challenge from a security consultant that "if you are using ColdFusion you do not have a secure server." He maintains that CF is full of things a hacker can access. For example he gave the following example. If you attempt to open a CF website with the following command it will generate an error message that gives you the IP address of the CF server: > > sitename.org/*.cfm > > I tried this on a wide variety of sites and found that most CF sites return the error with the IP address. Some, however appear to trap this error somehow. > > What should be done on a CF server to prevent that type of error exposing the IP address of a CF server? > > This error is occuring prior to the execution of an application.cfm file in the host root directory so you cannot programatically trap it. > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220340 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
