K Simanonok wrote:
> Anyone use ScanAlert.com's HackerSafe product? They scan your website to
> look for security vulnerabilities and let you know when they find any. Well
> there's something called a Server Side Include Injection vulnerability which
> apparently can sometimes allow a hacker to access data and services they
> shouldn't, but even if they fail at that it is still considered a
> vulnerability to expose to a hacker the files and paths and error messages
> that may be generated.
>
> So today I got an alert from ScanAlert telling me that a site I manage has a
> vulnerability when this code is passed after the domain/ :
>
> '+serverRootUrl+'/s7ondemand/misc/email2friend.jsp

Remove the .jsp mapping from your webserver and from web.xml / default-web.xml / jrun-web.xml / whatever-web.xml. Restart CF and your webserver and you should get the standard 404 error from your webserver.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305140
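An added example, not part of the original thread: a Python check that lists the servlet mappings in a web.xml-style deployment descriptor that still route .jsp requests, so the mapping removal described in the reply can be confirmed before restarting. The sample descriptor and its servlet names are constructed, and `find_jsp_mappings` is a hypothetical helper name.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample descriptor; servlet names are illustrative only.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>JSPServlet</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>JSPServlet</servlet-name>
    <url-pattern>*.JSPX</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    """Drop any XML namespace so old and new descriptor versions both match."""
    return tag.rsplit("}", 1)[-1]

def find_jsp_mappings(xml_text, extensions=(".jsp", ".jspx")):
    """Return (servlet-name, url-pattern) pairs that still route JSP requests."""
    hits = []
    for mapping in ET.fromstring(xml_text).iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name, patterns = "", []
        for child in mapping:
            text = (child.text or "").strip()
            if _local(child.tag) == "servlet-name":
                name = text
            elif _local(child.tag) == "url-pattern":
                patterns.append(text)  # Servlet 2.5+ allows several per mapping
        hits += [(name, p) for p in patterns if p.lower().endswith(extensions)]
    return hits

if __name__ == "__main__":
    # Pass descriptor paths as arguments; with none, the constructed sample is used.
    docs = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_WEB_XML]
    for doc in docs:
        for name, pattern in find_jsp_mappings(doc):
            print(f"still mapped: {pattern} -> {name}")
```

An empty result for every descriptor the server loads means no servlet mapping in those files routes .jsp requests; the web server's own connector mapping has to be checked separately.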

