"If there's a default web accessible URL path for uploaded files" Well that's why you don't do it. I have done it but I don't anymore.
That's true with any server, any platform, any scripting language; I don't know why they are making this out to be a CF-only issue. I have 3 HDs: #1 is the OS and apps, #2 is partitioned with 99.9% of it being backup stuff and the rest is just a few folders that the uploads go into and run thru doing what needs to be done with them. #3 is the web server. So .cfm files can only be run out of the #3 HD. So if I upload the files to an isolated partition with min permissions, how would they run that CF file? That drive isn't accessible from the web & I have no FTPs or any incoming connections to that drive. They could of course hack into the server itself and then move the file manually to the web server drive then go get it ;)

> If there's a default web accessible URL path for uploaded files, and
> that directory is configured to execute CF files, an attacker can
> simply upload a .cfm file, and run it to do anything CF can do:
> CFEXECUTE, access databases, connect to outbound FTP servers, etc. You
> may not allow the first of those, but it's far less likely you're
> blocking the others.
>
> Dave Watts, CTO, Fig Leaf Software
>
> -----Original Message-----
> From: Dave l <cfl...@jamwerx.com>
> Sent: Sunday, 05 July, 2009 09:46
> To: cf-talk <cf-talk@houseoffusion.com>
> Subject: Re: New CF8 vulnerability
>
>
> "There's nothing OS-specific about the vulnerability, as far as I can
> see."
> I'm sure it's more about a "location" that is easy to guess.. maybe the
> default fk one.
> Although them exe's are gonna have a bitch of a time running on a lt
> 1gb sectioned partition with no rights on my xserver.
>
> Too many people probably upload to /uploads (i'm guilty) so it
> shouldn't be too difficult.

Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324231
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
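One way to enforce the layout the thread argues for (uploads kept outside the web-served tree, and nothing the CF engine would execute stored under a guessable name), as an added Python example; this is not code from the thread or from any ColdFusion project, and the extension list and directory paths are assumptions:

```python
import os
import posixpath
import uuid
from typing import Optional

# Extensions the server-side engine would execute if the file landed under a
# web-served directory: .cfm/.cfml/.cfc for ColdFusion, .jsp for the J2EE
# container CF8 runs on. Assumed list for this example; extend per deployment.
CF_EXECUTABLE_EXTS = {".cfm", ".cfml", ".cfc", ".jsp"}


def is_outside_web_root(upload_dir: str, web_root: str) -> bool:
    """True when the resolved upload directory is not inside the web root.

    Symlinks and '..' segments are resolved first, so an upload dir that only
    looks separate (e.g. /srv/web/uploads/../../web/uploads) cannot pass.
    """
    up = os.path.realpath(upload_dir)
    root = os.path.realpath(web_root)
    try:
        return os.path.commonpath([up, root]) != root
    except ValueError:
        # Different drives on Windows: cannot be inside the web root.
        return True


def has_cf_executable_extension(filename: str) -> bool:
    """Reject a CF-executed extension in any position of the name, so both
    'shell.cfm' and 'shell.cfm.jpg' are refused (the latter to stay safe under
    handlers that match inner extensions)."""
    base = posixpath.basename(filename.replace("\\", "/")).lower()
    return any("." + part in CF_EXECUTABLE_EXTS for part in base.split(".")[1:])


def stored_name(original_name: str) -> Optional[str]:
    """Name to store the upload under, or None when it must be refused.

    The client-supplied base name is discarded (so the path is not guessable,
    unlike /uploads/<original>) and only the lower-cased extension is kept.
    """
    if has_cf_executable_extension(original_name):
        return None
    ext = os.path.splitext(original_name)[1].lower()
    return uuid.uuid4().hex + ext
```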