> I'm allowing people to FTP-upload into one of my web server directories, but > I don't want them to be able to upload and run cfm (or asp, etc) scripts. > > I right-clicked on the directory in IIS and changed "execute permissions" to > "none," but it seems the cfm files in that directory are still running.
You would have to set read but not execute in Windows Explorer or CACLS/XCACLS/whatever the new version of CACLS is. But the real answer is, as Ian indicated, don't let people upload files into a web directory. Even if you could disable them from running through CF, a user could upload a plain old HTML file with malicious JavaScript in it, and another user could conceivably run that. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325579 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4