Checking the mime-type and the extension is not secure. I can write a CFML file, name it as a PNG and try to display the image, but instead the code will be executed. You should know that.
Regards,
Andrew Scott
http://www.andyscott.id.au/

> -----Original Message-----
> From: Steve Bryant [mailto:[email protected]]
> Sent: Wednesday, 5 January 2011 9:12 AM
> To: cf-talk
> Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
>
> Andrew,
>
> Correct me if I am mistaken, but I thought that was if the system was
> checking *only* mime-type. The framework checks both mime-type AND file
> extension. I did check on that at the time of that exploit and ensured that our
> framework was protected from that exploit. If I have missed something on
> that, do let me know.
>
> The folder is set to allow reading and writing, but not execution. It has
> Application.cfm protection. I can ensure that the uploads are protected from
> unwanted files by BOTH mime-type and extension.
>
> The location can be configured to a location outside of the web root. I think,
> however, that it can be made safe enough to obviate the need for a severe
> warning on that front.
>
> If there is a specific threat that I have not addressed, however, I would
> certainly like to know.
>
> I have Googled this topic in the past, so a specific unaddressed vulnerability
> would be helpful if there is something that I have missed.
>
> Thanks,
>
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340430
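The point both posters circle around is that the client-supplied mime-type and the file's extension are both attacker-controlled, so an upload handler that wants to be sure it has received an image must inspect the bytes and must never let the web server see the stored file as something it can execute. The following is an added illustration, not code from the framework being beta-tested or from either poster. It assumes ColdFusion 9+ script syntax (fileUpload, isImageFile, fileMove are the built-in functions), a form field named "upload", and a hypothetical storage directory /var/app/uploads that sits outside the web root.

```cfml
<cfscript>
// Added example, not part of the framework discussed in the thread.
// Assumptions: form field "upload"; /var/app/uploads is a hypothetical
// directory outside the web root, so nothing stored there can be requested
// (or executed) by URL. Files are served back by a separate cfcontent handler.
uploadDir  = "/var/app/uploads/";
allowedExt = "png,jpg,jpeg,gif";

// 1. Land the file in the temp directory first. Until it passes every check
//    it must never sit anywhere the web server could serve or execute it.
//    The accept argument is left empty on purpose: it matches the client's
//    Content-Type header, which the client can set to anything.
result  = fileUpload(getTempDirectory(), "upload", "", "makeunique");
tmpPath = result.serverDirectory & "/" & result.serverFile;

try {
    // 2. Whitelist the extension ColdFusion assigned on the server
    //    (serverFileExt), not the client's original filename.
    if (!listFindNoCase(allowedExt, result.serverFileExt)) {
        throw(type="UploadRejected", message="Extension not allowed");
    }

    // 3. Check the content, not the name or the claimed mime-type.
    //    isImageFile() actually decodes the file, so a CFML script saved
    //    as foo.png with Content-Type image/png is rejected here.
    if (!isImageFile(tmpPath)) {
        throw(type="UploadRejected", message="Not a valid image");
    }

    // 4. Store under a server-generated name and an extension we chose;
    //    the client's filename never reaches the filesystem.
    storedName = createUUID() & "." & lCase(result.serverFileExt);
    fileMove(tmpPath, uploadDir & storedName);
}
catch (any e) {
    // Never leave a rejected upload lying around, even in the temp directory.
    if (fileExists(tmpPath)) {
        fileDelete(tmpPath);
    }
    rethrow;
}
</cfscript>
```

Two caveats a practitioner would want spelled out. First, isImageFile rejects a plain script with an image extension, but a real image with CFML appended still decodes as an image; the protection against that case is steps 1 and 4, keeping the stored file out of any path the server will ever interpret, which is why the "outside the web root" option in the quoted message is the part that matters, not the mime-type plus extension pair. Second, a folder with write but no execute permission at the OS level does not stop ColdFusion from compiling a .cfm it is asked to serve, since the engine reads the source, so filesystem execute bits are not a substitute for keeping uploads unreachable by URL.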

