How would CF server know to process a .cfm file unless you pre-configured your IIS or Apache to tell CF to process and execute PNGs? I'm honestly asking.
I agree that your files should not be in the webroot, but it sounds like you can easily use a dynamic loader script and configure the framework to save and load files in any location you would like. I don't think anyone is NOT agreeing with you about the security.

On Tue, Jan 4, 2011 at 5:25 PM, Andrew Scott <andr...@andyscott.id.au> wrote:

> Checking the mime-type and the extension is not secure.
>
> I can write a CFML, name it as a PNG and try to display the image, but
> instead the code will be executed. You should know that.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/
>
> > -----Original Message-----
> > From: Steve Bryant [mailto:st...@bryantwebconsulting.com]
> > Sent: Wednesday, 5 January 2011 9:12 AM
> > To: cf-talk
> > Subject: Re: Beta Tester Wanted for new CF (MVC) Framework
> >
> > Andrew,
> >
> > Correct me if I am mistaken, but I thought that was if the system was
> > checking *only* mime-type. The framework checks both mime-type AND file
> > extension. I did check on that at the time of that exploit and ensured that our
> > framework was protected from that exploit. If I have missed something on
> > that, do let me know.
> >
> > The folder is set to allow reading and writing, but not execution. It has
> > Application.cfm protection. I can ensure that the uploads are protected from
> > unwanted files by BOTH mime-type and extension.
> >
> > The location can be configured to a location outside of the web root. I think,
> > however, that it can be made safe enough to obviate the need for a severe
> > warning on that front.
> >
> > If there is a specific threat that I have not addressed, however, I would
> > certainly like to know.
> >
> > I have Googled this topic in the past, so a specific unaddressed vulnerability
> > would be helpful if there is something that I have missed.
> >
> > Thanks,
> >
> > Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340431
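As an added illustration of the point argued in this thread (example code written here, not code from the thread or from either framework), the following Python shows why an extension plus client-declared MIME check accepts a CFML file named `.png`, and what a content-based check and safe storage look like. The sample uploads, the `content_check`/`save_upload` function names and the upload directory are all constructed for the example; the upload directory stands in for a location outside the web root.

```python
import os
import secrets
import tempfile

# Constructed sample uploads (not from the thread). REAL_PNG carries a
# genuine PNG signature; FAKE_PNG is CFML that a client can send with a
# .png name and an image/png Content-Type.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
FAKE_PNG = b'<cfexecute name="/bin/id" variable="out" /><cfoutput>#out#</cfoutput>'

SAMPLE_UPLOADS = [
    ("photo.png", "image/png", REAL_PNG),
    ("shell.png", "image/png", FAKE_PNG),             # name and MIME both lie
    ("poly.png", "image/png", REAL_PNG + FAKE_PNG),   # real header, CFML after it
    ("notes.cfm", "text/plain", FAKE_PNG),
]

ALLOWED_EXT = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}
EXT_FOR_MIME = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}
MAGIC = {
    "image/png": (PNG_MAGIC,),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def extension_and_mime_check(filename: str, declared_mime: str) -> bool:
    """The check described in the thread: extension AND client-declared MIME type.
    Both values come from the client, so both can be chosen by the attacker."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ALLOWED_EXT.get(ext) == declared_mime


def sniff_mime(data: bytes):
    """Identify the type from the file's own bytes, ignoring name and headers."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def content_check(filename: str, declared_mime: str, data: bytes):
    """Return the verified MIME type, or None to reject the upload."""
    if not extension_and_mime_check(filename, declared_mime):
        return None
    sniffed = sniff_mime(data)
    if sniffed != declared_mime:
        return None  # shell.png: no PNG signature, so rejected here
    # Magic bytes do not stop a polyglot (valid header, CFML appended), so
    # also refuse anything that looks like CFML. This is a heuristic backstop;
    # the real control is where the file is stored and how it is served.
    if b"<cf" in data.lower():
        return None
    return sniffed


def save_upload(upload_dir: str, data: bytes, mime: str) -> str:
    """Store under a server-generated name whose extension comes from the
    verified type (never from the client's filename), with no execute bit.
    upload_dir is assumed to be outside the web root."""
    name = secrets.token_hex(16) + "." + EXT_FOR_MIME[mime]
    path = os.path.join(upload_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def stored_mode_bits(path: str) -> int:
    """Permission bits of a stored file, for checking the execute bit is absent."""
    return os.stat(path).st_mode & 0o777


def classify_uploads():
    """Verdict of each check per sample: (extension+mime, content-based)."""
    results = {}
    for filename, mime, data in SAMPLE_UPLOADS:
        weak = "accepted" if extension_and_mime_check(filename, mime) else "rejected"
        strong = "accepted" if content_check(filename, mime, data) else "rejected"
        results[filename] = (weak, strong)
    return results


def demo():
    """Run the samples through content_check and save_upload in a temporary
    directory (stand-in for the hypothetical out-of-webroot directory)."""
    upload_dir = tempfile.mkdtemp()
    stored = []
    for filename, mime, data in SAMPLE_UPLOADS:
        verified = content_check(filename, mime, data)
        if verified:
            stored.append(save_upload(upload_dir, data, verified))
    return stored


if __name__ == "__main__":
    for name, verdict in classify_uploads().items():
        print(f"{name:10s} extension+mime: {verdict[0]:8s} content: {verdict[1]}")
    for p in demo():
        print("stored as", p, oct(stored_mode_bits(p)))
```

Note that the extension-plus-MIME check accepts `shell.png` and `poly.png` because both the filename and the `Content-Type` are supplied by the client. Whether a stored file is then executed depends on the web server and CF handler mappings, which is why keeping uploads outside the web root (or serving them only through a loader script) matters more than any check on the upload itself.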