Steve,

This is one off, but this post explains how you can exploit the latency
between storing the file and handling or deleting it IF you store your temp
file in a web root accessible folder:

http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector

-Mark


Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
Skype: markakruger
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com



-----Original Message-----
From: Steve Bryant [mailto:st...@bryantwebconsulting.com] 
Sent: Tuesday, January 04, 2011 4:15 PM
To: cf-talk
Subject: Re: Beta Tester Wanted for new CF (MVC) Framework


David,

That is certainly another point altogether. As I said, the framework does
allow you to configure location and URL path for uploaded files which
*should* allow a URL path like "/file.cfm?file=".

I have added testing that as a relatively high-priority task for my next
round of work on the framework.

Thanks,

Steve

>To further Andrew's point,
>We typically create a script to deliver the requested file so we can run a
>bit of CF to properly name the file and ensure the user has a valid
>permission to even request it.  So with our basic framework we usually have
>a download.cfm script which will serve it up if all looks good.  Of course
>this isn't going to work for public sites where you want to take advantage
>of SEO spidering and all that.   However, as far as a base framework
>concept, I think they are on the right track, and someone needs to submit an
>improvement to the core and address this issue... Ahh the power of Open
>Source Development...
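The pattern David and Mark describe (uploads kept out of the web root, a download.cfm gatekeeper that checks permission and never lets the server execute or render the stored file), as an added example that is not code from this thread or from any framework. It assumes /var/cfuploads/ is a directory the web server does not serve, that session.userId is set at login, and that an uploads table records the owner of each stored name.

```cfml
<!--- upload.cfm (fragment): store the file where the web server cannot reach it.
      /var/cfuploads/ is an assumed directory outside the web root. --->
<cfset uploadRoot = "/var/cfuploads/">
<cffile action="upload" filefield="userfile" destination="#uploadRoot#"
        nameconflict="makeunique" result="up">
<!--- up.serverFile is the name actually written; record it with its owner (assumed table) --->
<cfquery datasource="#application.dsn#">
    INSERT INTO uploads (stored_name, owner_id)
    VALUES (<cfqueryparam value="#up.serverFile#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">)
</cfquery>

<!--- download.cfm: the only route by which a browser gets the bytes back --->
<cfset uploadRoot = "/var/cfuploads/">
<cfparam name="url.file" type="string" default="">

<!--- Must be logged in (session.userId is assumed to be set at login) --->
<cfif NOT structKeyExists(session, "userId")>
    <cfheader statuscode="403" statustext="Forbidden"><cfabort>
</cfif>

<!--- Accept only a bare file name: no separators, no "..", nothing that can leave uploadRoot --->
<cfif NOT reFind("^[A-Za-z0-9_.\-]+$", url.file) OR find("..", url.file)>
    <cfheader statuscode="400" statustext="Bad Request"><cfabort>
</cfif>

<!--- Belt and braces: canonicalise and confirm the result is still under uploadRoot --->
<cfset rootPath = createObject("java", "java.io.File").init(uploadRoot).getCanonicalPath()>
<cfset fullPath = createObject("java", "java.io.File").init(uploadRoot & url.file).getCanonicalPath()>
<cfif left(fullPath, len(rootPath)) NEQ rootPath OR NOT fileExists(fullPath)>
    <cfheader statuscode="404" statustext="Not Found"><cfabort>
</cfif>

<!--- Ownership: the caller must own this stored name --->
<cfquery name="qOwn" datasource="#application.dsn#">
    SELECT 1 FROM uploads
    WHERE stored_name = <cfqueryparam value="#url.file#" cfsqltype="cf_sql_varchar">
      AND owner_id    = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>
<cfif qOwn.recordCount EQ 0>
    <cfheader statuscode="403" statustext="Forbidden"><cfabort>
</cfif>

<!--- Serve as a download, never as a page: an uploaded .cfm or .html is only bytes here --->
<cfheader name="Content-Disposition" value="attachment; filename=""#url.file#""">
<cfheader name="X-Content-Type-Options" value="nosniff">
<cfcontent type="application/octet-stream" file="#fullPath#" deleteFile="no">
```

Because nothing under /var/cfuploads/ is ever mapped to a URL, the window between the file being written and the application handling it is not reachable from the web at all, which is the gap the linked post describes.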



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340445