Steve,

I'm personally not sure if yet another framework is needed; we have quite a
few now, from simple ones (cfwheels or FW/1) to all-singing, all-dancing OOP
behemoths (ColdBox), but kudos for trying and I hope it works out for you.
While I think all these security concerns are valid, and it would be great if
your framework handled these automatically, I think perhaps others are being
a bit harsh and jumping on your back a bit quickly. I wonder if the other
frameworks and popular open source apps have been scrutinised like this and
cover all these security bases and are this secure; I wouldn't like to bet
any money on it, and I certainly know that some of the ones I have used
really do little more than use CFPARAM or CFQUERYPARAM to protect against
injection, and there is certainly no consideration for the temp file
execution scenario. I have not read the entire conversation, so I do not know
the context of the file uploads inside the webroot, but if this is only for
installation/setup then I would not consider this a security concern, as only
the admin will be doing this and then presumably this feature will be
disabled anyway.

The most popular apps in the world with web-based installers do not even
cater for this scenario, WordPress for example; they simply make sure that
the installer/setup no longer works once you have completed the process, so
that a hacker cannot get in and mess with your site.

If that is not the context for this issue and it is uploads in general, then
I guess that is a moot point.


--
Russ Michaels
www.cfmldeveloper.com - Supporting the CF community since 1999
FREE ColdFusion/Railo hosting for developers.

blog: www.michaels.me.uk

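The two safeguards this message touches on, keeping uploaded files out of the webroot so that an uploaded .cfm can never be executed by requesting its URL, and disabling a web-based installer once setup has completed, as an added CFML example. This is not code from the original post, from Steve's framework or from any other project. The upload directory path, the lock-file location under WEB-INF, the form field name "uploadFile" and all function names are assumptions made for the example.

```cfml
<cfscript>
// Added example; not code from the framework under discussion or from any other project.
// Assumptions (all hypothetical): UPLOAD_DIR is an absolute path OUTSIDE the webroot,
// INSTALL_LOCK is a marker file under WEB-INF (which the web server does not serve),
// and the upload form posts a field called "uploadFile".
UPLOAD_DIR   = "/var/app/private_uploads";
INSTALL_LOCK = expandPath("/WEB-INF/installed.lock");
ALLOWED_EXT  = "jpg,jpeg,png,gif,pdf";      // allow list; .cfm/.cfc/.jsp are never on it

/* ---- installer guard: once setup has completed, every later call is refused ---- */
function installerIsLocked() {
    return fileExists(INSTALL_LOCK);
}

function lockInstaller() {
    fileWrite(INSTALL_LOCK, "installed " & now());
}

/* ---- upload handling ----
   The file is received into the CF temp directory (outside the webroot), checked,
   renamed to a random name and moved to UPLOAD_DIR.  Nothing is ever written under
   the webroot, so an uploaded script cannot be executed by requesting its URL. */
function receiveUpload(required string fieldName) {
    // On CF10+ (strict mode) fileUpload checks the accept list against the file
    // content rather than the browser-supplied type, and throws on a mismatch.
    var result  = fileUpload(getTempDirectory(), arguments.fieldName,
                             "image/jpeg,image/png,image/gif,application/pdf", "makeunique");
    var tmpPath = result.serverDirectory & "/" & result.serverFile;
    var ext     = lcase(result.serverFileExt);

    // Second, independent check: the extension the file was stored with must be allow-listed.
    if (!listFindNoCase(ALLOWED_EXT, ext)) {
        fileDelete(tmpPath);
        return { success = false, error = "File type not permitted" };
    }

    // Random stored name: the uploader can neither choose nor predict it.
    var storedName = createUUID() & "." & ext;
    fileMove(tmpPath, UPLOAD_DIR & "/" & storedName);
    return { success = true, storedName = storedName };
}

/* ---- serving a stored file back ----
   Because the files are not under the webroot they are streamed by a script, not
   fetched by URL.  Only names in the exact format receiveUpload produces are accepted,
   so "../" or a path to anything else is rejected before it reaches the filesystem.
   (cfheader/cfcontent in script syntax need CF11+ or Lucee; on older engines use the tags.) */
function sendStoredFile(required string storedName) {
    var pattern = "^[0-9a-f-]{35}\.(" & replace(ALLOWED_EXT, ",", "|", "all") & ")$";
    if (!reFindNoCase(pattern, arguments.storedName)) {
        throw(type="Application", message="Invalid file name");
    }
    var fullPath = UPLOAD_DIR & "/" & arguments.storedName;
    cfheader(name="Content-Disposition", value="attachment; filename=""" & arguments.storedName & """");
    cfcontent(type="application/octet-stream", file=fullPath, deleteFile=false);
}

// ---- usage in the installer / upload page ----
if (installerIsLocked()) {
    writeOutput("Setup has already been completed; the installer is disabled.");
    abort;
}
upload = receiveUpload("form.uploadFile");
if (!upload.success) {
    writeOutput(upload.error);
    abort;
}
// ... remaining setup steps go here, then:
lockInstaller();
</cfscript>
```

The insecure counterpart is the one-liner many installers use, `fileUpload(expandPath("/uploads"), "form.uploadFile")` with no accept list and no extension check: the file lands under the webroot with the name the client chose, so a `.cfm` upload is executable the moment it is requested at /uploads/. The example above avoids that by construction rather than by filtering: the destination is never inside the webroot, the stored name is random, and the lock file lives under WEB-INF so it cannot be fetched or overwritten through the web server.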

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340462