> I still have one question. In order to use CFFile to rewrite the > application.cfm file, wouldn't they have to get a file up on the site in the > first place?
Maybe, maybe not. The site could already have a file that does this "legitimately" that can accept malicious inputs (perhaps in /CFIDE or /cfdocs), or some other channel could be used to write a file with CF commands, such as database commands where the database has the ability to write to the filesystem (another thing that should probably be blocked as a matter of course, if the CF server and the database are even on the same machine). Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354269 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
