Not to mention that other technology exploits can allow a hacker into the
site, especially on shared hosting. I know of one site that was almost
hacked, but they gave up because they could not run the uploaded code. Now
even though this was an inconvenience to the web site, it was still good
enough to know that the code was stopped in its tracks.

The site runs an MVC framework with SES URLs, which means that the web site
didn't use Application.cfm, but they found a way to create a folder in
the webroot and upload the code for cffile and Application.cfm, but as
stated they were stopped in their tracks because they had no way to run this
code.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


On Tue, Feb 5, 2013 at 4:13 AM, Dave Watts <[email protected]> wrote:

>
> > I still have one question. In order to use CFFile to rewrite the
> application.cfm file, wouldn't they have to get a file up on the site in
> the first place?
>
> Maybe, maybe not. The site could already have a file that does this
> "legitimately" that can accept malicious inputs (perhaps in /CFIDE or
> /cfdocs), or some other channel could be used to write a file with CF
> commands, such as database commands where the database has the ability
> to write to the filesystem (another thing that should probably be
> blocked as a matter of course, if the CF server and the database are
> even on the same machine).
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
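One defensive check that follows from the incident Andrew describes (a new folder appearing in the webroot with its own Application.cfm) and the write channels Dave lists is a periodic sweep of the webroot for CFML files outside the locations an MVC front-controller site legitimately needs. The script below is an added example and is not code from either poster; the allow-list (a single index.cfm and Application.cfc in the webroot plus one framework directory), the directory layout and the sample files are constructed assumptions, so adjust them to the site's real layout before use.

```python
"""Sweep a ColdFusion webroot for CFML files outside an allow-list.

Added example for the cf-talk thread above, not the posters' own code.
Assumption: the site is an MVC front-controller application, so the only
legitimate CFML entry points are index.cfm and Application.cfc in the
webroot plus the framework directory.  Any other .cfm/.cfc/.cfml file is
reported, and an Application.cfm/.cfc in an unexpected folder is called
out separately because it would take over request handling for that
directory tree.
"""
import os
import shutil
import tempfile

CFML_EXTENSIONS = {".cfm", ".cfc", ".cfml"}
APP_FILES = {"application.cfm", "application.cfc"}

# Constructed allow-list for the demo site (adjust to the real layout).
ALLOWED_FILES = {"index.cfm", "Application.cfc"}
ALLOWED_DIRS = {"framework"}


def scan_webroot(webroot, allowed_files=ALLOWED_FILES, allowed_dirs=ALLOWED_DIRS):
    """Return a sorted list of (relative_path, reason) for CFML files
    that are neither in allowed_files nor under one of allowed_dirs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        rel_dir = "" if rel_dir == "." else rel_dir.replace(os.sep, "/")
        in_allowed_dir = any(
            rel_dir == d or rel_dir.startswith(d + "/") for d in allowed_dirs
        )
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in CFML_EXTENSIONS:
                continue  # static content is not executable by CF
            rel_path = f"{rel_dir}/{name}" if rel_dir else name
            if rel_path in allowed_files or in_allowed_dir:
                continue
            if name.lower() in APP_FILES:
                reason = ("unexpected Application file; would hijack request "
                          "handling for everything under " + (rel_dir or "/"))
            else:
                reason = "CFML template outside allow-listed locations"
            findings.append((rel_path, reason))
    return sorted(findings)


def build_demo_webroot():
    """Create a constructed webroot in a temp directory.  The uploads/tmp
    folder stands in for the attacker-created folder from the thread; the
    file contents are placeholders, only the paths matter to the scan."""
    root = tempfile.mkdtemp(prefix="cf_webroot_demo_")
    sample_files = {
        "index.cfm": "<!--- constructed sample --->",
        "Application.cfc": "<!--- constructed sample --->",
        "framework/core.cfc": "<!--- constructed sample --->",
        "uploads/images/logo.png": "constructed binary placeholder",
        "uploads/tmp/Application.cfm": "<!--- constructed sample --->",
        "uploads/tmp/w.cfm": "<!--- constructed sample --->",
    }
    for rel_path, body in sample_files.items():
        full = os.path.join(root, *rel_path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the constructed webroot, scan it, clean up, return findings."""
    root = build_demo_webroot()
    try:
        return scan_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it from a scheduled task against the live webroot and alert on any non-empty result; the two constructed files under uploads/tmp are the only ones reported for the demo tree, while the allow-listed entry points and the static image are ignored.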


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354270