> We've noticed the following error in our logs recurring recently:
> 
> "Error","TID=618","02/02/01","22:04:23","24.114.162.188","",
> "Invalid Request of CFDOCS\EXAMPLEAPP\EMAIL\APPLICATION.CFM 
> File You have requested a template with the name APPLICATION.CFM 
> or ONREQUESTEND.CFM. These file names are reserved by the 
> ColdFusion engine for the specification of application level 
> settings and therefore cannot be directly requested from a web
> client.If you are creating a template which is intended for 
> direct access by end users you should use a name other than 
> APPLICATION.CFM or ONREQUESTEND.CFM."
> 
> I remember reading about the above applications allowing 
> hackers to change data sources and such. Does anybody have 
> any more information? Or perhaps some remedies?

If your server is publicly available, you shouldn't have a CFDOCS directory,
as you shouldn't have installed documentation and examples. If you do have
those on there, remove them immediately. While you're at it, if you're
running IIS, make sure you don't have sample code, unnecessary ISAPI
extensions, etc. for that. As for people accessing application.cfm and
onrequestend.cfm directly, there isn't a huge amount of harm, as CF will
return the message you've noticed in your logs, rather than executing any
code.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
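As an added example that is not part of the original thread, the following sketch triages log entries like the one quoted above: it counts direct requests for the reserved templates per client address and flags any that target a path under CFDOCS, which indicates the documentation and examples are still installed. The field positions are assumed from the quoted entry, the function name `summarize_probes` is hypothetical, and the sample rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in the layout of the quoted entry (assumed order:
# severity, thread, date, time, client IP, empty field, message).
# Addresses are documentation ranges; the SHOP path is made up.
SAMPLE_LOG = r'''"Error","TID=618","02/02/01","22:04:23","192.0.2.10","","Invalid Request of CFDOCS\EXAMPLEAPP\EMAIL\APPLICATION.CFM
File You have requested a template with the name APPLICATION.CFM or ONREQUESTEND.CFM."
"Error","TID=619","02/02/01","22:04:25","192.0.2.10","","Invalid Request of CFDOCS\EXAMPLEAPP\EMAIL\ONREQUESTEND.CFM File"
"Error","TID=702","02/02/01","23:10:02","198.51.100.7","","Invalid Request of SHOP\APPLICATION.CFM File"
"Error","TID=703","02/02/01","23:11:40","198.51.100.7","","Request timed out"
'''

# Path that follows "Invalid Request of" and ends in a reserved template name.
PROBE = re.compile(r"Invalid Request of\s+(\S*(?:APPLICATION|ONREQUESTEND)\.CFM)", re.I)


def summarize_probes(log_text):
    """Map client IP -> request count, requested paths, and a CFDOCS flag."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "sample_dir": False})
    # csv.reader keeps a quoted message together even when it spans lines.
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7:
            continue  # blank or malformed line
        client_ip, message = row[4], row[6]
        match = PROBE.search(message)
        if not match:
            continue  # some other error, not a reserved-template request
        path = match.group(1).upper().replace("/", "\\")
        entry = hits[client_ip]
        entry["count"] += 1
        entry["paths"].add(path)
        # A request that resolved under CFDOCS means the docs are installed.
        if path.split("\\")[0] == "CFDOCS":
            entry["sample_dir"] = True
    return dict(hits)


if __name__ == "__main__":
    for ip, info in sorted(summarize_probes(SAMPLE_LOG).items()):
        note = "CFDOCS present, remove it" if info["sample_dir"] else "no CFDOCS path"
        print(f"{ip}: {info['count']} request(s), {note}: {sorted(info['paths'])}")
```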
