By adding +.htr to the URL you get a blank screen, then press refresh and
the source appears.
e.g. http://www.fusebox.org/index.cfm+.htr
see http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full for
details of the fix
Bert Dawson
ps apologies for any embarrassment to fusebox.org, but I figure they probably
removed the fix when they decided to release the source
:)
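The thread describes two ways a request can slip past the ColdFusion handler on IIS: a bogus `+.htr` appended to a .cfm URL, and the `::$DATA` alternate data stream suffix. As an added example (not code from any of the posters, and not Allaire's fix), the script below scans IIS W3C extended log lines for requests of either shape where the underlying file is a ColdFusion template, and reports whether the server answered 200, i.e. whether the source was probably handed out. The log excerpt, IP addresses and paths are constructed for the example; the `SCRIPT_EXTS` set and the function names are the author's own choices.

```python
"""Flag IIS requests that append a bogus suffix to a ColdFusion template.

Added example for this thread, not code from the original posts.  It looks
for the two source-disclosure request shapes discussed above: ".cfm+.htr"
and ".cfm::$DATA".  Every log line below is constructed, not real traffic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Extensions whose files must always be handed to the application server
# (ColdFusion here); serving them raw means leaking source.  Assumed set.
SCRIPT_EXTS = {".cfm", ".cfml"}

# A path followed immediately by one of the bogus suffixes.  The match is on
# the URL-decoded stem so "%2B.htr" is caught as well as "+.htr".
SUSPICIOUS = re.compile(r"^(?P<base>.+?)(?P<suffix>\+\.htr|::\$data)$", re.IGNORECASE)

# Constructed IIS W3C log excerpt.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-07-21 09:12:01 10.0.0.5 GET /index.cfm - 200
2000-07-21 09:12:07 10.0.0.5 GET /index.cfm+.htr - 200
2000-07-21 09:12:09 10.0.0.5 GET /app/login.cfm+.htr - 200
2000-07-21 09:13:40 10.0.0.9 GET /tools/changepw.htr - 404
2000-07-21 09:14:02 10.0.0.5 GET /index.cfm::$DATA - 200
2000-07-21 09:15:00 10.0.0.7 GET /index.cfm%2B.htr - 403
"""


@dataclass
class Finding:
    client: str
    stem: str        # URL-decoded cs-uri-stem
    technique: str   # "htr-append" or "ads-data"
    succeeded: bool  # True when the server answered 200


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Split one W3C log line into (client, stem, status); None for directives/blank lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, client, _method, stem, _query, status = parts[:7]
    return client, stem, int(status)


def classify(stem: str) -> Optional[str]:
    """Name the technique if the decoded stem is a script file plus a bogus suffix, else None."""
    decoded = unquote(stem)
    m = SUSPICIOUS.match(decoded)
    if not m:
        return None
    base = m.group("base").lower()
    ext = base[base.rfind("."):] if "." in base else ""
    if ext not in SCRIPT_EXTS:
        return None  # a genuine .htr file or a static resource, not a template
    return "htr-append" if m.group("suffix").lower() == "+.htr" else "ads-data"


def find_source_disclosure_attempts(log_text: str) -> List[Finding]:
    """Return one Finding per request that tried to fetch a template with a bogus suffix."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, stem, status = parsed
        technique = classify(stem)
        if technique:
            findings.append(Finding(client, unquote(stem), technique, status == 200))
    return findings


def successful_by_client(findings: List[Finding]) -> dict:
    """Count, per client IP, the attempts the server actually answered with 200."""
    counts: dict = {}
    for f in findings:
        if f.succeeded:
            counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_source_disclosure_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"{h.client} {h.technique:10s} {h.stem} {'DISCLOSED' if h.succeeded else 'blocked'}")
    print("successful attempts per client:", successful_by_client(hits))
```

A 200 on one of these requests is the signal worth paging on: after the Allaire/Microsoft fix is applied the same request should come back as an error, so the script doubles as a quick check that the fix is actually in place on a given host's logs.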
> -----Original Message-----
> From: BOROVOY Noam [mailto:[EMAIL PROTECTED]]
> Sent: 21 July 2000 08:35
> To: '[EMAIL PROTECTED]'
> Subject: RE: Security considerations with index.cfm
>
>
> Alan,
> The only thing you need to worry about regarding source code "leakage" is
> that the server somehow be fooled into handing it out without passing it
> first to Cold Fusion:
> 1. With IIS 4 - using the :$$DATA (see Allaire security bulletins)
> 2. With sp 6, adding on a .htm on the end of the URL might confuse things
>    (not sure about this...)
> 3. By any other of the many undocumented features (i.e. bugs ;-)
>
> So do what you can, and don't worry about what you can't...
> HTH,
> Noam
>
> ----------
> From: McCollough, Alan [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, 20 July 2000 17:43
> To: '[EMAIL PROTECTED]'
> Subject: Security considerations with index.cfm
>
> I was pondering the following thought this morning...
>
> Thinking about security and Fusebox.
> Thinking that if somebody wanted to discern all of your CFINCLUDEd
> templates, all they need is a source view of index.cfm, which they could get
> easily by constructing their own page and (for Windows folks) right-clicking
> on the hyperlink to save the code locally, as in:
> <a href="www.foo.com/index.cfm">I'm gonna steal your code</a>
> Then they could read the code, and by using the same technique as above,
> ultimately get all of your source code.
>
> Having never used CFCRYPT before, would it be an acceptable/worthwhile
> measure to CFCRYPT index.cfm, thus preventing exposure of underlying CF
> templates?
>
> Alan McCollough
> Web Programmer
> Alaska Native Medical Center
>
> ------------------------------------------------------------------------------
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.