I just tried this on a fusedoc not using <cf_BodyContent> and still saw all
the source code. Tried it on fusebox.org and saw the source code ... tried
on allaire's site and no source code ... also tried it on a site we have
running AbleCommerce and saw the source code.
-----Original Message-----
From: Douglas M. Smith [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 04, 2000 12:58 PM
To: [EMAIL PROTECTED]
Subject: RE: Security considerations with index.cfm
Hi Bert,
Thanks for letting us know about this security hole in FuseBox.
Do you know if this "+htr" bug is a feature of CF server in general or FuseBox
code in particular?
I am guessing that it is probably related to using the
thistag.generatedcontent in the <CF_BODYCONTENT> tag. But a lot of CF web
sites use this feature of CF. If so, it probably should be considered a
general CF security hole.
At 11:08 AM 8/4/00 +0100, you wrote:
>By adding +.htr to the URL you get a blank screen, then press refresh and
>the source appears.
>
>eg http://www.fusebox.org/index.cfm+.htr
>
>see http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full for
>details of fix
>
>Bert Dawson
>
>ps apologies for any embarrassment to fusebox.org, but I figure they probably
>removed the fix when they decided to release the source
>:)
>
>> -----Original Message-----
>> From: BOROVOY Noam [mailto:[EMAIL PROTECTED]]
>> Sent: 21 July 2000 08:35
>> To: '[EMAIL PROTECTED]'
>> Subject: RE: Security considerations with index.cfm
>>
>>
>> Alan,
>> The only thing you need to worry about regarding source code "leakage" is
>> that the server somehow be fooled into handing it out without passing it
>> first to Cold Fusion:
>> 1. With IIS 4 - using the :$$DATA (see Allaire security bulletins)
>> 2. With sp 6 adding on a .htm on the end of the URL might confuse things
>> (not sure about this...)
>> 3. By any other of the many undocumented features (i.e. bugs ;-)
>>
>> So do what you can, and don't worry about what you can't...
>> HTH,
>> Noam
>>
>> ----------
>> From: McCollough, Alan [SMTP:[EMAIL PROTECTED]]
>> Sent: Thursday, 20 July 2000 17:43
>> To: '[EMAIL PROTECTED]'
>> Subject: Security considerations with index.cfm
>>
>> I was pondering the following thought this morning...
>>
>> Thinking about security and Fusebox.
>> Thinking that if somebody wanted to discern all of your CFINCLUDEd
>> templates, all they need is a source view of index.cfm, which they could
>> get easily by constructing their own page and (for Windows folks)
>> right-clicking on the hyperlink to save the code locally, as in:
>> <a href="www.foo.com/index.cfm">I'm gonna steal your code</a>
>> Then they could read the code, and by using the same technique as above,
>> ultimately get all of your source code.
>>
>> Having never used CFCRYPT before, would it be an acceptable/worthwhile
>> measure to CFCRYPT index.cfm, thus preventing exposure of underlying CF
>> templates?
>>
>> Alan McCollough
>> Web Programmer
>> Alaska Native Medical Center
>>
>> ----------------------------------------------------------------------------
>> To Unsubscribe visit
>> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
>> send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
====================================================
Douglas M. Smith - Database Architect/Web Integration Specialist
====================================================
TeraTech Inc - Tools for Programmers(tm)
VisualBasic, Web (ColdFusion and ASP), Math and Statistics,
Access, SQL, programming tools & consulting
100 Park Ave, Suite 360, Rockville MD 20850 USA
Voice: 301-424-3903, Fax: 301-762-8185
http://www.teratech.com
====================================================
Email: [EMAIL PROTECTED]
Mobil/Cell Phone: (240) 601-5520
ICQ: 41044319
====================================================
Do you need a group calendar or scheduler?
How about a free ColdFusion Tag and Function Reference?
Go to http://www.teratech.com/freestuff.cfm
====================================================
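Added example, written for this archive page and not by any participant in the thread: a small Python scan over web-server request logs that flags the two request shapes the thread describes, a script path with "+.htr" appended (Bert's report) and a script path with the NTFS data-stream suffix (Noam's item 1, which the thread writes as ":$$DATA" and which the Allaire bulletins spell "::$DATA"). The W3C-style log layout, the sample log lines, and the list of script extensions checked are constructed assumptions, not anything the thread states; a site would adapt the field regex to its own IIS log format.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log lines in a simplified W3C/IIS layout:
# date time client method uri-stem uri-query status.  Not real traffic.
SAMPLE_LOG = """\
2000-08-04 11:08:02 10.0.0.5 GET /index.cfm - 200
2000-08-04 11:08:10 10.0.0.5 GET /index.cfm+.htr - 200
2000-08-04 11:08:15 10.0.0.9 GET /index.cfm%2B.htr - 200
2000-08-04 11:09:01 10.0.0.7 GET /login.asp::$DATA - 200
2000-08-04 11:09:30 10.0.0.2 GET /help/legacy.htr - 404
"""

# Script extensions whose source must never leave the server unprocessed.
# This list is an assumption for the example; extend it for your own site.
SCRIPT_EXT = r"\.(cfm|cfml|asp|dbm)"

SOURCE_DISCLOSURE_PATTERNS = [
    # "+.htr" appended to a script path: the ISM.DLL handler variant from the thread
    ("htr-suffix", re.compile(SCRIPT_EXT + r"\+\.htr$", re.I)),
    # "::$DATA" appended to a script path: the NTFS data-stream variant from the thread
    ("ntfs-stream", re.compile(SCRIPT_EXT + r"::\$DATA$", re.I)),
]

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_path(raw_uri: str):
    """Return the name of the matching disclosure pattern, or None.

    The path is percent-decoded first so that an encoded '+' (%2B) is
    judged the same way as a literal one.
    """
    path = unquote(urlsplit(raw_uri).path)
    for name, pattern in SOURCE_DISCLOSURE_PATTERNS:
        if pattern.search(path):
            return name
    return None


def scan_log(text: str):
    """Parse log lines and return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip header or malformed lines
        timestamp, client, method, uri, _query, status = m.groups()
        kind = classify_path(uri)
        if kind is not None:
            findings.append({
                "time": timestamp,
                "client": client,
                "method": method,
                "uri": uri,
                "status": int(status),
                "kind": kind,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} {finding['kind']:12} "
              f"{finding['uri']} -> {finding['status']}")
```

A 200 status on a flagged line is the case worth investigating, since it means the handler answered rather than rejecting the request; a 404 on the same shape is evidence the fix from the Allaire bulletin is in place. The plain ".htr" file at the end of the sample deliberately does not match, because the concern is a script extension with a trailing suffix, not legitimate .htr resources.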