That's just wonderful. I love Microsoft sometimes.

That doesn't seem to be a problem on one of my other servers; this URL seems to work fine:

http://www.secretagents.com/index.cfm+.htr

On that server I just went to http://windowsupdate.microsoft.com and
installed all the security patches it said I needed.  That site is
sweet.

Steve

"Douglas M. Smith" wrote:
> 
> Hi Bert,
> 
> Thanks for letting us know about this security hole in FuseBox.
> 
> Do you know if this "+htr" bug is a feature of CF server in general or FuseBox
> code in particular?
> 
> I am guessing that it is probably related to using the thistag.generatedcontent
> in the <CF_BODYCONTENT> tag.  But a lot of CF web sites use this feature of CF.
> If so, it probably should be considered a general CF security hole.
> 
> At 11:08 AM 8/4/00 +0100, you wrote:
> >By adding +.htr to the URL you get a blank screen, then press refresh and
> >the source appears.
> >
> >eg http://www.fusebox.org/index.cfm+.htr
> >
> >see http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full for
> >details of fix
> >
> >Bert Dawson
> >
> >ps apologies for any embarrassment to fusebox.org, but I figure they probably
> >removed the fix when they decided to release the source
> >:)
> >
> >> -----Original Message-----
> >> From: BOROVOY Noam [mailto:[EMAIL PROTECTED]]
> >> Sent: 21 July 2000 08:35
> >> To: '[EMAIL PROTECTED]'
> >> Subject: RE: Security considerations with index.cfm
> >>
> >>
> >> Alan,
> >> The only thing you need to worry about regarding source code "leakage" is
> >> that the server somehow be fooled into handing it out without passing it
> >> first to Cold Fusion:
> >> 1. With IIS 4 - using the ::$DATA (see Allaire security bulletins)
> >> 2. With sp 6 adding on a .htm on the end of the URL might confuse things
> >>    (not sure about this...)
> >> 3. By any other of the many undocumented features (i.e. bugs ;-)
> >>
> >> So do what you can, and don't worry about what you can't...
> >> HTH,
> >> Noam
> >>
> >>       ----------
> >>       From:  McCollough, Alan [SMTP:[EMAIL PROTECTED]]
> >>       Sent:  Thursday, 20 July 2000 17:43
> >>       To:  '[EMAIL PROTECTED]'
> >>       Subject:  Security considerations with index.cfm
> >>
> >>       I was pondering the following thought this morning...
> >>
> >>       Thinking about security and Fusebox.
> >>       Thinking that if somebody wanted to discern all of your CFINCLUDEd
> >>       templates, all they need is a source view of index.cfm, which they
> >>       could get easily by constructing their own page and (for Windows folks)
> >>       right-clicking on the hyperlink to save the code locally, as in:
> >>       <a href="www.foo.com/index.cfm">I'm gonna steal your code</a>
> >>       Then they could read the code, and by using the same technique as
> >>       above, ultimately get all of your source code.
> >>
> >>       Having never used CFCRYPT before, would it be an acceptable/worthwhile
> >>       measure to CFCRYPT index.cfm, thus preventing exposure of underlying CF
> >>       templates?
> >>
> >>       Alan McCollough
> >>       Web Programmer
> >>       Alaska Native Medical Center
> >>
> >> ------------------------------------------------------------------------------
> >> To Unsubscribe visit
> >> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> >> send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
> 
> ====================================================
> Douglas M. Smith - Database Architect/Web Integration Specialist
> ====================================================
> TeraTech Inc - Tools for Programmers(tm)
> VisualBasic, Web (ColdFusion and ASP), Math and Statistics,
> Access, SQL, programming tools & consulting
> 100 Park Ave, Suite 360, Rockville MD 20850 USA
> Voice: 301-424-3903, Fax: 301-762-8185
> http://www.teratech.com
> ====================================================
> Email: [EMAIL PROTECTED]
> Mobil/Cell Phone: (240) 601-5520
> ICQ: 41044319
> ====================================================
> Do you need a group calendar or scheduler?
> How about a free ColdFusion Tag and Function Reference?
> Go to http://www.teratech.com/freestuff.cfm
> ====================================================
> 
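A defender-side check for the two tricks this thread discusses, added here as an example and not code from any of the posters: it scans IIS W3C-style log lines (a constructed sample; the field order is assumed) for .cfm requests carrying the "+.htr" suffix or the NTFS "::$DATA" stream suffix, so an administrator can see whether such requests were made, and whether they were answered, before or after patching.

```python
import re

# Constructed IIS W3C-style log sample (not from the thread); field order is
# assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-08-04 11:08:01 10.0.0.5 GET /index.cfm - 200
2000-08-04 11:08:07 10.0.0.5 GET /index.cfm+.htr - 200
2000-08-04 11:08:09 10.0.0.5 GET /index.cfm+.htr - 200
2000-08-04 11:09:30 10.0.0.9 GET /app/index.cfm::$DATA - 200
2000-08-04 11:10:02 10.0.0.7 GET /images/logo.gif - 200
2000-08-04 11:10:15 10.0.0.7 GET /login.cfm+.HTR - 404
"""

# The two source-disclosure tricks discussed in the thread: a server-side
# script name followed by "+.htr" (so IIS hands the file to the .htr handler
# instead of ColdFusion) or by the NTFS "::$DATA" stream suffix.
SCRIPT_EXT = r"\.(?:cfm|cfml|asp)"
PATTERNS = {
    "htr-suffix": re.compile(SCRIPT_EXT + r"\+\.htr$", re.IGNORECASE),
    "ntfs-data-stream": re.compile(SCRIPT_EXT + r"::\$DATA$", re.IGNORECASE),
}

def parse_line(line):
    """Return (client, uri, status) for a data line, None for comments/blank."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[4], int(fields[6])

def scan_log(text):
    """Return (client, uri, status, rule) for every request matching a pattern."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, uri, status = parsed
        for name, rx in PATTERNS.items():
            if rx.search(uri):
                hits.append((client, uri, status, name))
    return hits

def served_ok(hits):
    """Hits answered with 200: the request was not refused, so the source may
    have been returned; a non-200 answer means the server rejected it."""
    return [h for h in hits if h[2] == 200]
```

Run it against a real log export once the .htr mapping has been removed or the patch applied: any remaining 200 hits are the requests worth investigating.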
