Tried it out; according to the security bulletin, this is an IIS bug.  Tried on
non-IIS site, and didn't see it; tried on an IIS server, on a number of both
CF *and* ASP pages, and got the source of each of them.

The Allaire security bulletin has a link to a Microsoft article with the patch to IIS.

gotta love MS :)

-- David Lakein

Bert Dawson wrote:

> By adding +.htr to the URL you get a blank screen, then press refresh and
> the source appears.
>
> eg http://www.fusebox.org/index.cfm+.htr
>
> see http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full for
> details of fix
>
> Bert Dawson
>
> ps apologies to any embarrassment to fusebox.org, but I figure they probably
> removed the fix when they decided to release the source
> :)
>
> > -----Original Message-----
> > From: BOROVOY Noam [mailto:[EMAIL PROTECTED]]
> > Sent: 21 July 2000 08:35
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: Security considerations with index.cfm
> >
> >
> > Alan,
> > The only thing you need to worry about regarding source code "leakage" is
> > that the server somehow be fooled into handing it out without passing it
> > first to Cold Fusion:
> > 1. With IIS 4 - using the :$$DATA (see Allaire security bulletins)
> > 2. With sp 6 adding on a .htm on the end of the URL might confuse things
> > (not sure about this...)
> > 3. By any other of the many undocumented features (i.e. bugs ;-)
> >
> > So do what you can, and don't worry about what you can't...
> > HTH,
> > Noam
> >
> >       ----------
> >       From:  McCollough, Alan [SMTP:[EMAIL PROTECTED]]
> >       Sent:  Thursday, 20 July 2000 17:43
> >       To:  '[EMAIL PROTECTED]'
> >       Subject:  Security considerations with index.cfm
> >
> >       I was pondering the following thought this morning...
> >
> >       Thinking about security and Fusebox.
> >       Thinking that if somebody wanted to discern all of your CFINCLUDEd
> >       templates, all they need is a source view of index.cfm, which they could get
> >       easily by constructing their own page and (for Windows folks) right-clicking
> >       on the hyperlink to save the code locally, as in:
> >       <a href="www.foo.com/index.cfm">I'm gonna steal your code</a>
> >       Then they could read the code, and by using the same technique as above,
> >       ultimately get all of your source code.
> >
> >       Having never used CFCRYPT before, would it be an acceptable/worthwhile
> >       measure to CFCRYPT index.cfm, thus preventing exposure of underlying CF
> >       templates?
> >
> >       Alan McCollough
> >       Web Programmer
> >       Alaska Native Medical Center
> >
> > ------------------------------------------------------------------------------
> >       To Unsubscribe visit
> > http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> > send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

--
============================================================
David Lakein -- ColdFusion, Visual Basic, Math+Statistics programmer
TeraTech Inc. - Tools for Programmers(tm)
100 Park Ave, Suite 360, Rockville MD 20850 USA
Voice: +1-301-424-3903,  Fax:301-762-8185
ICQ 46062028
Web: http://www.teratech.com
Email: mailto:[EMAIL PROTECTED]
============================================================
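
Added example, not part of the original messages: a log check for the two suffix tricks this thread names (`+.htr` appended to a script URL, and the data-stream suffix from the first item in Noam's list), so an administrator can see whether such requests reached an IIS server and were answered. The W3C extended log layout and the sample lines are constructed for illustration; the `.cfm`/`.asp` extension list is an assumption to adjust per site.

```python
import re
from urllib.parse import unquote

# Script extensions whose source should never be served raw (assumed list).
SCRIPT_EXT = r"\.(?:cfm|cfml|asp|asa)"
PATTERNS = {
    # index.cfm+.htr, as in Bert Dawson's message
    "htr-suffix": re.compile(SCRIPT_EXT + r"\+\.htr$", re.I),
    # data-stream suffix; accepts the thread's spelling and ::$DATA
    "data-stream": re.compile(SCRIPT_EXT + r"::?\$\$?DATA$", re.I),
}

# Constructed sample in W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-07-21 09:14:02 192.0.2.10 GET /index.cfm - 200
2000-07-21 09:14:07 192.0.2.44 GET /index.cfm+.htr - 200
2000-07-21 09:14:09 192.0.2.44 GET /login.asp%2B.htr - 404
2000-07-21 09:15:30 198.51.100.7 GET /index.cfm::$DATA - 200
2000-07-21 09:16:00 192.0.2.10 GET /docs/reset.htr - 200
"""

def classify(uri_stem):
    """Return the name of the matching trick, or None for a normal request."""
    decoded = uri_stem
    for _ in range(3):  # bounded percent-decoding so %2b and %252b normalise
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    for name, rx in PATTERNS.items():
        if rx.search(decoded):
            return name
    return None

def scan(lines):
    """Yield (client_ip, uri_stem, status, trick) for each flagged entry."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        trick = classify(row.get("cs-uri-stem", ""))
        if trick:
            yield row.get("c-ip"), row["cs-uri-stem"], row.get("sc-status"), trick

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Flagged entries with status 200 are the ones to follow up first, by confirming the IIS patch linked from the Allaire bulletin is installed on that host.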

