The patch is very simple to install. Just click the link
http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
find the MS site and the download via the link, and install it. Easy fix.

Nat Papovich
ICQ 32676414
"Whatever you do may seem insignificant,
but it is most important that you do it." -M. Gandhi


-----Original Message-----
From: Kevin Bridges [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 04, 2000 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: Security considerations with index.cfm


I just tried this on a fusedoc not using <cf_BodyContent> and still saw all
the source code.  Tried it on fusebox.org and saw the source code ... tried
on allaire's site and no source code ... also tried it on a site we have
running AbleCommerce and saw the source code.

-----Original Message-----
From: Douglas M. Smith [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 04, 2000 12:58 PM
To: [EMAIL PROTECTED]
Subject: RE: Security considerations with index.cfm


Hi Bert,

Thanks for letting us know about this security hole in FuseBox.

Do you know if this "+htr" bug is a feature of CF server in general or FuseBox
code in particular?

I am guessing that it is probably related to using the
thistag.generatedcontent in the <CF_BODYCONTENT> tag.  But a lot of CF web
sites use this feature of CF.  If so, it probably should be considered a
general CF security hole.


At 11:08 AM 8/4/00 +0100, you wrote:
>By adding +.htr to the URL you get a blank screen, then press refresh and
>the source appears.
>
>eg http://www.fusebox.org/index.cfm+.htr
>
>see http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full for
>details of fix
>
>Bert Dawson
>
>ps apologies for any embarrassment to fusebox.org, but I figure they probably
>removed the fix when they decided to release the source
>:)
>
>> -----Original Message-----
>> From: BOROVOY Noam [mailto:[EMAIL PROTECTED]]
>> Sent: 21 July 2000 08:35
>> To: '[EMAIL PROTECTED]'
>> Subject: RE: Security considerations with index.cfm
>>
>>
>> Alan,
>> The only thing you need to worry about regarding source code "leakage" is
>> that the server somehow be fooled into handing it out without passing it
>> first to Cold Fusion:
>> 1. With IIS 4 - using the :$$DATA (see Allaire security bulletins)
>> 2. With sp 6 adding on a .htm on the end of the URL might confuse things
>>    (not sure about this...)
>> 3. By any other of the many undocumented features (i.e. bugs ;-)
>>
>> So do what you can, and don't worry about what you can't...
>> HTH,
>> Noam
>>
>>       ----------
>>       From:  McCollough, Alan [SMTP:[EMAIL PROTECTED]]
>>       Sent:  Thursday, 20 July 2000 17:43
>>       To:  '[EMAIL PROTECTED]'
>>       Subject:  Security considerations with index.cfm
>>
>>       I was pondering the following thought this morning...
>>
>>       Thinking about security and Fusebox.
>>       Thinking that if somebody wanted to discern all of your CFINCLUDEd
>>       templates, all they need is a source view of index.cfm, which they
>>       could get easily by constructing their own page and (for Windows folks)
>>       right-clicking on the hyperlink to save the code locally, as in:
>>       <a href="www.foo.com/index.cfm">I'm gonna steal your code</a>
>>       Then they could read the code, and by using the same technique as
>>       above, ultimately get all of your source code.
>>
>>       Having never used CFCRYPT before, would it be an acceptable/worthwhile
>>       measure to CFCRYPT index.cfm, thus preventing exposure of underlying CF
>>       templates?
>>
>>       Alan McCollough
>>       Web Programmer
>>       Alaska Native Medical Center
>>
>> ----------------------------------------------------------------------------
>> To Unsubscribe visit
>> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
>> send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.


====================================================
Douglas M. Smith - Database Architect/Web Integration Specialist
====================================================
TeraTech Inc - Tools for Programmers(tm)
VisualBasic, Web (ColdFusion and ASP), Math and Statistics,
Access, SQL, programming tools & consulting
100 Park Ave, Suite 360, Rockville MD 20850 USA
Voice: 301-424-3903, Fax: 301-762-8185
http://www.teratech.com
====================================================
Email: [EMAIL PROTECTED]
Mobil/Cell Phone: (240) 601-5520
ICQ: 41044319
====================================================
Do you need a group calendar or scheduler?
How about a free ColdFusion Tag and Function Reference?
Go to http://www.teratech.com/freestuff.cfm
====================================================

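As an added defender-side example, not part of this thread and not code from Allaire, Fusebox or any poster, the following Python scans IIS W3C extended log lines for the request shape the thread describes: a resource with its own extension (index.cfm) with "+.htr" glued on the end, including the percent-encoded form. It also reports clients that repeat the request, since Bert notes the source only shows up on the refresh. The log field order and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample IIS W3C extended log lines (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-08-04 10:21:07 10.0.0.5 GET /index.cfm fuseaction=home 200
2000-08-04 10:21:12 10.0.0.9 GET /index.cfm+.htr - 200
2000-08-04 10:21:14 10.0.0.9 GET /index.cfm+.htr - 200
2000-08-04 10:21:20 10.0.0.9 GET /admin/index.cfm%2B.htr - 200
2000-08-04 10:22:01 10.0.0.7 GET /docs/my+notes.htm - 200
2000-08-04 10:22:05 10.0.0.7 GET /scripts/iisadmin/ism.dll - 403
"""

# A resource that already has an extension (.cfm, .asp, ...) followed by
# "+.htr" is the request shape discussed in the thread. A genuine .htr file,
# or a "+" that is just an encoded space in a normal name (my+notes.htm),
# does not match.
HTR_APPEND = re.compile(r"\.[a-z0-9]{1,5}\+\.htr$", re.IGNORECASE)


def parse_w3c_line(line):
    """Parse one W3C extended log line into a dict; None for directives/blanks."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:  # assumed field layout, see #Fields above
        return None
    date, time_, ip, method, stem, query, status = parts
    return {"date": date, "time": time_, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def is_htr_append(stem):
    """True if the URI stem is some other resource with '+.htr' appended."""
    # Decode once so %2B.htr is treated the same as +.htr
    # (unquote, unlike unquote_plus, leaves a literal '+' alone).
    return bool(HTR_APPEND.search(unquote(stem)))


def find_htr_requests(log_text):
    """Return (client ip, raw stem, status) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec and is_htr_append(rec["stem"]):
            hits.append((rec["ip"], rec["stem"], rec["status"]))
    return hits


def repeat_offenders(log_text, min_hits=2):
    """Clients that issued the pattern at least min_hits times.

    The thread says the first request returns a blank page and the refresh
    shows the source, so a repeat from one client is the stronger signal.
    """
    counts = defaultdict(int)
    for ip, _stem, _status in find_htr_requests(log_text):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for hit in find_htr_requests(SAMPLE_LOG):
        print("suspect:", hit)
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

On the sample above, the three requests from 10.0.0.9 are flagged and that client is reported as a repeat offender; the encoded-space file name and the plain index.cfm request are not. Apply the patch the thread links to regardless of what the logs show; the detector only tells you whether anyone tried.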