OUCH!
http://devex.allaire.com/developer/gallery/index.cfm+.htr


At 01:23 PM 8/4/2000 -0400, you wrote:
>I just tried this on a fusedoc not using <cf_BodyContent> and still saw all
>the source code.  Tried it on fusebox.org and saw the source code ... tried
>on allaire's site and no source code ... also tried it on a site we have
>running AbleCommerce and saw the source code.
>
>-----Original Message-----
>From: Douglas M. Smith [mailto:[EMAIL PROTECTED]]
>Sent: Friday, August 04, 2000 12:58 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Security considerations with index.cfm
>
>
>Hi Bert,
>
>Thanks for letting us know about this security hole in FuseBox.
>
>Do you know if this "+htr" bug is a feature of CF server in general or FuseBox
>code in particular?
>
>I am guessing that it is probably related to using the
>thistag.generatedcontent in the <CF_BODYCONTENT> tag.  But a lot of CF web
>sites use this feature of CF.  If so, it probably should be considered a
>general CF security hole.
>
>
>At 11:08 AM 8/4/00 +0100, you wrote:
> >By adding +.htr to the URL you get a blank screen, then press refresh and
> >the source appears.
> >
> >eg http://www.fusebox.org/index.cfm+.htr
> >
> >see http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full for
> >details of fix
> >
> >Bert Dawson
> >
> >ps apologies for any embarrassment to fusebox.org, but I figure they probably
> >removed the fix when they decided to release the source
> >:)
> >
> >> -----Original Message-----
> >> From: BOROVOY Noam [mailto:[EMAIL PROTECTED]]
> >> Sent: 21 July 2000 08:35
> >> To: '[EMAIL PROTECTED]'
> >> Subject: RE: Security considerations with index.cfm
> >>
> >>
> >> Alan,
> >> The only thing you need to worry about regarding source code "leakage" is
> >> that the server somehow be fooled into handing it out without passing it
> >> first to Cold Fusion:
> >> 1. With IIS 4 - using the ::$DATA (see Allaire security bulletins)
> >> 2. With SP 6 adding on a .htm on the end of the URL might confuse things
> >> (not sure about this...)
> >> 3. By any other of the many undocumented features (i.e. bugs ;-)
> >>
> >> So do what you can, and don't worry about what you can't...
> >> HTH,
> >> Noam
> >>
> >>       ----------
> >>       From:  McCollough, Alan [SMTP:[EMAIL PROTECTED]]
> >>       Sent:  Thursday, 20 July 2000 17:43
> >>       To:  '[EMAIL PROTECTED]'
> >>       Subject:  Security considerations with index.cfm
> >>
> >>       I was pondering the following thought this morning...
> >>
> >>       Thinking about security and Fusebox.
> >>       Thinking that if somebody wanted to discern all of your CFINCLUDEd
> >>       templates, all they need is a source view of index.cfm, which they
> >>       could get easily by constructing their own page and (for Windows folks)
> >>       right-clicking on the hyperlink to save the code locally, as in:
> >>       <a href="www.foo.com/index.cfm">I'm gonna steal your code</a>
> >>       Then they could read the code, and by using the same technique as
> >>       above, ultimately get all of your source code.
> >>
> >>       Having never used CFCRYPT before, would it be an acceptable/worthwhile
> >>       measure to CFCRYPT index.cfm, thus preventing exposure of underlying CF
> >>       templates?
> >>
> >>       Alan McCollough
> >>       Web Programmer
> >>       Alaska Native Medical Center
> >>
> >> ------------------------------------------------------------------------------
> >>       To Unsubscribe visit
> >> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> >> send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
>
>
>====================================================
>Douglas M. Smith - Database Architect/Web Integration Specialist
>====================================================
>TeraTech Inc - Tools for Programmers(tm)
>VisualBasic, Web (ColdFusion and ASP), Math and Statistics,
>Access, SQL, programming tools & consulting
>100 Park Ave, Suite 360, Rockville MD 20850 USA
>Voice: 301-424-3903, Fax: 301-762-8185
>http://www.teratech.com
>====================================================
>Email: [EMAIL PROTECTED]
>Mobil/Cell Phone: (240) 601-5520
>ICQ: 41044319
>====================================================
>Do you need a group calendar or scheduler?
>How about a free ColdFusion Tag and Function Reference?
>Go to http://www.teratech.com/freestuff.cfm
>====================================================
>


-------------------------------------------------------------
Transfer Online, Inc.
227 SW Pine Street, Suite 300
Portland, OR 97204
[P] 503.227.2950 [F] 503.227.6874
[W] www.transferonline.com [E] [EMAIL PROTECTED]

Personal Contact:
Dave DeVol
[E] [EMAIL PROTECTED]

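As an added example (not code from this thread, Allaire or Fusebox), a small log check that flags requests carrying the two suffixes discussed above, the "+.htr" trick and the "::$DATA" stream name, so a server admin can see whether anyone tried them before the fix went in. The log lines are constructed, and the field layout is assumed to be date, time, client IP, method, URI stem, query, status.

```python
"""Flag requests whose URL carries a suffix that could make IIS hand a
ColdFusion template to the wrong handler: the '+.htr' trick Bert reports
and the '::$DATA' stream suffix Noam lists. Added example, not list code."""
from urllib.parse import unquote

# Script extensions whose source should never be served raw.
SCRIPT_EXTS = (".cfm", ".cfml", ".asp")
# Suffixes that, appended to a script path, were known to divert the request.
SUSPICIOUS_SUFFIXES = ("+.htr", "::$data")

# Constructed W3C-extended-style records (not real traffic); assumed layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-08-04 13:20:01 192.0.2.10 GET /index.cfm - 200
2000-08-04 13:21:17 192.0.2.10 GET /index.cfm+.htr - 200
2000-08-04 13:21:40 192.0.2.10 GET /index.cfm%2B.htr - 200
2000-08-04 13:22:05 192.0.2.11 GET /index.cfm::$DATA fuseaction=home 200
2000-08-04 13:23:09 192.0.2.12 GET /images/logo.gif - 200
"""

def is_source_disclosure_attempt(uri_stem: str) -> bool:
    """True if the (possibly percent-encoded) path names a script file
    followed by a known diverting suffix, e.g. /index.cfm+.htr."""
    path = unquote(uri_stem).lower()  # %2B -> '+', %3A -> ':'; a literal '+' stays
    for suffix in SUSPICIOUS_SUFFIXES:
        if path.endswith(suffix) and path[: -len(suffix)].endswith(SCRIPT_EXTS):
            return True
    return False

def scan_log(text: str) -> list:
    """Return (client-ip, raw cs-uri-stem) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip W3C header directives
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        c_ip, uri_stem = fields[2], fields[4]
        if is_source_disclosure_attempt(uri_stem):
            hits.append((c_ip, uri_stem))
    return hits

if __name__ == "__main__":
    for ip, stem in scan_log(SAMPLE_LOG):
        print(f"{ip} requested {stem}")
```

Percent-encoded variants are decoded before matching, so a request logged as /index.cfm%2B.htr is caught the same as /index.cfm+.htr.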
