One thing to note is that MS say and Allaire repeat that "the vulnerability
could only be exploited under extremely restrictive conditions, and the most
valuable data in the files would be the least likely to actually appear in
the fragments sent to the user."
It seems like it may be true for ASP files (is this due to the <%%> tags??)
but this clearly isn't true for CFML files. I guess to IIS CFML just looks
like plain HTML -- something to ignore.
So while this might be a minor security problem with ASP, it's a much bigger
one with CFML on Windows hosts.
<!--- <% --->
Interestingly, if you wrap these tags around your code, it fixes it! I don't
recommend anybody do this -- I just thought it was interesting....
<!--- %> --->
Regards,
Matthew Walker
Electric Sheep Web Co.
http://www.electricsheep.co.nz/
--
Tel +64-3-374 2137
Fax +64-3-377 7930
Mobile +25-605 5747
P O Box 13-907, Armagh
Christchurch 8031
New Zealand