BTW...after applying the hot fixes from MS to our servers I was curious
about what exactly are *.htr files. MS mentioned something about them being
related to business application scripts? Anyone have a definition of the .htr
extension?

Sincerely,

Shane Witbeck
Webmaster
mailto:[EMAIL PROTECTED]
www.digitalsanctum.com




-----Original Message-----
From: Matthew Walker [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 05, 2000 9:58 AM
To: [EMAIL PROTECTED]
Subject: RE: Security considerations with index.cfm


One thing to note is that MS say and Allaire repeat that "the vulnerability
could only be exploited under extremely restrictive conditions, and the most
valuable data in the files would be the least likely to actually appear in
the fragments sent to the user."

It seems like it may be true for ASP files (is this due to the <%%> tags??)
but this clearly isn't true for CFML files. I guess to IIS CFML just looks
like plain HTML -- something to ignore.

So while this might be a minor security problem with ASP, it's a much bigger
one with CFML on Windows hosts.

<!--- <% --->
Interestingly, if you wrap these tags around your code, it fixes it! I don't
recommend anybody do this -- I just thought it was interesting....
<!--- %> --->

Regards,
Matthew Walker
Electric Sheep Web Co.
http://www.electricsheep.co.nz/

--
Tel +64-3-374 2137
Fax +64-3-377 7930
Mobile +25-605 5747
P O Box 13-907, Armagh
Christchurch 8031
New Zealand

------------------------------------------------------------------------------
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
