I had a look at the MS site, along with the recommended security guidelines.
The HTR seems like an extension for letting users change their passwords
through a web-browser. We simply have eliminated all these "feature"
extensions from our webservers, installing them one-by-one only on webs that
need the feature. Is there anyone who is using this "feature?"
Kind regards
Scott Talsma
team in medias GmbH
0241-470336-25
http://www.inmedias.de
http://e-commerce.inmedias.de
http://beratung.inmedias.de
-----Original Message-----
From: Shane Witbeck [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 5 August 2000 16:20
To: [EMAIL PROTECTED]
Subject: RE: Security considerations with index.cfm
BTW...after applying the hot fixes from MS to our servers I was curious
about what exactly *.htr files are. MS mentioned something about them being
related to business application scripts? Anyone have a definition of the .htr
extension?
Sincerely,
Shane Witbeck
Webmaster
mailto:[EMAIL PROTECTED]
www.digitalsanctum.com
-----Original Message-----
From: Matthew Walker [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 05, 2000 9:58 AM
To: [EMAIL PROTECTED]
Subject: RE: Security considerations with index.cfm
One thing to note is that MS say and Allaire repeat that "the vulnerability
could only be exploited under extremely restrictive conditions, and the most
valuable data in the files would be the least likely to actually appear in
the fragments sent to the user."
It seems like it may be true for ASP files (is this due to the <%%> tags??)
but this clearly isn't true for CFML files. I guess to IIS CFML just looks
like plain HTML -- something to ignore.
So while this might be a minor security problem with ASP, it's a much bigger
one with CFML on Windows hosts.
<!--- <% --->
Interestingly, if you wrap these tags around your code, it fixes it! I don't
recommend anybody do this -- I just thought it was interesting....
<!--- %> --->
Regards,
Matthew Walker
Electric Sheep Web Co.
http://www.electricsheep.co.nz/
--
Tel +64-3-374 2137
Fax +64-3-377 7930
Mobile +25-605 5747
P O Box 13-907, Armagh
Christchurch 8031
New Zealand
----------------------------------------------------------------------------
--
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.