Thanks Hugo;

So it seems like the security vulnerability is caused primarily by not
thinking about every possibility in your servlet config
(cfm,Cfm,CFm,CFM,cFM,cfM,cFm)... did I miss any other 3-letter ones?
IOW, while the web server is case-insensitive - the J2EE container
config is still not.

It is also the case if you are trying to block files through some kinds of rules, e.g. .cvsignore, .htaccess, etc.

On 5/14/2012 1:21 PM, Hugo Ahlenius wrote:
> You may have to be careful so that the handling and rules match different
> scenarios. If you have set up the cfml handler to process files named
> '.cfm', what happens when there is a request for a cFm file. If the handler
> is not processing the file, and the file system is not case sensitive (e.g.
> windows) then that file might be served as text instead - giving the
> client/attacker full access to your source code.

--
online documentation: http://openbd.org/manual/
google+ hints/tips: https://plus.google.com/115990347459711259462
http://groups.google.com/group/openbd?hl=en
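As an added example for this thread (not OpenBD's own code, nor anything from the posters), the script below audits a web.xml fragment for exactly the gap the exchange describes: it enumerates every upper/lower-case spelling of a request path, applies case-sensitive servlet url-pattern matching (extension, prefix and exact, as the Servlet specification defines them), and reports which spellings no servlet-mapping handles and which spellings no security-constraint blocks. On a case-insensitive file system such as Windows, every one of those spellings still names the same file on disk. The web.xml fragment, the servlet name and the paths are constructed for illustration.

```python
"""Audit web.xml url-patterns for case variants that a case-insensitive
file system would still resolve to the same file on disk.

Added example for this thread, not OpenBD's own code. Assumption: the
servlet container matches <url-pattern> values case-sensitively (as the
Servlet specification defines extension, prefix and exact mappings).
The web.xml fragment below is constructed for illustration.
"""
import itertools
import xml.etree.ElementTree as ET

# Constructed fragment: the CFML servlet is mapped for two spellings of
# the extension, and a security-constraint guards only one spelling of
# /.htaccess. Neither is a real OpenBD configuration.
SAMPLE_WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>cfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>cfmServlet</servlet-name>
    <url-pattern>*.CFM</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>dotfiles</web-resource-name>
      <url-pattern>/.htaccess</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def case_variants(text):
    """Every upper/lower-case spelling of text, sorted; characters without
    a case (dots, digits, slashes) contribute a single form."""
    choices = [sorted({ch.lower(), ch.upper()}) for ch in text]
    return sorted("".join(combo) for combo in itertools.product(*choices))


def pattern_matches(pattern, path):
    """Servlet-spec style matching, deliberately case-sensitive:
    '*.ext' extension mapping, '/prefix/*' path mapping, otherwise exact."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def url_patterns(web_xml, element):
    """Collect every <url-pattern> nested under elements of the given name."""
    root = ET.fromstring(web_xml)
    return [up.text.strip()
            for el in root.iter(element)
            for up in el.iter("url-pattern")]


def unguarded_variants(patterns, request_path):
    """Case variants of request_path that no pattern matches. On a
    case-insensitive file system each of them still names the same file."""
    return [v for v in case_variants(request_path)
            if not any(pattern_matches(p, v) for p in patterns)]


def audit(web_xml, request_path):
    """Report the spellings that escape the servlet mapping (the default
    servlet would serve the file as plain text) and the spellings that
    escape every security-constraint (nothing would block them)."""
    return {
        "not_handled": unguarded_variants(
            url_patterns(web_xml, "servlet-mapping"), request_path),
        "not_constrained": unguarded_variants(
            url_patterns(web_xml, "security-constraint"), request_path),
    }


if __name__ == "__main__":
    for path in ("/index.cfm", "/.htaccess"):
        report = audit(SAMPLE_WEB_XML, path)
        for key, variants in report.items():
            print(f"{path}: {len(variants)} spellings {key}, e.g. {variants[:4]}")
```

For a three-letter extension the enumeration yields 2^3 = 8 spellings, and with only `*.cfm` and `*.CFM` mapped the audit lists the six that the default servlet would still serve. The same function run against `/.htaccess` shows that an exact-match constraint on one spelling leaves every other spelling unblocked, which is the .htaccess/.cvsignore point above. The fix on the container side is to map or constrain every spelling (or to use a case-insensitive filter in front of the default servlet), and to keep source files outside the document root wherever the deployment allows it.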
