RE: Allaire ColdFusion Sample Script DoS Vulnerability
Notice the workaround...

"You should remove the CFDOCS directory. In a typical installation, that directory resides at: {webroot}/CFDOCS/"

Anyone that has the sample scripts on their production CF box should be flogged anyway. This isn't a ColdFusion vulnerability as much as it is an administration issue.

Aaron Johnson, MCSE, MCP+I
MINDSEYE, Inc.
phn 617.350.0339 fax 949.350.8884 icq 66172567
[EMAIL PROTECTED]

"Never forget that only dead fish swim with the stream." -- Malcolm Muggeridge

-----Original Message-----
From: Robert Everland [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 13, 2000 12:51 PM
To: CF-Talk
Subject: Allaire ColdFusion Sample Script DoS Vulnerability

http://www.securityfocus.com/frames/?content=/vdb/%3Fid%3D2094

Robert Everland III
Web Developer
Dixon Ticonderoga

~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Allaire ColdFusion Sample Script DoS Vulnerability
> Subject: Allaire ColdFusion Sample Script DoS Vulnerability

This is kind of silly. It's a sample script exploit. You should never install sample scripts onto any production server. Period. If you do, bad things can happen to you. In fact, by default, I think that CF doesn't even install sample scripts any more, unless you tell it to during the install process.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: Allaire ColdFusion Sample Script DoS Vulnerability
Ancient history. Remove Docs and Sample Apps. If I remember correctly, this was corrected with the release of 4.0.1.

Heath
RE: Allaire ColdFusion Sample Script DoS Vulnerability
This exploit should not affect most sites, considering sample code should not be installed on a production server in the first place. This goes back to other exploits that exist due to sample code that was installed by Allaire in previous versions.

Jeff Sarsoun
Re: Allaire ColdFusion Sample Script DoS Vulnerability
For those who fall victim to this .. *smack*! ;)

Todd Ashworth
RE: Allaire ColdFusion Sample Script DoS Vulnerability
> This exploit should not affect most sites

This is not quite true. Sadly most sites have the sample files installed, which is why these things continue to be a problem. Heck, AOL up until recently had the sample docs installed on one of their public sites. I know a major university that still has them installed on several servers. All you have to do is do an internet search for specific cfm files and you can find hundreds of sites.

- Steve
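The two practical points in this thread are Aaron's workaround (delete {webroot}/CFDOCS/) and Steve's observation that the sample scripts are still reachable on many public servers. The script below is an added example, not code from the thread, from Allaire, or from the SecurityFocus entry: it audits a local webroot for a CFDOCS tree and applies the removal, and it scans web server access-log lines (Common Log Format) for requests aimed at /CFDOCS/ so you can see whether anyone is probing for the samples. The webroot layout, the file names under CFDOCS and the log lines are all constructed for the example; the only path taken from the thread is the CFDOCS directory itself.

```python
"""Audit a ColdFusion webroot for the CFDOCS sample tree and flag requests to it.

Added example (not from the cf-talk thread). Everything under CFDOCS here
and every log line is constructed; only the directory name comes from the
workaround quoted in the thread.
"""
import os
import posixpath
import re
import shutil
import tempfile
from urllib.parse import unquote

SAMPLE_DIR = "CFDOCS"  # {webroot}/CFDOCS/ per the quoted workaround


def _cfdocs_path(webroot):
    """Locate the CFDOCS directory directly under webroot, matching the name
    case-insensitively (Windows file systems are), or return None."""
    for entry in os.listdir(webroot):
        target = os.path.join(webroot, entry)
        if entry.lower() == SAMPLE_DIR.lower() and os.path.isdir(target):
            return target
    return None


def find_cfdocs(webroot):
    """Return sorted webroot-relative paths of .cfm files under CFDOCS
    (URL-style separators), or [] when the sample tree is absent."""
    base = _cfdocs_path(webroot)
    if base is None:
        return []
    found = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            if name.lower().endswith(".cfm"):
                rel = os.path.relpath(os.path.join(root, name), webroot)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def remove_cfdocs(webroot):
    """Apply the workaround: delete {webroot}/CFDOCS. True if a tree was removed."""
    base = _cfdocs_path(webroot)
    if base is None:
        return False
    shutil.rmtree(base)
    return True


# Common Log Format: host ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalize_path(raw):
    """Decode and canonicalise a request path so /CfDocs/, /%43FDOCS/,
    /x/../CFDOCS/ and backslash variants all compare equal."""
    path = unquote(raw.split("?", 1)[0]).replace("\\", "/")
    return "/" + posixpath.normpath(path).lstrip("/")


def flag_cfdocs_requests(log_lines):
    """Return (host, raw_path, status) for each parseable request whose
    normalised path is /CFDOCS or lies under /CFDOCS/; unparseable lines skip."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalize_path(m.group("path")).lower()
        if norm == "/cfdocs" or norm.startswith("/cfdocs/"):
            hits.append((m.group("host"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed access-log sample: one normal request, three probes of the
# sample tree (plain, mixed case with a query string, percent-encoded),
# a look-alike directory that must NOT match, and a junk line.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2000:12:51:00 -0500] "GET /index.cfm HTTP/1.0" 200 1532',
    '10.0.0.9 - - [13/Dec/2000:12:52:10 -0500] "GET /CFDOCS/examples/index.cfm HTTP/1.0" 200 4012',
    '10.0.0.9 - - [13/Dec/2000:12:52:11 -0500] "GET /cfdocs/Examples/demo.cfm?x=1 HTTP/1.0" 200 880',
    '10.0.0.9 - - [13/Dec/2000:12:52:12 -0500] "GET /%43%46%44%4f%43%53/demo.cfm HTTP/1.0" 404 210',
    '10.0.0.7 - - [13/Dec/2000:12:53:00 -0500] "GET /cfdocsother/a.cfm HTTP/1.0" 200 100',
    'not a log line',
]


def demo_webroot():
    """Build a throwaway webroot containing a constructed CFDOCS tree, audit
    it, apply the workaround, audit again. Returns (before, removed, after)."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "CFDOCS", "examples"))
        for rel in ("index.cfm", "CFDOCS/index.cfm",
                    "CFDOCS/examples/demo.cfm", "CFDOCS/readme.txt"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<!--- constructed placeholder --->\n")
        before = find_cfdocs(root)
        removed = remove_cfdocs(root)
        after = find_cfdocs(root)
        return before, removed, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, removed, after = demo_webroot()
    print("sample .cfm files before:", before)
    print("CFDOCS removed:", removed, "| remaining:", after)
    for host, path, status in flag_cfdocs_requests(SAMPLE_LOG):
        print("CFDOCS probe:", host, path, status)
```

Run it against a real server by pointing find_cfdocs at the actual webroot and feeding flag_cfdocs_requests the access log; a 200 on a /CFDOCS/ path means the samples are live, while a run of 404s from one host is the search-and-probe activity Steve describes. The path normalisation matters because a naive `"/CFDOCS/" in line` check misses percent-encoded and mixed-case requests, which are exactly what a scanner sends.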