> Your comments raise a simple question:
>
> > 2. Remove the right to read files from whatever user the CF server is
> > running as (typically SYSTEM). All CF needs to be able to do
> > is execute.
>
> I presume this will not affect reading the contents of a file with
> cffile/read ??
No, I'd gue
>
To: <[EMAIL PROTECTED]>
Subject: Re: Allaire security problem - anyone know solution?
Message-ID: <00f601bffdc7$0caa9b90$7b1610cf@desktop>
Allaire security bulletin says
Originally Posted: May 22, 2000
Last Updated: May 22, 2000
Why are we just finding out that our entire Serve
--
>From: Dave Wilson [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, August 03, 2000 12:27 PM
>To: [EMAIL PROTECTED]
>Subject: Allaire security problem - anyone know solution?
>
>
>Hi all,
>
>One of my hosting clients has just made me aware of this major security
(CIT) [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 04, 2000 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?
As usual, no problem with O'Reilly WebSite Pro here.
>anyone know solution?
Yes ... for starters it can be found here
http://websit
r System Services
-Original Message-
From: Steve Pierce [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 9:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?
Problem doesn't seem to impact O'Reilly Website servers, only IIS.
- S
ECTED]
- Original Message -
From: pan <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 04, 2000 10:23 AM
Subject: IIS security problem -- not Allaire security problem - anyone know
solution?
> It seems fairly clear that the subject line of this thread needed
> c
It seems fairly clear that the subject line of this thread needed
changing.
Can anyone show the .htr vulnerability on a server other than IIS?
Pan
--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To
August 2000 19:10
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?
Wow, that's ugly. You don't even need to do the refresh, just view the
source of the page and it is right there. It only seems to work if you know
the directory where appli
EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?
You're kidding, right?
http://devex.allaire.com/developer/gallery/info.cfm?ID=B61C031D-2CE5-11D4-83D700508B94F85A&method=Full
http://www.rixsoft.com/ColdFusion/CFX/CFMEncrypt/
http://packetstorm.se
n one basket. Or, in this case, all of
their faith in a broken system.)
-Rick
-Original Message-
From: Johan Coens [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 04, 2000 3:46 AM
To: [EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?
One easy solution to do:
CFENCRYPT it
-Original Message-
From: Mooner Ent [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 4 augustus 2000 5:50
To: [EMAIL PROTECTED]
Subject: Re: Allaire security problem - anyone know solution?
Allaire security bulletin says
Originally Posted: May 22, 2000
.
- Original Message -
From: "Daniel J. Cody" <[EMAIL PROTECTED]>
Newsgroups: cf-talk
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 9:46 AM
Subject: Re: Allaire security problem - anyone know solution?
> Dave, I wasn't able to reproduce this on CF 4.5.1 on Linu
It's in a CFQuery, so it's just passing the command to whatever the dsn points to.
[EMAIL PROTECTED] wrote:
> > Please see:
> >
> > http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
>
> And then *really* see http://beta.allaire.com/login.cfm+.htr. They should eat their
>own d
:05 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?
I can't reproduce your results on any of the 3 systems I tried, including
Allaire's site. Do you have any more information?
> -Original Message-
> From: Dave Wil
n O'Keefe
> TriPoint Technologies
> [EMAIL PROTECTED]
> 954.501.3113
>
> -> -Original Message-
> -> From: Dave Wilson [mailto:[EMAIL PROTECTED]]
> -> Sent: Thursday, August 03, 2000 11:27 AM
> -> To: [EMAIL PROTECTED]
> -> Subject: Allaire sec
AIL PROTECTED]]
Sent: Thursday, August 03, 2000 4:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?
http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thu
IL PROTECTED]>
Sent: Thursday, August 03, 2000 2:09 PM
Subject: RE: Allaire security problem - anyone know solution?
> It also doesn't appear to work with other .cfm files.
> Hi all,
>
> One of my hosting clients has just made me aware of this major security
> problem and I'
From: "Jonathan Broome" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 3:36 PM
Subject: RE: Allaire security problem - anyone know solution?
>
> On my sites using SP6a, I couldn't get this to work. On other sites, I
> could. Unless som
ts, Jesse D" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 12:05 PM
Subject: RE: Allaire security problem - anyone know solution?
> I can't reproduce your results on any of the 3 systems I tried, including
> Allaire's site. Do you h
On Thu, 03 Aug 2000, Dave Wilson spewed forth into the void:
> Hi all,
>
> One of my hosting clients has just made me aware of this major security
> problem and I'm wondering if anyone knows how to eliminate it?
>
> Try calling the application.cfm template on any CF site with +.htr appended
> to
TECTED]'
Subject: RE: Allaire security problem - anyone know solution?
Wow, that's ugly. You don't even need to do the refresh, just view the
source of the page and it is right there. It only seems to work if you know
the directory where application.cfm exists. If you are operatin
> Please see:
>
> http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
And then *really* see http://beta.allaire.com/login.cfm+.htr. They should eat their
own dogfood, so to speak.
BTW, what's up with this from that page:
{CALL ValidateUser('#Form.UserName#', '#Form.Passwo
st 03, 2000 11:27 AM
>-> To: [EMAIL PROTECTED]
>-> Subject: Allaire security problem - anyone know solution?
>->
>->
>-> Hi all,
>->
>-> One of my hosting clients has just made me aware of this major security
>-> problem and I'm wondering if a
At 01:40 PM 8/3/00 , you wrote:
Dave,
As always, thanks for the wealth of information, explained clearly...
Your comments raise a simple question:
>2. Remove the right to read files from whatever user the CF server is
>running as (typically SYSTEM). All CF needs to be able to do is execute.
I
> Wow, that's ugly. You don't even need to do the refresh,
> just view the source of the page and it is right there. It
> only seems to work if you know the directory where application.cfm
> exists. If you are operating with a single application.cfm
> you can move it up one directory, outside of t
> Try calling the application.cfm template on any CF site with
> +.htr appended
> to the end of the url. You'll first see a blank page. Now hit
> refresh/reload
> and you'll see the full code of said application.cfm
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr
And they're definit
: Jonathan Broome; '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution? *FIX*
Dave,
I was only half-right earlier. Loading SP6a on a web server that had this
vulnerability *did not* fix the issue. However, after loading SP6a *and*
the hotfix availab
That fixed it for me
Dan
-> -Original Message-
-> From: Adam Breaux [mailto:[EMAIL PROTECTED]]
-> Sent: Thursday, August 03, 2000 12:31 PM
-> To: [EMAIL PROTECTED]
-> Subject: Re: Allaire security problem - anyone know solution?
->
->
-> Remove .htr mappings from
source code behavior.
Jonathan
-Original Message-
From: Jonathan Broome
Sent: Thursday, August 03, 2000 3:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?
On my sites using SP6a, I couldn't get this to work. On other sites, I
> One of my hosting clients has just made me aware of this
> major security
> problem and I'm wondering if anyone knows how to eliminate it?
>
> Try calling the application.cfm template on any CF site with
> +.htr appended
> to the end of the url. You'll first see a blank page. Now hit
> refresh/r
http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?
Hi all,
One of my hosting clients
t: Allaire security problem - anyone know solution?
Hi all,
One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?
Try calling the application.cfm template on any CF site with +.htr appended
to the end of the ur
Does it on my NT4/SP5 boxes here. Also on one running Win2k Server. Does not
do it on the sites I manage running NT4/SP6.
Ken
- Original Message -
From: Dave Wilson <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 12:26 PM
Subject: Allaire secu
PROTECTED]
Subject: Allaire security problem - anyone know solution?
Hi all,
One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?
Try calling the application.cfm template on any CF site with +.htr appended
to the
---
> -Original Message-
> From: Dave Wilson [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, August 03, 2000 12:27 PM
> To: [EMAIL PROTECTED]
> Subject: Allaire security problem - anyone know solution?
>
> Hi all,
>
> One of my ho
ROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?
Hi all,
One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?
Try calling the appl
> Subject: Allaire security problem - anyone know solution?
>
> Hi all,
>
> One of my hosting clients has just made me aware of this major security
> problem and I'm wondering if anyone knows how to eliminate it?
>
> Try calling the application.cfm template on any CF
ursday, August 03, 2000 11:27 AM
-> To: [EMAIL PROTECTED]
-> Subject: Allaire security problem - anyone know solution?
->
->
-> Hi all,
->
-> One of my hosting clients has just made me aware of this major security
-> problem and I'm wondering if anyone knows
Original Message-
-> From: Dave Wilson [mailto:[EMAIL PROTECTED]]
-> Sent: Thursday, August 03, 2000 11:27 AM
-> To: [EMAIL PROTECTED]
-> Subject: Allaire security problem - anyone know solution?
->
->
-> Hi all,
->
-> One of my hosting clients has just made me awar
PROTECTED]
Subject: Allaire security problem - anyone know solution?
Hi all,
One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?
Try calling the application.cfm template on any CF site with +.htr appended
to the e
Allaire security problem - anyone know solution?
The easiest solution is to remove the IIS
Allaire security problem - anyone know solution?
This is an IIS problem, not a CF problem.
[EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?
Hi all,
One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?
Try calling the application.cfm template on any CF site with +.htr appended
Dave, I wasn't able to reproduce this on CF 4.5.1 on Linux+Apache. I
think this might be more of an IIS issue than a CF one. Check out
http://www.securityfocus.com/focus/microsoft/iis/iismain.html for more
info on .htr issues.
.djc.
Dave Wilson wrote:
>
> Hi all,
>
> One of my hosting clients
: Thursday, August 03, 2000 12:27 PM
> To: [EMAIL PROTECTED]
> Subject: Allaire security problem - anyone know solution?
>
>
> Hi all,
>
> One of my hosting clients has just made me aware of this major security
> problem and I'm wondering if anyone knows how to eliminate it
> One of my hosting clients has just made me aware of this
> major security problem and I'm wondering if anyone knows
> how to eliminate it?
>
> Try calling the application.cfm template on any CF site with
> +.htr appended to the end of the url. You'll first see a blank
> page. Now hit refresh/rel
Remove .htr mappings from your web servers unless you need that
functionality. It's a known IIS hole.
- Original Message -
From: "Dave Wilson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 12:26 PM
Subject: Allaire security pro
-Original Message-
From: Kevin Queen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 1:22 PM
To: Dave Wilson [[EMAIL PROTECTED]]
Subject: RE: Allaire security problem - anyone know solution?
Dave,
I have seen this same error in ASP with ::$DATA, the way to fix that one is
Dave:
Please see:
http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
-Jesse Noller
-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?
Hi all,
One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?
Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload