How do I remove execute permissions from a directory in IIS?

2009-08-20 Thread Philip Kaplan

I'm allowing people to FTP-upload into one of my web server directories, but
I don't want them to be able to upload and run cfm (or asp, etc) scripts.

I right-clicked on the directory in IIS and changed execute permissions to
none, but it seems the cfm files in that directory are still running.

Here's an example:
http://hitmelater.com/affiliate/index.cfm

Any ideas?


~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325567
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: How do I remove execute permissions from a directory in IIS?

2009-08-20 Thread Agha Mehdi

You can add application.cfm or Application.cfc to the folder and cfabort
any request. That will ensure that no cfm file is executed.

On Thu, Aug 20, 2009 at 11:21 AM, Philip Kaplan pkap...@gmail.com wrote:

> I'm allowing people to FTP-upload into one of my web server directories, but
> I don't want them to be able to upload and run cfm (or asp, etc) scripts.
>
> I right-clicked on the directory in IIS and changed execute permissions to
> none, but it seems the cfm files in that directory are still running.
>
> Here's an example:
> http://hitmelater.com/affiliate/index.cfm
>
> Any ideas?



Re: How do I remove execute permissions from a directory in IIS?

2009-08-20 Thread Philip Kaplan

That's a clever idea but I would preferably like to give users delete
permission on that directory, in which case someone could just delete the
application.cfm file.

On Thu, Aug 20, 2009 at 11:40 AM, Agha Mehdi aghaime...@gmail.com wrote:

> You can add application.cfm or Application.cfc to the folder and cfabort
> any request. that will ensure that no cfm file is executed
>
> On Thu, Aug 20, 2009 at 11:21 AM, Philip Kaplan pkap...@gmail.com wrote:
>
>> I'm allowing people to FTP-upload into one of my web server directories, but
>> I don't want them to be able to upload and run cfm (or asp, etc) scripts.
>>
>> I right-clicked on the directory in IIS and changed execute permissions to
>> none, but it seems the cfm files in that directory are still running.
>>
>> Here's an example:
>> http://hitmelater.com/affiliate/index.cfm
>>
>> Any ideas?



Re: How do I remove execute permissions from a directory in IIS?

2009-08-20 Thread sslone

Phil-
Your FTP folder should be below your web root - I believe anything in the
web path will be served via the browser. I don't think you can turn off
processing for a directory in the web path. If you are using the content of
the FTP as web content, you can use an upload function through ColdFusion
instead and allow only certain file types and extensions. 

/S

On Thu, 20 Aug 2009 11:21:53 -0700, Philip Kaplan pkap...@gmail.com wrote:

> I'm allowing people to FTP-upload into one of my web server directories, but
> I don't want them to be able to upload and run cfm (or asp, etc) scripts.
>
> I right-clicked on the directory in IIS and changed execute permissions to
> none, but it seems the cfm files in that directory are still running.
>
> Here's an example:
> http://hitmelater.com/affiliate/index.cfm
>
> Any ideas?



Re: How do I remove execute permissions from a directory in IIS?

2009-08-20 Thread Ian Skinner

ssl...@rubbergumball.net wrote:
> Phil-
> Your FTP folder should be below your web root -

I believe that quote should be above or outside or possibly not be
below.

I.E.  Yes, your FTP folder should have NO relation to your web root 
folder.  Only after you have scrutinized ANYTHING uploaded would you 
then move it to such a vulnerable location.



Re: How do I remove execute permissions from a directory in IIS?

2009-08-20 Thread Agha Mehdi

There are multiple ways you can do it depending on your setup.
1. Have your ftp folder below the web root
2. Add cfabort to a directory above the ftp folder in the web root so that
it stops any processing on any sub folders.
3. Uncheck all options (Read, Write etc) under Directory for that folder and
set the execute permission to None

On Thu, Aug 20, 2009 at 11:47 AM, Philip Kaplan pkap...@gmail.com wrote:

> That's a clever idea but I would preferably like to give users delete
> permission on that directory, in which case someone could just delete the
> application.cfm file.
>
> On Thu, Aug 20, 2009 at 11:40 AM, Agha Mehdi aghaime...@gmail.com wrote:
>
>> You can add application.cfm or Application.cfc to the folder and cfabort
>> any request. that will ensure that no cfm file is executed
>>
>> On Thu, Aug 20, 2009 at 11:21 AM, Philip Kaplan pkap...@gmail.com wrote:
>>
>>> I'm allowing people to FTP-upload into one of my web server directories, but
>>> I don't want them to be able to upload and run cfm (or asp, etc) scripts.
>>>
>>> I right-clicked on the directory in IIS and changed execute permissions to
>>> none, but it seems the cfm files in that directory are still running.
>>>
>>> Here's an example:
>>> http://hitmelater.com/affiliate/index.cfm
>>>
>>> Any ideas?



Re: How do I remove execute permissions from a directory in IIS?

2009-08-20 Thread Dave Watts

> I'm allowing people to FTP-upload into one of my web server directories, but
> I don't want them to be able to upload and run cfm (or asp, etc) scripts.
>
> I right-clicked on the directory in IIS and changed execute permissions to
> none, but it seems the cfm files in that directory are still running.

You would have to set read but not execute in Windows Explorer or
CACLS/XCACLS/whatever the new version of CACLS is.

But the real answer is, as Ian indicated, don't let people upload
files into a web directory. Even if you could disable them from
running through CF, a user could upload a plain old HTML file with
malicious JavaScript in it, and another user could conceivably run
that.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

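The advice in the replies above (keep the FTP drop outside the web root, scrutinize uploads before moving them, allow only certain file types) can be sketched as a promotion script. This is an added example, not code from anyone in the thread; the directory names, the extension allow-list and the file-signature checks are assumptions.

```python
import shutil
import tempfile
from pathlib import Path

# Assumed policy (not from the thread): extension allow-list, each mapped to
# the leading bytes a genuine file of that type starts with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

def screen(path: Path) -> str:
    """Return 'ok' or the reason the file must stay out of the web root."""
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED:
        return "extension not allowed"      # .cfm, .asp, .html, no extension
    if len(suffixes) > 1:
        return "multiple extensions"        # e.g. report.cfm.png
    with path.open("rb") as fh:
        head = fh.read(16)
    if not head.startswith(ALLOWED[suffixes[-1]]):
        return "content does not match extension"
    return "ok"

def promote(staging: Path, web_dir: Path) -> dict:
    """Move files that pass screen() into web_dir; leave the rest staged."""
    results = {}
    for item in sorted(staging.iterdir()):
        if item.is_symlink() or not item.is_file():
            results[item.name] = "not a regular file"
            continue
        results[item.name] = screen(item)
        if results[item.name] == "ok":
            shutil.move(str(item), str(web_dir / item.name))
    return results

def demo() -> tuple:
    """Run promote() over constructed sample uploads in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        staging, web = Path(tmp, "ftp_staging"), Path(tmp, "web_uploads")
        staging.mkdir()
        web.mkdir()
        (staging / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        (staging / "index.cfm").write_bytes(b"<cfoutput>hello</cfoutput>")
        (staging / "page.html").write_bytes(b"<html><script></script></html>")
        (staging / "photo.jpg").write_bytes(b"<cfoutput>hello</cfoutput>")
        results = promote(staging, web)
        return results, sorted(p.name for p in web.iterdir())
```

Rejected files stay in the staging directory for manual review, and HTML is excluded from the allow-list because of the script-in-HTML concern raised in the last reply.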