[thelist] Security Tip

Ron Thigpen rthigpen at nc.rr.com
Tue Apr 3 10:58:56 CDT 2001


Well, except for the names of all of your included .cfm files, which can be invoked
directly by their URL, and which, unless you were careful, probably don't have their
own security/exclusion code included in their headers...

No matter how you look at it, this is a huge, gaping hole.  It is also a hole with
well known patches.  There is no reason and no justification for anyone leaving it
unpatched once they know about it.  And there is very little in the way of excuse
for a reasonably on-the-ball server admin not to be aware of this after all this
time.

--rt

Joshua Olson wrote:
> 
> This security hole and Fusebox don't seem to like each other.  We use a
> fusebox type methodology for site development and it seems that developing
> sites in this manner circumvents the +.htr problem.  I tested it on one of
> my sites, http://www.optijobsearch.com/index.cfm+.htr, and all I get is the
> first level include, which doesn't give a whole lot of information to a
> hacker.
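Ron's second point above, that included .cfm files can be requested directly by URL unless each one carries its own exclusion check, is the part a developer can fix in code. The following is an added illustration, not code from either poster: an inline header guard for a Fusebox-style fuse, using the hypothetical file names index.cfm and dsp_login.cfm.

```cfml
<!--- index.cfm (hypothetical front controller): the only file meant to be
      requested by URL. It dispatches to include files ("fuses"). --->
<cfparam name="url.fuseaction" default="login">
<cfswitch expression="#url.fuseaction#">
    <cfcase value="login">
        <cfinclude template="dsp_login.cfm">
    </cfcase>
    <cfdefaultcase>
        <cfheader statuscode="404" statustext="Not Found">
        <cfabort>
    </cfdefaultcase>
</cfswitch>

<!--- dsp_login.cfm (hypothetical fuse): the guard sits at the very top of
      the include itself. It must be inline, not in a shared included file,
      because GetCurrentTemplatePath() would then point at the shared file
      and the comparison would never fire. --->
<cfif CompareNoCase(GetBaseTemplatePath(), GetCurrentTemplatePath()) EQ 0>
    <!--- The base template (the file the URL actually asked for) is this
          file, so nothing included us: refuse to execute. --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
<!--- ... normal display code for the login form follows here ... --->
```

The guard only stops a fuse from running when called directly; it does nothing about the +.htr source disclosure itself, which is closed by the server-side patch Ron refers to.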
