[thelist] Security Tip
Ryan Finley
RyanF at SonicFoundry.com
Mon Apr 2 11:18:50 CDT 2001
That's why it's so important to subscribe to a good security list.
http://www.microsoft.com/technet/security/notify.asp
With Microsoft products, we really have to stay on top of security patches
and service packs.
Ryan Finley
President - SurveyMonkey.com (http://www.surveymonkey.com)
-----Original Message-----
From: Raymond Camden [mailto:jedimaster at macromedia.com]
Sent: Monday, April 02, 2001 11:13 AM
To: thelist at lists.evolt.org
Subject: [thelist] Security Tip
Someone recently brought this up on the cf-talk listserv, so I thought I'd
bring it up here. I don't think it's been mentioned lately, but if I'm
wrong, please forgive me.
So - whatever you're doing right now... stop. If you're running IIS and using
ASP or ColdFusion, go to your web server, pick any of the CFM or ASP files,
and add +.htr to the end of the url. So, this:
www.deathclock.com/index.cfm
would be:
www.deathclock.com/index.cfm+.htr
Then view source. You may notice that the entire source code of your ASP/CFM
page is now visible. This can be _extremely_ dangerous. I've seen some sites
store global passwords in plain text in files that were vulnerable to this
bug.
Another variation of this is to append ::$DATA. Again, it affects CFM and
ASP files.
To fix it, check out this article:
http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
Note - this is NOT a ColdFusion bug - it's an IIS 'feature.' It (can) affect
both NT and Win2k.
p.s. Running a cluster? Don't forget to check each of the machines in the
cluster.
=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email : jedimaster at macromedia.com
ICQ UIN : 3679482
"My ally is the Force, and a powerful ally it is." - Yoda
---------------------------------------
For unsubscribe and other options, including
the Tip Harvester and archive of TheList go to:
http://lists.evolt.org Workers of the Web, evolt !