[thelist] Security Tip

Norman Bunn norman.bunn at craftedsolutions.com
Mon Apr 2 11:30:00 CDT 2001


It's not just ASP & CF.  I just ran it on a perl program and all my source
shows up just as pretty as you please!  Sure am glad I run my clients on
Unix!

Norman
www.craftedsolutions.com

----- Original Message -----
From: Raymond Camden <jedimaster at macromedia.com>
To: <thelist at lists.evolt.org>
Sent: Monday, April 02, 2001 12:12 PM
Subject: [thelist] Security Tip


> Someone recently brought this up on the cf-talk listserv, so I thought I'd
> bring it up here. I don't think it's been mentioned lately, but if I'm
> wrong, please forgive me.
>
> So - whatever you're doing right now... stop. If you're running IIS and using
> ASP or ColdFusion, go to your web server, pick any of the CFM or ASP files,
> and add +.htr to the end of the url. So, this:
>
> www.deathclock.com/index.cfm
>
> would be:
>
> www.deathclock.com/index.cfm+.htr
>
> Then view source. You may notice that the entire source code of your ASP/CFM
> page is now visible. This can be _extremely_ dangerous. I've seen some sites
> store global passwords in plain text in files that were vulnerable to this
> bug.
>
> Another variation of this is to append ::$DATA. Again, it affects CFM and
> ASP files.
>
> To fix it, check out this article:
>
> http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
>
> Note - this is NOT a ColdFusion bug - it's an IIS 'feature.' It (can) affect
> both NT and Win2k.
>
> p.s. Running a cluster? Don't forget to check each of the machines in the
> cluster.
>
> =======================================================================
> Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
>
> Email   : jedimaster at macromedia.com
> ICQ UIN : 3679482
>
> "My ally is the Force, and a powerful ally it is." - Yoda
>
>
>
> ---------------------------------------
> For unsubscribe and other options, including
> the Tip Harvester and archive of TheList go to:
> http://lists.evolt.org Workers of the Web, evolt !
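Added example (not part of either message above, and not Allaire's or Macromedia's code): a small detector that scans IIS W3C extended log lines for the two request shapes the thread describes, a script file with `+.htr` appended and a script file with `::$DATA` appended. The log lines are constructed for the example; the field names (`cs-uri-stem`, `sc-status`, etc.) follow the IIS W3C extended format. It decodes URL-encoded paths first so a `%2B.htr` variant is not missed, and reports whether the server actually returned a 200 for the request, which is the case a defender cares about while waiting for the fix in the linked article to be applied.

```python
import re
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format (assumption: these are
# not real requests, just the shapes the original post warns about).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-04-02 12:10:01 192.0.2.10 GET /index.cfm - 200
2001-04-02 12:10:05 192.0.2.10 GET /index.cfm+.htr - 200
2001-04-02 12:10:09 192.0.2.10 GET /admin/login.asp::$DATA - 200
2001-04-02 12:10:12 192.0.2.11 GET /login.asp%2B.htr - 200
2001-04-02 12:10:15 192.0.2.12 GET /images/logo.gif - 200
2001-04-02 12:10:20 192.0.2.13 GET /report.ASP+.HTR - 404
"""

# Script types whose source we do not want served as text. The thread mentions
# ASP, CFM and (in the reply) Perl; extend the list for your own server.
HTR_APPEND_RE = re.compile(r"\.(?:asp|asa|cfm|cfml|pl)\+\.htr$", re.IGNORECASE)
DATA_STREAM_RE = re.compile(r"::\$data$", re.IGNORECASE)


def classify_path(stem):
    """Return a technique label if the URI stem looks like a source-disclosure
    request, otherwise None. The stem is percent-decoded first so encoded
    variants (e.g. %2B.htr) are caught as well."""
    decoded = unquote(stem)
    if HTR_APPEND_RE.search(decoded):
        return "htr-append"
    if DATA_STREAM_RE.search(decoded):
        return "ntfs-data-stream"
    return None


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def find_disclosure_attempts(text):
    """Return a list of findings: client, path, technique, status and whether
    the server actually served the request (a 200 means source may have leaked)."""
    hits = []
    for rec in parse_w3c(text):
        technique = classify_path(rec.get("cs-uri-stem", ""))
        if technique is None:
            continue
        hits.append({
            "client": rec["c-ip"],
            "path": rec["cs-uri-stem"],
            "technique": technique,
            "status": int(rec["sc-status"]),
            "served": rec["sc-status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_disclosure_attempts(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f"{hit['client']} {hit['technique']:17} {hit['status']} {flag} {hit['path']}")
```

Run it against a real `exYYMMDD.log` by reading the file into `find_disclosure_attempts`; a hit with `served` true against a file that holds credentials is the case Raymond describes, and the 404 in the sample is what the same request looks like once the server no longer handles the request as `.htr`.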
