[thelist] Security Tip

Norman Bunn norman.bunn at craftedsolutions.com
Mon Apr 2 11:30:00 CDT 2001

It's not just ASP & CF.  I just ran it on a perl program and all my source
shows up just as pretty as you please!  Sure am glad I run my clients on


----- Original Message -----
From: Raymond Camden <jedimaster at macromedia.com>
To: <thelist at lists.evolt.org>
Sent: Monday, April 02, 2001 12:12 PM
Subject: [thelist] Security Tip

> Someone recently brought this up on the cf-talk listserv, so I thought I'd
> bring it up here. I don't think it's been mentioned lately, but if I'm
> wrong, please forgive me.
> So - whatever you're doing right now... stop. If you're running IIS and using
> ASP or ColdFusion, go to your web server, pick any of the CFM or ASP
> and add +.htr to the end of the url. So, this:
> www.deathclock.com/index.cfm
> would be:
> www.deathclock.com/index.cfm+.htr
> Then view source. You may notice that the entire source code of your
> page is now visible. This can be _extremely_ dangerous. I've seen some
> store global passwords in plain text in files that were vulnerable to this
> bug.
> Another variation of this is to append ::$DATA. Again, it affects CFM and
> ASP files.
> To fix it, check out this article:
> http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
> Note - this is NOT a ColdFusion bug - it's an IIS 'feature.' It (can)
> both NT and Win2k.
> p.s. Running a cluster? Don't forget to check each of the machines in the
> cluster.
> =======================================================================
> Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
> Email   : jedimaster at macromedia.com
> ICQ UIN : 3679482
> "My ally is the Force, and a powerful ally it is." - Yoda
> ---------------------------------------
> For unsubscribe and other options, including
> the Tip Harvester and archive of TheList go to:
> http://lists.evolt.org Workers of the Web, evolt !

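An added detection example, not part of this thread or of either poster's code: it scans IIS-style W3C log lines for the two suffixes Raymond's post describes (`+.htr` and `::$DATA`, including a URL-encoded `+`) and flags the requests that were answered with 200, since those are the ones where the server may actually have returned script source. The log lines and field layout below are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in IIS W3C extended log format.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-04-02 16:12:01 10.0.0.5 GET /index.cfm - 200
2001-04-02 16:12:09 10.0.0.5 GET /index.cfm+.htr - 200
2001-04-02 16:12:15 10.0.0.7 GET /login.asp::$DATA - 200
2001-04-02 16:12:20 10.0.0.9 GET /images/logo.gif - 200
2001-04-02 16:12:31 10.0.0.7 GET /admin/config.asp%2b.htr - 404
"""

SCRIPT_EXTENSIONS = ("asp", "cfm")

# A script file name followed by either suffix from the post, at the end of the path.
PATTERN = re.compile(
    r"\.(%s)(\+\.htr|::\$DATA)$" % "|".join(SCRIPT_EXTENSIONS), re.IGNORECASE
)


def source_disclosure_attempts(log_text):
    """Return one record per request that carries a +.htr or ::$DATA suffix."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line; not enough fields to parse
        date, time, client, method, stem, query, status = fields[:7]
        decoded = unquote(stem)  # %2b becomes '+', so encoded variants are caught too
        match = PATTERN.search(decoded)
        if match:
            hits.append({
                "when": date + " " + time,
                "client": client,
                "uri": stem,
                "suffix": match.group(2),
                "status": int(status),
                # A 200 means the server answered the odd URL; source may have been served.
                "served": status == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in source_disclosure_attempts(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print("%s %s %s %s (%s)" % (hit["when"], hit["client"], hit["uri"], hit["suffix"], flag))
```

Requests marked SERVED are the ones worth checking against the fix in the Allaire article linked in the post; a 404 on the same URL suggests the mapping has already been removed.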