[thelist] Security Tip

Joshua OIson joshua at alphashop.net
Mon Apr 2 11:34:35 CDT 2001

This security hole and Fusebox don't seem to like each other.  We use a
fusebox type methodology for site development and it seems that developing
sites in this manner circumvents the +.htr problem.  I tested it on one of
my sites, http://www.optijobsearch.com/index.cfm+.htr, and all I get is the
first level include, which doesn't give a whole lot of information to a


----- Original Message -----
From: "Raymond Camden" <jedimaster at macromedia.com>
Subject: [thelist] Security Tip

> So - whatever you're doing right now... stop. If you're running IIS and using
> ASP or ColdFusion, go to your web server, pick any of the CFM or ASP
> and add +.htr to the end of the url. So, this:
> www.deathclock.com/index.cfm
> would be:
> www.deathclock.com/index.cfm+.htr
> Then view source. You may notice that the entire source code of your
> page is now visible. This can be _extremely_ dangerous. I've seen some
> store global passwords in plain text in files that were vulnerable to this
> bug.
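
Added example, not part of either post: a log check for the request pattern described above, for reviewing your own server's access logs. It assumes a W3C extended format log with a `#Fields:` header; the log lines are constructed, and how a given server records the `+.htr` suffix (literal or percent-encoded) is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2001-04-02 16:30:01 192.0.2.10 GET /index.cfm 200 5120
2001-04-02 16:30:07 192.0.2.10 GET /index.cfm+.htr 200 18342
2001-04-02 16:31:12 198.51.100.7 GET /store/login.asp%2B.htr 200 9411
2001-04-02 16:31:40 198.51.100.7 GET /admin/config.asp+.htr 404 312
2001-04-02 16:32:02 203.0.113.5 GET /docs/readme.htr 200 700
"""

# A script name followed by "+.htr" (a decoded "%20" shows up as a space).
HTR_SUFFIX = re.compile(r"\.(cfm|asp|asa)[+ ]\.htr$", re.IGNORECASE)


def find_htr_probes(log_text):
    """Return one dict per request whose URI stem ends in <script>+.htr."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = unquote(row.get("cs-uri-stem", ""))  # %2B -> "+", %20 -> " "
        if HTR_SUFFIX.search(stem):
            hits.append({
                "client": row.get("c-ip"),
                "uri": stem,
                "status": row.get("sc-status"),
                # A 200 means the server answered the request; review that file.
                "served": row.get("sc-status") == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_htr_probes(SAMPLE_LOG):
        print(hit)
```

Any hit with `served` set to true points at a file worth checking for plain-text passwords or other secrets in its source.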
