[thelist] Security Tip

Joshua Olson joshua at alphashop.net
Mon Apr 2 11:34:35 CDT 2001


This security hole and Fusebox don't seem to like each other.  We use a
fusebox type methodology for site development and it seems that developing
sites in this manner circumvents the +.htr problem.  I tested it on one of
my sites, http://www.optijobsearch.com/index.cfm+.htr, and all I get is the
first level include, which doesn't give a whole lot of information to a
hacker.

-joshua

----- Original Message -----
From: "Raymond Camden" <jedimaster at macromedia.com>
Subject: [thelist] Security Tip


> So - whatever you're doing right now... stop. If you're running IIS and using
> ASP or ColdFusion, go to your web server, pick any of the CFM or ASP files,
> and add +.htr to the end of the url. So, this:
>
> www.deathclock.com/index.cfm
>
> would be:
>
> www.deathclock.com/index.cfm+.htr
>
> Then view source. You may notice that the entire source code of your ASP/CFM
> page is now visible. This can be _extremely_ dangerous. I've seen some sites
> store global passwords in plain text in files that were vulnerable to this
> bug.
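
An added example, not part of the original thread or written by either poster: a defender's-side check in Python that scans IIS W3C extended log lines for requests whose URI stem ends in "+.htr", so an administrator can see whether the probe described above has already been tried against a server, which client addresses tried it, and which of those requests were answered with a 200 (the ones that may actually have returned script source). The log excerpt is constructed sample data, and the assumed field layout is the default date, time, client IP, method, URI stem, URI query and status columns; adjust `parse_line` if your log uses a different `#Fields:` order.

```python
import re

# Constructed IIS W3C extended log excerpt (sample data, not from the original post).
# Assumed field layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-04-02 11:30:01 192.0.2.10 GET /index.cfm - 200
2001-04-02 11:30:05 192.0.2.10 GET /index.cfm+.htr - 200
2001-04-02 11:31:12 198.51.100.7 GET /admin/login.asp+.htr - 200
2001-04-02 11:31:40 198.51.100.7 GET /images/logo.gif - 200
2001-04-02 11:32:03 203.0.113.5 GET /index.cfm+.HTR - 404
"""

# A URI stem ending in "+.htr". Windows paths are case-insensitive, so the
# extension is matched case-insensitively as well.
HTR_SUFFIX = re.compile(r"\+\.htr$", re.IGNORECASE)


def parse_line(line):
    """Parse one data line into a dict; return None for directives or short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client, method, stem, query, status = parts[:7]
    return {
        "timestamp": f"{date} {time}",
        "client": client,
        "method": method,
        "stem": stem,
        "query": query,
        "status": int(status),
    }


def find_htr_requests(log_text):
    """Return every parsed request whose URI stem ends in '+.htr'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and HTR_SUFFIX.search(rec["stem"]):
            hits.append(rec)
    return hits


def likely_disclosures(hits):
    """Hits the server answered with 200: the requests that may have returned
    script source and therefore deserve first attention during triage."""
    return [h for h in hits if h["status"] == 200]


def count_by_client(hits):
    """Number of '+.htr' probes seen per client address."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_htr_requests(SAMPLE_LOG)
    for h in hits:
        print(h["timestamp"], h["client"], h["stem"], h["status"])
    print("probes per client:", count_by_client(hits))
    print("answered with 200:", len(likely_disclosures(hits)))
```

A request that ends in "+.htr" and receives a 404 still tells you someone is probing, so the per-client counts are worth keeping alongside the 200 responses; a 200 on such a request is the signal that the server should be checked immediately.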
