[thelist] Security Tip

Joshua Olson joshua at alphashop.net
Tue Apr 3 11:05:56 CDT 2001


In one case, we pull the filenames and path for the includes from a
database.  So, you are not able to trace the include files any further than
that.  And in the other case, if you try to actually *run* one of the files,
you'd be bumped by the top level application.cfm.    That's really what I
was talking about.  You may be able to trace the files and see the source,
which is a problem for intellectual reasons, but so long as there are no
passwords and obvious backdoors coded in there, you may be safe.

There are times when helper applications, such as database servers,
inherently have holes, and the code may indicate that you use those
applications.  In that instance you have a risk of someone exploiting those
applications.

BTW, it's now patched.

-joshua

----- Original Message -----
From: "Ron Thigpen" <rthigpen at nc.rr.com>
Subject: Re: [thelist] Security Tip


> Well, except for the names of all of your included .cfm files, which can
> be invoked directly by their URL, and which, unless you were careful,
> probably don't have their own security/exclusion code included in their
> headers...
>
> No matter how you look at it, this is a huge, gaping hole.  It is also a
> hole with well known patches.  There is no reason and no justification for
> anyone leaving it unpatched once they know about it.  And there is very
> little in the way of excuse for a reasonably on-the-ball server admin not
> to be aware of this after all this time.
>
> --rt
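The two defences discussed in this thread (a top-level application.cfm that rejects direct requests for include-only templates, and per-include guards for the case Ron describes where an include is invoked by its URL) can be shown in a short, constructed example. This is added illustration, not code from either poster or from their site; the directory name "includes", the application name "shop", the request variable "request.entryPage" and the template names are assumptions chosen for the example.

```cfml
<!--- Application.cfm (constructed example): ColdFusion runs this before
      every .cfm request under this directory tree, so it is the single
      place to refuse direct hits on include-only templates. --->
<cfapplication name="shop" sessionmanagement="yes">

<!--- Assumed convention: every include-only template lives under /includes/.
      CGI.SCRIPT_NAME is the template the browser actually requested, not a
      template pulled in later by <cfinclude>, so this check only fires on
      direct invocation. --->
<cfset includeDir = "/includes/">

<cfif FindNoCase(includeDir, CGI.SCRIPT_NAME) GT 0>
    <!--- Refuse the request outright; cfabort stops processing so the
          include never executes or renders on its own. --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Mark that a legitimate entry page is handling this request. Includes
      test for this flag as a second, independent layer (see below). --->
<cfset request.entryPage = true>
```

The per-include layer, for a site that cannot rely on a single directory convention (for example when, as in Joshua's case, include paths come from a database), is a one-line check at the top of each include-only template, again constructed for this example:

```cfml
<!--- includes/header.cfm (constructed example): defence in depth. Even if
      Application.cfm is bypassed or misplaced, an include with no entry
      page behind it produces nothing. --->
<cfif NOT IsDefined("request.entryPage")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- normal include content follows --->
```

Both layers rely on request-scoped state that only exists for the current request, so a visitor cannot supply request.entryPage through the URL or form fields; the flag is set exclusively by Application.cfm after its own check has passed.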