[thelist] Security Tip

Raymond Camden jedimaster at macromedia.com
Tue Apr 3 11:18:16 CDT 2001

As a related note, if you ever pass via the query string the name of the
file to include/locate to... don't. I saw a site that did this, and I
changed the URL param to point to the file itself. This created an infinite
loop and almost crashed the server.

Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : jedimaster at macromedia.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]On Behalf Of Joshua OIson
> Sent: Tuesday, April 03, 2001 3:07 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] Security Tip
> In one case, we pull the filenames and path for the includes from a
> database.  So, you are not able to trace the include files any
> further than
> that.  And in the other case, if you try to actually *run* one of
> the files,
> you'd be bumped by the top level application.cfm.    That's really what I
> was talking about.  You may be able to trace the files and see the source,
> which is a problem for intellectual reasons, but so long as there are no
> passwords and obvious backdoors coded in there, you may be safe.

More information about the thelist mailing list