[thelist] Security Tip

Raymond Camden jedimaster at macromedia.com
Tue Apr 3 11:18:16 CDT 2001


As a related note, if you ever pass via the query string the name of the
file to include/locate to... don't. I saw a site that did this, and I
changed the URL param to point to the file itself. This created an infinite
loop and almost crashed the server.

=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : jedimaster at macromedia.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]On Behalf Of Joshua Olson
> Sent: Tuesday, April 03, 2001 3:07 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] Security Tip
>
>
> In one case, we pull the filenames and path for the includes from a
> database.  So, you are not able to trace the include files any further than
> that.  And in the other case, if you try to actually *run* one of the files,
> you'd be bumped by the top level application.cfm.  That's really what I
> was talking about.  You may be able to trace the files and see the source,
> which is a problem for intellectual reasons, but so long as there are no
> passwords and obvious backdoors coded in there, you may be safe.
>
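
The pattern Raymond warns about, as an added Python example (not code from the post or from Macromedia; the paths, the "{include}" template marker and the allowlist are constructed for illustration): a query-string value resolved straight to a file path, beside an allowlist resolver, with an include-depth guard that turns the self-include loop into an error rather than a hung server.

```python
import posixpath

# Constructed layout (hypothetical paths): one page taking ?inc=<name>, one include dir.
INCLUDE_ROOT = "/var/www/app/includes"
PAGE = "/var/www/app/page.cfm"
TEMPLATES = {PAGE: "<h1>Page</h1>{include}",            # "{include}" = dynamic include
             INCLUDE_ROOT + "/header.inc": "<div>header</div>"}
ALLOWED_INCLUDES = {"header": "header.inc", "footer": "footer.inc"}  # query value -> file
MAX_INCLUDE_DEPTH = 4

class IncludeLoopError(RuntimeError):
    """Nested includes exceeded MAX_INCLUDE_DEPTH."""

def unsafe_resolve(param, calling_page):
    # The pattern the post warns against: the query string names the file outright.
    return posixpath.normpath(posixpath.join(INCLUDE_ROOT, param))

def safe_resolve(param, calling_page):
    # Allowlist lookup; the root and self-include checks are defence in depth.
    rel = ALLOWED_INCLUDES.get(param)
    if rel is None:
        return None
    full = posixpath.normpath(posixpath.join(INCLUDE_ROOT, rel))
    if not full.startswith(INCLUDE_ROOT + "/") or full == posixpath.normpath(calling_page):
        return None
    return full

def render(page, params, resolve, templates=TEMPLATES, depth=0):
    """Render `page`. An included file sees the same URL params, so including the
    calling page recurses; the depth guard raises instead of hanging the server."""
    if depth > MAX_INCLUDE_DEPTH:
        raise IncludeLoopError(page)
    tpl = templates.get(page)
    if tpl is None:
        return f"<!-- missing {page} -->"
    if "{include}" not in tpl:
        return tpl
    target = resolve(params.get("inc", ""), page)
    inner = ("<!-- include refused -->" if target is None
             else render(target, params, resolve, templates, depth + 1))
    return tpl.replace("{include}", inner)

def loops(page, params, resolve):
    """True if rendering trips the include-depth guard."""
    try:
        render(page, params, resolve)
    except IncludeLoopError:
        return True
    return False
```

With `unsafe_resolve`, `?inc=../page.cfm` makes the page include itself until the depth guard fires; with `safe_resolve` the same request is refused and the page still renders.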
