[thelist] Security Tip

Raymond Camden jedimaster at macromedia.com
Mon Apr 2 11:10:00 CDT 2001


Someone recently brought this up on the cf-talk listserv, so I thought I'd
bring it up here. I don't think it's been mentioned lately, but if I'm
wrong, please forgive me.

So - whatever your doing right now... stop. If your running IIS and using
ASP or ColdFusion, go to your web server, pick any of the CFM or ASP files,
and add +.htr to the end of the url. So, this:

www.deathclock.com/index.cfm

would be:

www.deathclock.com/index.cfm+.htr

Then view source. You may notice that the entire source code of your ASP/CFM
page is now visible. This can be _extremely_ dangerous. I've seen some site
store global passwords in plain text in files that were vulnerable to this
bug.

Another variation of this is to append ::$DATA. Again, it affects CFM and
ASP files.

To fix it, check out this article:

http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full

Note - this is NOT a ColdFusion bug - it's an IIS 'feature.' It (can) affect
both NT and Win2k.

p.s. Running a cluster? Don't forget to check each of the machines in the
cluster.

=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : jedimaster at macromedia.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda






More information about the thelist mailing list