[thelist] Security Tip

Ryan Finley RyanF at SonicFoundry.com
Mon Apr 2 11:38:20 CDT 2001


This was discovered more than a year ago.  No system is secure if you don't
keep up to date on the latest patches.

Yes, Windows isn't the most secure operating system.  But 95% of the
security problems in Windows already have patches...if only people would
install them.

In general, Unix admins know what they're doing.  Can't always say the same
thing about those maintaining Windows boxes...

	Ryan Finley
	President - SurveyMonkey.com (http://www.surveymonkey.com)


-----Original Message-----
From: Norman Bunn [mailto:norman.bunn at craftedsolutions.com]
Sent: Monday, April 02, 2001 11:20 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Security Tip


It's not just ASP & CF.  I just ran it on a perl program and all my source
shows up just as pretty as you please!  Sure am glad I run my clients on
Unix!

Norman
www.craftedsolutions.com

----- Original Message -----
From: Raymond Camden <jedimaster at macromedia.com>
To: <thelist at lists.evolt.org>
Sent: Monday, April 02, 2001 12:12 PM
Subject: [thelist] Security Tip


> Someone recently brought this up on the cf-talk listserv, so I thought I'd
> bring it up here. I don't think it's been mentioned lately, but if I'm
> wrong, please forgive me.
>
> So - whatever you're doing right now... stop. If you're running IIS and using
> ASP or ColdFusion, go to your web server, pick any of the CFM or ASP files,
> and add +.htr to the end of the url. So, this:
>
> www.deathclock.com/index.cfm
>
> would be:
>
> www.deathclock.com/index.cfm+.htr
>
> Then view source. You may notice that the entire source code of your ASP/CFM
> page is now visible. This can be _extremely_ dangerous. I've seen some sites
> store global passwords in plain text in files that were vulnerable to this
> bug.
>
> Another variation of this is to append ::$DATA. Again, it affects CFM and
> ASP files.
>
> To fix it, check out this article:
>
> http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
>
> Note - this is NOT a ColdFusion bug - it's an IIS 'feature.' It (can) affect
> both NT and Win2k.
>
> p.s. Running a cluster? Don't forget to check each of the machines in the
> cluster.
>
> =======================================================================
> Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
>
> Email   : jedimaster at macromedia.com
> ICQ UIN : 3679482
>
> "My ally is the Force, and a powerful ally it is." - Yoda
>
>
>
> ---------------------------------------
> For unsubscribe and other options, including
> the Tip Harvester and archive of TheList go to:
> http://lists.evolt.org Workers of the Web, evolt !
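As an added illustration of the defender's side of the thread above (not code from any of the posters), the following checks IIS W3C Extended log lines for the two request shapes Raymond describes, a script URL with `+.htr` or `::$DATA` appended, so an admin can see whether anyone has probed for the source-disclosure bug and whether the server answered with a 200. The log lines and the field order are constructed for the example; check the `#Fields:` header of a real log before reusing the parser.

```python
import re
from typing import List, Dict

# Constructed sample log lines in IIS W3C Extended format (field order is
# an assumption for this example; real logs declare it in #Fields:).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-04-02 16:10:01 192.0.2.10 GET /index.cfm - 200
2001-04-02 16:10:05 192.0.2.10 GET /index.cfm+.htr - 200
2001-04-02 16:10:09 192.0.2.11 GET /login.asp::$DATA - 200
2001-04-02 16:10:12 192.0.2.12 GET /images/logo.gif - 200
2001-04-02 16:10:15 192.0.2.13 GET /admin/db.asp+.htr - 404
"""

# Script extensions the thread says get disclosed, followed by either of
# the two suffixes named in the post (+.htr or ::$DATA).
SCRIPT_EXTS = ("cfm", "asp")
SUSPICIOUS = re.compile(
    r"\.(?:" + "|".join(SCRIPT_EXTS) + r")(?:\+\.htr|::\$DATA)$",
    re.IGNORECASE,
)

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C Extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows

def find_source_disclosure_probes(text: str) -> List[Dict[str, str]]:
    """Return rows whose cs-uri-stem matches the +.htr / ::$DATA pattern.

    sc-status is kept so a responder can separate a 200 (source was
    likely served if the patch was missing) from a 404/403 (blocked).
    """
    hits = []
    for row in parse_w3c(text):
        if SUSPICIOUS.search(row.get("cs-uri-stem", "")):
            hits.append({k: row[k] for k in ("c-ip", "cs-uri-stem", "sc-status")})
    return hits

if __name__ == "__main__":
    for hit in find_source_disclosure_probes(SAMPLE_LOG):
        print(hit)
```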

