[thelist] Security Tip

Kevin Greene (LMI) Kevin.Greene at eei.ericsson.se
Mon Apr 2 11:45:25 CDT 2001


The +.htr bug has nothing to do with fusebox/.cfm/.asp etc.  It is a problem with Index Server, which is installed by default with NT Server 4.  This is only one of many problems with Index Server.  If you're not using Index Server, don't have it running on your box. And always keep up to date on the latest patches.

Kevin


-----Original Message-----
From: Joshua OIson [mailto:joshua at alphashop.net]
Sent: Monday, April 02, 2001 8:36 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Security Tip


This security hole and Fusebox don't seem to like each other.  We use a
fusebox type methodology for site development and it seems that developing
sites in this manner circumvents the +.htr problem.  I tested it on one of
my sites, http://www.optijobsearch.com/index.cfm+.htr, and all I get is the
first level include, which doesn't give a whole lot of information to a
hacker.

-joshua

----- Original Message -----
From: "Raymond Camden" <jedimaster at macromedia.com>
Subject: [thelist] Security Tip


> So - whatever you're doing right now... stop. If you're running IIS and using
> ASP or ColdFusion, go to your web server, pick any of the CFM or ASP files,
> and add +.htr to the end of the url. So, this:
>
> www.deathclock.com/index.cfm
>
> would be:
>
> www.deathclock.com/index.cfm+.htr
>
> Then view source. You may notice that the entire source code of your ASP/CFM
> page is now visible. This can be _extremely_ dangerous. I've seen some sites
> store global passwords in plain text in files that were vulnerable to this
> bug.
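
A log check for the request pattern discussed in this thread, as an added example that is not part of any of the messages above. It assumes IIS W3C extended logs with a `#Fields:` header; the function name `find_htr_probes` is hypothetical and the sample log lines are constructed. It percent-decodes the path before matching, so it covers slightly more than the literal `+.htr` form shown in the tip.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-04-02 16:40:01 192.0.2.10 GET /index.cfm - 200
2001-04-02 16:40:07 192.0.2.10 GET /index.cfm+.htr - 200
2001-04-02 16:41:12 198.51.100.7 GET /admin/login.asp%2B.htr - 404
2001-04-02 16:42:30 203.0.113.5 GET /tools/reset.htr - 200
2001-04-02 16:43:02 198.51.100.7 GET /Default.ASP+.HTR - 200
"""

# A script page (.asp/.cfm) with "+.htr" (or a decoded space) appended.
SUFFIX = re.compile(r"\.(?:asp|cfm)[+ ]\.htr$", re.IGNORECASE)


def find_htr_probes(log_text):
    """Return one dict per request whose path matches the +.htr pattern."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order is declared by the log itself; do not hard-code it.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode %XX escapes so encoded requests match the same rule.
        path = unquote(row.get("cs-uri-stem", ""))
        if SUFFIX.search(path):
            status = row.get("sc-status", "")
            hits.append({
                "client": row.get("c-ip", ""),
                "path": path,
                "status": status,
                # A 200 means the server answered; review that file's contents.
                "served": status == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_htr_probes(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["path"])
```

Requests flagged with `served` set are the ones to follow up first: any credentials stored in those files should be treated as exposed and rotated.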

