> Err.... I don't get that "vulnerability" at all.
>
> I'm running CF5 on IIS5 on Win2k and I get plain boring
> "HTTP/1.0 404 Object Not Found".
>
> If you leave the debugging on, then maybe you would. Actually,
> no, that's a lie, because I just tested on a box where I have every
> single bit of debugging turned on for my IP address.
>
> Now - if you access a page where there is a missing cfinclude
> file and you have the debug option "Display the Template Path
> in Error Messages" switched on, then you will display the full
> file path. However, that particular debug option has this text
> next to it: "The template's file name is useful for debugging,
> but may be a security hazard because it displays information
> about a server's file structure."
I just tested this on my machine (Win2K, IIS 5, CF 5, all relevant OS and CF hotfixes) and was able to replicate the results of the SecurityFocus report, with all debugging options off. The specific error I got indicated that there was a file, but that CF couldn't open the file.

I don't like MM's solution either, since it does impose a bit of overhead. Here are some other possible workarounds, until MM gets their act together - not likely, since this has been around since November:

1. Input filtering at the web server level.
2. Creating files with the appropriate names in each directory (yecch).

Anyone have a definitive list of DOS device names?

I think I'll try (1), myself. Sheesh.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
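One way to implement workaround (1), added here as an example and not part of Dave's post or of any IIS or ColdFusion code: the check a web-server request filter would run on each URL before handing it to CF. The reserved-name list comes from Microsoft's Windows file naming rules (the post itself does not supply one), and the function names are my own.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Reserved DOS device names per Microsoft's Windows file naming rules.
# Windows reserves these regardless of extension, so "aux.cfm" maps to
# the AUX device. (List supplied here; it is not from the original post.)
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + ["COM%d" % i for i in range(1, 10)]
    + ["LPT%d" % i for i in range(1, 10)]
)


def reserved_device_in_path(path: str) -> Optional[str]:
    """Return the reserved device name a request path resolves to, or None.

    A path component is treated as a device if its base name (the part
    before the first dot, ignoring trailing spaces) is reserved, so
    'aux.cfm', 'AUX.cfm' and 'nul .cfm' all hit a device while
    'auxiliary.cfm' and 'com10.cfm' do not. The path is percent-decoded
    first so an encoded request is judged the way the server would
    resolve it, not the way it looks on the wire.
    """
    decoded = unquote(path)
    for segment in re.split(r"[\\/]+", decoded):
        base = segment.split(".", 1)[0].rstrip(" ").upper()
        if base in RESERVED_DEVICE_NAMES:
            return base
    return None


def should_reject(path: str) -> bool:
    """Filter decision: True when the request should get a plain 404 at
    the web server instead of ever reaching ColdFusion."""
    return reserved_device_in_path(path) is not None


if __name__ == "__main__":
    # Constructed sample requests, one per case the filter must handle.
    for sample in ["/index.cfm", "/aux.cfm", "/auxiliary.cfm", "/%41ux.cfm"]:
        print(sample, "->", "reject" if should_reject(sample) else "allow")
```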
