> The only security gained by placing the includes and so forth in an
> inaccessible directory, really, is protection against source
> code browsing exploits - and a simple application of permissions
> can be used to prevent this anyway.
Well, I don't agree totally.... I include all of my fuses from a directory that is not accessible to the web server. For example, if my web root is c:\inetpub\wwwroot, I'll keep my fuses in c:\inetpub\fuses. Then my c:\inetpub\wwwroot only has the index.cfm, an empty application.cfm and an empty onrequestend.cfm. This forces all access to the fuses to go through the index.cfm fusebox.

I separate the fuses mainly to prevent users from guessing fuse locations and invoking them directly, which I think provides a measure of added security. In a non-Fusebox app, users can attempt to execute arbitrary templates by just calling them directly. Using my fusebox method, I can at least force them to go through the index.cfm where I have a single location to enforce restrictions and perform validation.

This is minor, I guess, but modularity and ease of coding should also decrease the likelihood that you will miss a security flaw in your code...

For what it's worth,

Chris Lofback
Sr. Web Developer
TRX Integration
28051 US 19 N., Ste. C
Clearwater, FL 33761
www.trxi.com
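The layout described in the post, as an added example rather than Chris Lofback's own index.cfm: a single entry point that maps a requested fuseaction to a fuse through a fixed lookup table and includes it from a directory outside the web root. It assumes a ColdFusion Administrator mapping "/fuses" pointing at c:\inetpub\fuses; the fuse names and the id check are constructed for illustration.

```cfml
<!--- index.cfm in c:\inetpub\wwwroot: the only template a browser can reach.
      Assumes a CF mapping "/fuses" -> c:\inetpub\fuses (outside the web root),
      so the fuses themselves are never served directly. --->

<!--- Classic Fusebox style: merge url and form scopes into "attributes". --->
<cfset attributes = StructNew()>
<cfset StructAppend(attributes, url)>
<cfset StructAppend(attributes, form)>
<cfparam name="attributes.fuseaction" default="home">

<!--- Fixed lookup table: only these fuseactions exist. The request value is
      used as a key, never spliced into a file path, so "../" tricks or guessed
      template names cannot pick a fuse the table does not list. --->
<cfset fuseTable = StructNew()>
<cfset fuseTable["home"]      = "dsp_home.cfm">
<cfset fuseTable["listItems"] = "qry_listItems.cfm">
<cfset fuseTable["showItem"]  = "dsp_showItem.cfm">

<!--- Single place to reject unknown actions. --->
<cfif NOT StructKeyExists(fuseTable, attributes.fuseaction)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>Unknown action.</cfoutput>
    <cfabort>
</cfif>

<!--- Single place to validate parameters before any fuse runs; a fuse
      called directly would skip this, which is why they live outside wwwroot. --->
<cfif attributes.fuseaction EQ "showItem">
    <cfparam name="attributes.id" default="">
    <cfif NOT IsNumeric(attributes.id)>
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid item id.</cfoutput>
        <cfabort>
    </cfif>
</cfif>

<!--- Include the fuse through the mapping, by its table value only. --->
<cfinclude template="/fuses/#fuseTable[attributes.fuseaction]#">
```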