> One of my hosting clients has just made me aware of this major security
> problem and I'm wondering if anyone knows how to eliminate it?
>
> Try calling the application.cfm template on any CF site with +.htr appended
> to the end of the URL. You'll first see a blank page. Now hit refresh/reload
> and you'll see the full code of said application.cfm
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr
>
> Can someone please tell me there is a patch for this. It seems to happen on
> all CFserver versions 4.x + running IIS 4.0 with Service Pack 5

Dave,

In IIS, on the website in question, go to Properties | Home Directory |
Configuration | App Mappings, and remove the .htr extension from the
list. While you're there, add the mappings ".cfm::$DATA" and
".asp::$DATA" to be processed just like .cfm and .asp files, to
eliminate that other *very* common security hole.

Ron Allen Hornbaker
President/CTO
Humankind Systems, Inc.
http://humankindsystems.com
mailto:[EMAIL PROTECTED]
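
A log check to go with the fix above, as an added example that is not part of the original thread: it scans W3C extended-format IIS logs for the two request shapes discussed here ("+.htr" appended to a script name, and a "::$DATA" suffix) so an administrator can see whether source was already served. The log lines, field layout and rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-07-18 10:01:02 192.0.2.10 GET /index.cfm 200
2000-07-18 10:01:09 192.0.2.44 GET /application.cfm+.htr 200
2000-07-18 10:01:15 192.0.2.44 GET /login.asp::$DATA 200
2000-07-18 10:02:30 192.0.2.51 GET /scripts/iisadmin/ism.htr 404
2000-07-18 10:03:41 192.0.2.44 GET /default.asp%3A%3A%24DATA 404
"""

# Rule names are hypothetical labels chosen for this example.
RULES = {
    # A .cfm/.asp script with ".htr" tacked on after "+" (or a space).
    "htr-append": re.compile(r"\.(?:cfm|asp)[+ ]\.htr$", re.I),
    # Any request that names the NTFS default data stream explicitly.
    "data-stream": re.compile(r"::\$DATA$", re.I),
}


def scan(log_text):
    """Return (client_ip, decoded_stem, rule, status) per suspicious request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = unquote(row.get("cs-uri-stem", ""))  # normalise %xx first
        for rule, pattern in RULES.items():
            if pattern.search(stem):
                hits.append((row.get("c-ip"), stem, rule, row.get("sc-status")))
    return hits


if __name__ == "__main__":
    for ip, stem, rule, status in scan(SAMPLE_LOG):
        # A 200 suggests the request was answered; review what was returned.
        print(f"{ip:15} {status:>3} {rule:11} {stem}")
```

Hits with status 200 that predate the mapping change are the ones to review first; a legitimate .htr request such as the ism.htr line is not flagged.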


