I am not the one seeing the error. I was just commenting that you Could find out the IP address of the server using the domain name And the ping command.
I know you would see the CGI.REMOTE_ADDR. That is part of the cgi variables. Wally was the one looking for the resolution -----Original Message----- From: Mark A Kruger [mailto:[EMAIL PROTECTED] Sent: Friday, October 07, 2005 9:17 AM To: CF-Talk Subject: RE: ColdFusion Security Holes - Best Practices Randy, Hmmmm.... actually, the error in question doesn't expose the IP address of the server (internal or external). Instead it exposes the cgi.remote_addr address - the address of the client making the request. Is this the error you are seeing? ------------------------------------------------------------------------ ---- --------------- The filename, directory name, or volume label syntax is incorrect Please try the following: Check the ColdFusion documentation to verify that you are using the correct syntax. Search the Knowledge Base to find a solution to your problem. Browser Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215) Remote Address 10.0.0.11 Referrer ------------------------------------------------------------------------ ---- ---------------- The address info listed there is that of my laptop - not my server. -Mark -----Original Message----- From: Adkins, Randy [mailto:[EMAIL PROTECTED] Sent: Friday, October 07, 2005 8:09 AM To: CF-Talk Subject: RE: ColdFusion Security Holes - Best Practices Anyone can get the IP Address of the server, simply ping the domain name. Now, depending on the security patches of the server and how it is configured will determine if you can do anything else. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, October 07, 2005 8:54 AM To: CF-Talk Subject: ColdFusion Security Holes - Best Practices I heard a challenge from a security consultant that "if you are using ColdFusion you do not have a secure server." He maintains that CF is full of things a hacker can access. For example he gave the following example. If you attempt to open a CF website with the following command it will generate an error message that gives you the IP address of the CF server: sitename.org/*.cfm I tried this on a wide variety of sites and found that most CF sites return the error with the IP address. Some, however appear to trap this error somehow. What should be done on a CF server to prevent that type of error exposing the IP address of a CF server? This error is occuring prior to the execution of an application.cfm file in the host root directory so you cannot programatically trap it. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220318 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
