That's the trouble with bundling things. I used to think it was nice but really 
it creates these types of things.

Have you seen the video of the guy hacking sites with this?




> It's not a CF-only issue. However, CF comes bundled with FCKEditor and 
> other scripting languages don't.
> 
> If you don't allow uploads to web accessible directories, you don't 
> have anything to worry about. However, the default install of CF 8.0.1 
> on Windows does allow uploads to web accessible directories.
> 
> Dave Watts, CTO, Fig Leaf Software 
> 
> -----Original Message-----
> From: Dave l <cfl...@jamwerx.com>
> Sent: Sunday, 05 July, 2009 13:37
> To: cf-talk <cf-talk@houseoffusion.com>
> Subject: Re: New CF8 vulnerability
> 
> 
> "If there's a default web accessible URL path for uploaded files"
> Well that's why you don't do it. I have done it but I don't anymore.
> 
> That's true with any server, any platform, any scripting language, I 
> don't know why they are making this out to be a cf only issue.
> 
> I have 3 hd's, 
> #1 is the os and apps, 
> #2 is partitioned with 99.9% of it being bu stuff and the rest is just a 
> few folders that the uploads go into and run thru doing what needs to 
> be done with them. 
> #3 is web server.
> 
> So cfm files can only be run out of the #3 hd. So if I upload the files 
> to an isolated partition with min permissions how would they run that cf 
> file? That drive isn't accessible from the web & I have no ftps or any 
> incoming connections to that drive. They could of course hack into the 
> server itself and then move the file manually to the web server drive 
> then go get it ;)
> 
> > If there's a default web accessible URL path for uploaded files, and 
> > that directory is configured to execute CF files, an attacker can 
> > simply upload a .cfm file, and run it to do anything CF can do: 
> > CFEXECUTE, access databases, connect to outbound FTP servers, etc. You 
> > may not allow the first of those, but it's far less likely you're 
> > blocking the others.
> > 
> > Dave Watts, CTO, Fig Leaf Software 
> > 
> > -----Original Message-----
> > From: Dave l <cfl...@jamwerx.com>
> > Sent: Sunday, 05 July, 2009 09:46
> > To: cf-talk <cf-talk@houseoffusion.com>
> > Subject: Re: New CF8 vulnerability
> > 
> > 
> > "There's nothing OS-specific about the vulnerability, as far as I can 
> > see."
> > I'm sure it's more about a "location" that is easy to guess.. maybe the 
> > default fk one.
> > Although them exe's are gunna have a bitch of a time running on a lt 
> > 1gb sectioned partition with no rights on my xserver.
> > 
> > Too many people probably upload to /uploads (i'm guilty) so it 
> > shouldn't be too difficult. 
> > 
> 
> 
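The mitigation Dave Watts describes above (never let uploads land in a web-accessible directory that executes CF files) and Dave l's "isolated partition" setup, shown as an added CFML example; this is not code from anyone in the thread. It assumes a form field named userfile and a storage path D:\uploads\ on a drive the web server does not serve, and uses only standard CF8-era tags and functions.

```cfml
<!---
  Added example, not code from the thread: a ColdFusion upload handler
  that keeps uploaded files off every web-accessible path, plus the
  matching download handler that streams them back from the private drive.
  Assumptions: the form field is named "userfile" and D:\uploads\ lies on
  a drive the web server does not serve (adjust for your own layout).
--->
<cfset allowedExt = "jpg,jpeg,png,gif,pdf">
<cfset storageDir = "D:\uploads\">   <!--- assumed: outside the webroot --->
<cfset maxBytes   = 5 * 1024 * 1024>

<cfif structKeyExists(form, "userfile")>

    <!--- Stage the file in the system temp directory first. Nothing under
          the webroot is ever written, so an uploaded .cfm can't be requested. --->
    <cffile action="upload"
            filefield="userfile"
            destination="#getTempDirectory()#"
            nameconflict="makeunique">

    <cfset tempPath = cffile.serverDirectory & "/" & cffile.serverFile>

    <!--- Decide on the saved file's extension and size, never on the
          client-supplied MIME type (the accept attribute trusts that). --->
    <cfif NOT listFindNoCase(allowedExt, cffile.serverFileExt)
          OR cffile.fileSize GT maxBytes>
        <cffile action="delete" file="#tempPath#">
        <cfthrow message="Upload rejected">
    </cfif>

    <!--- Random storage name: the client's original file name (and any path
          in it) never reaches disk, and the location can't be guessed. --->
    <cfset storedName = lCase(createUUID() & "." & cffile.serverFileExt)>
    <cffile action="move" source="#tempPath#" destination="#storageDir & storedName#">

    <cfoutput><p>Stored as #storedName#</p></cfoutput>

<cfelseif structKeyExists(url, "id")>

    <!--- Only a UUID-shaped name with an allowed extension is accepted,
          which rules out traversal or requests for arbitrary files. --->
    <cfif NOT reFindNoCase("^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{16}\.(jpg|jpeg|png|gif|pdf)$", url.id)
          OR NOT fileExists(storageDir & url.id)>
        <cfthrow message="Not found">
    </cfif>

    <!--- Stream the bytes from the private drive: CF never executes them,
          and the browser is told to download rather than render. --->
    <cfheader name="Content-Disposition" value="attachment; filename=""#url.id#""">
    <cfcontent type="application/octet-stream" file="#storageDir & url.id#">

</cfif>
```

The two halves are the point of the design: because files are only ever read back through cfcontent, there is no URL that maps onto the stored file, so the question of whether the upload directory "executes CF files" never arises. Validating on the server-side extension after the upload (rather than the accept attribute) matters because the MIME type is supplied by the client.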


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324234