At 10:14 AM 12/19/00 -0600, you wrote:
>Is there any danger to the +.htr beyond being able to view the source code
>of the site?
>
>I.e., if you want my source code ... 1.) Why? I don't want it, but am forced to
>code it, and 2.) It might be easier to ask me for it, because I'll zip up all
>the files and email it to you.

Being able to view the source code on the site can be very dangerous, 
especially if it includes any usernames and passwords. Even if it doesn't 
contain usernames and passwords, it can betray other vulnerabilities in the 
site, but if it does have usernames and passwords to the database, all the 
data is compromised. Or, in other words, I hope you aren't storing credit 
card numbers. Even encrypted credit card numbers can be vulnerable if your 
source is vulnerable, because that's where the encryption scheme is.

If *we* want to see your source, we'll ask, but more malicious types will 
look for common problems like the +.htr bug.

I actually had a nightmare about a similar hack last night. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
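The reply above says that attackers go looking for the +.htr bug rather than asking for source. One practical thing a site operator can do is check the IIS logs for that probe, which shows up as a request whose URL ends in "+.htr" appended to a file that is not an .htr file at all. The script below is an added example written for this page, not code from the poster or from the list; the W3C log lines in it are constructed for illustration, and the check for the URL-encoded form of "+" is a defensive assumption on my part, not something the message claims about the bug.

```python
"""Flag IIS W3C log entries that request <file>+.htr, the source-disclosure
probe discussed above. Added example; log lines below are constructed."""
from urllib.parse import unquote

# Constructed W3C extended log excerpt (IIS style); not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-12-19 10:14:02 10.0.0.5 GET /index.cfm - 200
2000-12-19 10:14:07 10.0.0.9 GET /login.asp+.htr - 200
2000-12-19 10:14:09 10.0.0.9 GET /global.asa%2B.htr - 200
2000-12-19 10:14:11 10.0.0.9 GET /scripts/iisadmin/ism.dll - 403
2000-12-19 10:14:15 10.0.0.7 GET /docs/readme.htr - 404
"""

PROBE_SUFFIX = "+.htr"


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directive, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, values))


def is_htr_probe(uri_stem):
    """True when the stem ends in '+.htr' (case-insensitive).

    unquote() decodes %2B to '+' but leaves a literal '+' alone, so both
    '/x.asp+.htr' and '/x.asp%2B.htr' normalise to the same suffix. Checking
    the encoded form is an assumption for defence in depth, not a claim
    about how the original bug was triggered.
    """
    return unquote(uri_stem).lower().endswith(PROBE_SUFFIX)


def find_htr_probes(log_text):
    """Return the requests that look like +.htr probes, with the file whose
    source was being requested and the status the server answered with."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        if not is_htr_probe(stem):
            continue
        decoded = unquote(stem)
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "target": decoded[:-len(PROBE_SUFFIX)],  # file the attacker wanted
            "status": rec["sc-status"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_htr_probes(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} asked for source of "
              f"{hit['target']} (status {hit['status']})")
```

A status of 200 on one of these lines tells you the server answered the probe; it does not by itself prove the source was returned, so treat each hit as a prompt to confirm the server is patched and to rotate any database credentials that file contained. Note that a legitimate request for a real .htr file, such as /docs/readme.htr, is not flagged, because the telltale is the "+" before ".htr", not the extension alone.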
