Andrew,

Correct me if I am mistaken, but I thought that was if the system was checking 
*only* mime-type. The framework checks both mime-type AND file extension. I did 
check on that at the time of that exploit and ensured that our framework was 
protected from that exploit. If I have missed something on that, do let me know.

The folder is set to allow reading and writing, but not execution. It has 
Application.cfm protection. I can ensure that the uploads are protected from 
unwanted files by BOTH mime-type and extension.

The location can be configured to a location outside of the web root. I think, 
however, that it can be made safe enough to obviate the need for a severe 
warning on that front.

If there is a specific threat that I have not addressed, however, I would 
certainly like to know.

I have Googled this topic in the past, so a specific unaddressed vulnerability 
would be helpful if there is something that I have missed.

Thanks,

Steve

>Yes but if you understand the problems with that then you would know that a
>file can be uploaded that is pretending to be a png or whatever it wants to
>be, and actually be a cfml or any other executable file.
>
>There has been enough discussion on this matter to adhere to the fact that
>the uploads directory should never, ever be in the webroot or even
>accessible from the URL. Google it, and you will see what I mean and refer
>to.
>
>fckEditor was a victim of this, as was Adobe and anyone else who used
>this exploitation.
>
>
>Regards,
>Andrew Scott
>http://www.andyscott.id.au/ 
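
Added example, not from either poster and not the code of the framework being discussed: the layered upload checks this thread argues over (extension allow-list, declared MIME type, content signature, server-generated file name, storage outside the web root), written in Python. The function names, the allow-list and the sample uploads are constructed for illustration, and `upload_dir` is assumed to be a directory outside the web root.

```python
import os
import secrets
import tempfile

# Allow-list: extension -> (expected MIME type, leading file signature).
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
}

class UploadRejected(Exception):
    """Raised when an upload fails one of the checks."""

def store_upload(name, declared_mime, data, upload_dir):
    # name and declared_mime come from the request, so the client controls both.
    # Only the final extension counts: "page.png.cfm" is judged as ".cfm".
    ext = os.path.splitext(os.path.basename(name))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed: %r" % ext)
    mime, magic = ALLOWED[ext]
    if declared_mime.lower() != mime:
        raise UploadRejected("declared MIME type does not match extension")
    # Check the bytes themselves; the two values above only describe them.
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    # A valid header does not prove the rest of the file is inert, so the
    # stored name is server-generated and the directory is outside the web root.
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    # O_EXCL refuses to overwrite; mode 0o600 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    """Run three constructed uploads; return one outcome string per upload."""
    samples = [
        ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("logo.png", "image/png", b"<cfoutput>hello</cfoutput>"),
        ("page.png.cfm", "image/png", b"\x89PNG\r\n\x1a\n"),
    ]
    out = []
    with tempfile.TemporaryDirectory() as d:  # stands in for the upload directory
        for name, mime, data in samples:
            try:
                stored = store_upload(name, mime, data, d)
                out.append("stored " + os.path.splitext(stored)[1])
            except UploadRejected as exc:
                out.append("rejected: " + str(exc))
    return out
```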

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340425