I think the fear would be if an EXE was uploaded as a "CFM" file...
Regards,
David @ Oyova - http://www.oyova.com

On Tue, Jan 4, 2011 at 5:52 PM, Steve Bryant <st...@bryantwebconsulting.com> wrote:

> Ian,
>
> I'm not sure that is exactly accurate. A mime-type can certainly be
> spoofed, no debate there. A file extension can be *changed*, but (unless I
> understand incorrectly), the server is going to decide how to handle a file
> based on the extension.
>
> So, for example, you may save a ColdFusion file as .png. At which point you
> can upload as an image in my framework. When it is requested in the URL,
> however, it is just an invalid image. CFAS will never process it because
> .png isn't on the list of file types for it to process. Even if it was,
> Application.cfm would run first and abort the process.
>
> Even if you did that with a .exe, the client computer wouldn't try to
> execute the code. It would just see it as an invalid image.
>
> If I am wrong on any of this, of course, I would love to know.
>
> I suppose I should bring up at this point why I have the default location
> where it is. It comes down to this: easy installation and set-up. Neptune
> sites should be super-easy to set up and get going and should run in as wide
> a variety of platforms as possible (some hosts, for example, don't give you
> space outside of your own web root).
>
> If the security implications of this are truly horrifying, of course, I
> could reconsider, but everything about the framework is supposed to be
> brain-dead easy to use. Any place where I move away from "blindingly easy to
> use" I want to have a really compelling reason to do so.
>
> Thanks,
>
> Steve
>
> > Both mime types and file extensions can be spoofed by a hacker as both
> > are just data that hackers can manipulate on their end of the
> > client-server relationship. Unless you are running code that actually
> > inspects the content of the file to confirm that it matches the file
> > type and the mime type reported by the http headers (which are trivial
> > to set by users who know how from the client) in the request, you are
> > opening a vulnerability here. Even if you do check, the file is
> > already uploaded while the checking is occurring, and a hacker can take
> > advantage of the delay to execute his code before your validation has a
> > chance to reject the file.
> >
> > And ALL of this is based on what the hackers are doing today with
> > today's vulnerabilities. Why leave your framework in a position where
> > it would be at risk if hackers figure out tomorrow some other way to
> > hide code in innocent looking files and execute it if the file is under
> > a web root?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340440
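A defender-side sketch of the content inspection Ian describes, added here as an example and not code from Neptune or from anyone on this thread. It is Python rather than CFML; the allowlist, the magic-byte table and the sample uploads are constructed, and the key behaviours are that the client's Content-Type is never trusted, the bytes must match the claimed extension, and nothing is written until validation has passed.

```python
import os
import pathlib
import secrets

# Allowlisted image extensions, each with the leading bytes ("magic") a
# genuine file of that type must start with. Constructed for this example.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def claimed_extension(filename: str) -> str:
    """Final extension of the client-supplied name, lower-cased.
    Only the last extension matters to a server's handler mapping, so
    'evil.cfm.png' claims to be a png and must then prove it by content."""
    base = os.path.basename(filename.replace("\\", "/"))
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def content_matches(ext: str, data: bytes) -> bool:
    """True only if the first bytes are a known signature for ext."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, []))


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (ok, reason). content_type is client-controlled, so it never
    influences the decision; it is only echoed in the rejection reason."""
    ext = claimed_extension(filename)
    if ext not in MAGIC:
        return False, f"extension {ext!r} is not in the allowlist"
    if not content_matches(ext, data):
        return False, f"bytes do not look like {ext} (client said {content_type!r})"
    return True, "ok"


def store_upload(filename: str, content_type: str, data: bytes, upload_dir: str):
    """Validate first, then write under a generated name. upload_dir is
    assumed to sit outside the web root; the client's name never reaches disk."""
    ok, reason = validate_upload(filename, content_type, data)
    if not ok:
        raise ValueError(reason)
    path = pathlib.Path(upload_dir) / f"{secrets.token_hex(16)}.{claimed_extension(filename)}"
    path.write_bytes(data)
    return path


# Constructed sample uploads: a real png header, CFML bytes under a .png name,
# and a double-extension name. Returns {name: ok} so the outcome is checkable.
def demo() -> dict:
    samples = [
        ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("photo.png", "image/png", b"<cfset x = 1>"),
        ("evil.cfm.png", "image/png", b"<cfoutput>#now()#</cfoutput>"),
        ("page.cfm", "image/png", b"\x89PNG\r\n\x1a\n"),
    ]
    return {f"{n}:{d[:4]!r}": validate_upload(n, c, d)[0] for n, c, d in samples}
```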