> I asked:
> > What workarounds, if any, can be used instead of applying the patch?
> 
> Adam Berry said:
> 
> "There is not a workaround other than the patch, which is why we released it."
> 
> 
> This kind of blanket statement is hard to accept. What if 
> IIS security has been used to only allow connections from 
> certain IPs, or IIS requires authentication? Would that take 
> care of it (assuming the people I'm trusting by these means 
> are actually trustworthy)?  

The patch itself, on Windows, simply replaces the various API and CGI stubs
that the web server uses to communicate with CF. So, if you don't allow
non-trustworthy people to connect to your web server, you shouldn't really
need the patch. Based on my understanding of ISAPI and other web server
APIs, all of the filtering and authentication stuff happens before the API
extension is invoked on behalf of the request.

I'd guess, though, that you'll have a hard time being sure that only
trustworthy people are in fact trusted - that problem hasn't ever been
solved in human history!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/