& in the url is fine, otherwise url parameters would never work, but & in
the filename is not fine.  e.g. fish&chips.cfm is not going to work.  this
can be a problem where you're letting users upload files that might have
invalid characters, but otherwise works pretty well.

it's fully customisable though as to what you want to allow and deny, but
the default settings seem pretty good.  it also logs everything that gets
rejected, so you can see any attempted hacks, or things that have been
rejected that should have been ok.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp


Duncan Cumming
IT Manager

http://www.alienationdesign.co.uk
mailto:[EMAIL PROTECTED]
Tel: 0141 575 9700
Fax: 0141 575 9600

Creative solutions in a technical world

----------------------------------------------------------------------
Get your domain names online from:
http://www.alienationdomains.co.uk
Reseller options available!
----------------------------------------------------------------------
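As an added example (not part of the thread and not URLScan's own code), a small Python model of the behaviour described above: the request path is screened for denied sequences, the query string is left alone so `&` in parameters keeps working, and every rejection is logged. The deny list is an assumption modelled on the characters mentioned in the thread, not the real urlscan.ini defaults, and the last sample shows the limit of this kind of filter: the DfES query from the thread passes untouched, because a character filter is not a substitute for cfqueryparam.

```python
import logging
from urllib.parse import urlsplit, unquote

# ASSUMPTION: deny list modelled on the sequences the thread mentions (; & *)
# plus the \ and : seen in the C:\cmd.exe probes it logs. Not a real urlscan.ini.
DENY_PATH_SEQUENCES = (";", "&", "*", "..", "\\", ":")

logging.basicConfig(format="%(levelname)s %(message)s")
log = logging.getLogger("urlscan-like")


def check_request(url):
    """Screen one request URL the way the thread describes URLScan working.

    Returns (allowed, reason). Only the decoded path is screened; the query
    string is deliberately left alone so ?a=1&b=2 keeps working, while
    fish&chips.cfm (an & in the filename) is rejected.
    """
    parts = urlsplit(url)
    path = unquote(parts.path)  # decode once so %3B cannot hide a ';'
    for seq in DENY_PATH_SEQUENCES:
        if seq in path:
            reason = "path contains denied sequence %r" % seq
            log.warning("REJECT %s (%s)", url, reason)  # the logfile Duncan mentions
            return False, reason
    return True, "ok"


def screen(urls):
    """Run check_request over a list and return only the rejected URLs."""
    return [u for u in urls if not check_request(u)[0]]


# Constructed sample requests covering the cases discussed in the thread.
SAMPLE_REQUESTS = [
    "http://host.example/index.cfm?action=list&page=2",        # & in query: fine
    "http://host.example/fish&chips.cfm",                     # & in filename: rejected
    "http://host.example/index.cfm;%20drop%20table%20admin",  # ; in path: rejected
    "http://host.example/C:%5Ccmd.exe",                       # C:\cmd.exe probe: rejected
    # The DfES URL from the thread: nothing in the path trips the filter, so a
    # character filter does NOT stop it; a parameterised query (cfqueryparam,
    # as Kola notes) is the real defence.
    "http://host.example/index.cfm?action=address.list&name=15%20OR%20id=2",
]

if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print(check_request(u), u)
```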


From: "Kola Oyedeji" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ cf-dev ] Kinda Hacking but ...
Sent: 03/04/2003 11:03
Please respond to dev



I'm assuming that you can tell it what to filter out. Isn't ";" used as
part of a J2EE session identifier on the url? And surely it doesn't
reject ampersands in the url?



Kola

>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]
>> Sent: 03 April 2003 10:09
>> To: [EMAIL PROTECTED]
>> Subject: RE: [ cf-dev ] Kinda Hacking but ...
>>
>>
>> works with IIS as part of the IISLockDown tool, although I think it can
>> also be installed on its own.  checks no invalid stuff is going into the
>> url, e.g.
>>
>> ; drop table admin
>>
>> would get rejected.  can't remember it all, but it's things like ;.&*
>> etc.
>> It keeps logfiles, you'd be surprised the amount of attempted url hacks
>> for C:\cmd.exe etc.
>>
>> should be installed as a basic security measure on any NT/2000 server
>> imho.
>>
>>
>> Duncan Cumming
>>
>>
>>
>> From: "Kola Oyedeji" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> cc:
>> Subject: RE: [ cf-dev ] Kinda Hacking but ...
>> Sent: 03/04/2003 10:05
>> Please respond to dev
>>
>> While we're on the subject, what exactly does urlscan do? We don't use
>> it here, we generally rely on using cfqueryparam and restricting DSNs.
>> I'm wondering if we should be using it.
>>
>>
>> Thanks
>>
>> Kola
>>
>> >> -----Original Message-----
>> >> From: Snake.Lists [mailto:[EMAIL PROTECTED]
>> >> Sent: 02 April 2003 18:24
>> >> To: [EMAIL PROTECTED]
>> >> Subject: RE: [ cf-dev ] Kinda Hacking but ...
>> >>
>> >> I put a stop to things like a while ago. It did used to be possible
>> >> tho.
>> >>
>> >> Russ
>> >>
>> >> -----Original Message-----
>> >> From: [EMAIL PROTECTED]
>> >> [mailto:[EMAIL PROTECTED]
>> >> Sent: 02 April 2003 17:16
>> >> To: [EMAIL PROTECTED]
>> >> Subject: RE: [ cf-dev ] Kinda Hacking but ...
>> >>
>> >>
>> >>
>> >> or how about updating some details, maybe insert a nice new LEA, delete
>> >> those we don't like.
>> >>
>> >>
>> >> Duncan Cumming
>> >>
>> >>
>> >>
>> >> From: Adrian Lynch <[EMAIL PROTECTED]>
>> >> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>> >> cc:
>> >> Subject: RE: [ cf-dev ] Kinda Hacking but ...
>> >> Sent: 02/04/2003 17:16
>> >> Please respond to dev
>> >>
>> >> Here's hoping it only has SELECT permissions!
>> >>
>> >> -----Original Message-----
>> >> From: [EMAIL PROTECTED]
>> >> [mailto:[EMAIL PROTECTED]
>> >> Sent: 02 April 2003 17:12
>> >> To: [EMAIL PROTECTED]
>> >> Subject: Re: [ cf-dev ] Kinda Hacking but ...
>> >>
>> >>
>> >>
>> >> well, next step is for some bright spark to stick a "; drop table
>> >> ContentLEAdetails" on there.
>> >>
>> >>
>> >> Duncan Cumming
>> >>
>> >>
>> >>
>> >>
>> >> From: Dave Phipps <[EMAIL PROTECTED]>
>> >> To: <[EMAIL PROTECTED]>
>> >> cc:
>> >> Subject: Re: [ cf-dev ] Kinda Hacking but ...
>> >> Sent: 02/04/2003 16:51
>> >> Please respond to dev
>> >>
>> >> I managed to get this to produce more than one record:
>> >>
>> >>
>> >> http://www.dfes.gov.uk/leagateway/index.cfm?action=address.list&name=15%20OR%20id=2
>> >>
>> >>
>> >> HTH
>> >>
>> >> Dave
>> >>
>> >> At 11:36 4/2/2003 +0100, you wrote:
>> >> >You obviously don't work in Education .... :)
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >"Stephen Moretti" <[EMAIL PROTECTED]> on 02/04/2003 11:32:58
>> >> >
>> >> >Please respond to [EMAIL PROTECTED]
>> >> >
>> >> >To:   [EMAIL PROTECTED]
>> >> >cc:    (bcc: Paul Swingewood/Education/BCC)
>> >> >Subject:  Re: [ cf-dev ] Kinda Hacking but ...
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >Paul,
>> >> >
>> >> >
>> >> > > This may be kinda hacking but I wonder if anyone can help me out on
>> >> > > this one ....
>> >> > >
>> >> > > I need a list of all the DfES LEAs in the country. (Local Education
>> >> > > Authority)
>> >> > >
>> >> > > The DFES website allows you to show them all in a-z format and then
>> >> > > click on each to get the details. Is there a fast way that I can
>> >> > > send a query or force their code to show them all in one go (Select
>> >> > > * from) .
>> >> > >
>> >> >
>> >> >How about asking the DfES??
>> >> >
>> >> >Stephen
>> >> >
>> >> >
>> >> >
>> >> >--
>> >> >** Archive:
>> http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
>> >> >
>> >> >To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >> >For additional commands, e-mail: [EMAIL PROTECTED]
>> >> >For human help, e-mail: [EMAIL PROTECTED]
>> >> >