Alan,
The only thing you need to worry about regarding source code "leakage" is
that the server might somehow be fooled into handing it out without passing it
first to Cold Fusion:
1. With IIS 4 - using the :$$DATA (see Allaire security bulletins)
2. With SP 6, adding on a .htm on the end of the URL might confuse things
(not sure about this...)
3. By any other of the many undocumented features (i.e. bugs ;-)
So do what you can, and don't worry about what you can't...
HTH,
Noam
----------
From: McCollough, Alan [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, 20 July 2000 17:43
To: '[EMAIL PROTECTED]'
Subject: Security considerations with index.cfm
I was pondering the following thought this morning...
Thinking about security and Fusebox.
Thinking that if somebody wanted to discern all of your CFINCLUDEd
templates, all they need is a source view of index.cfm, which they could get
easily by constructing their own page and (for Windows folks) right-clicking
on the hyperlink to save the code locally, as in:
<a href="www.foo.com/index.cfm">I'm gonna steal your code</a>
Then they could read the code, and by using the same technique as above,
ultimately get all of your source code.
Having never used CFCRYPT before, would it be an acceptable/worthwhile
measure to CFCRYPT index.cfm, thus preventing exposure of underlying CF
templates?
Alan McCollough
Web Programmer
Alaska Native Medical Center
------------------------------------------------------------------------------
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
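
Both concrete cases in the reply above are requests where something is appended to the .cfm template name, so one defensive check is to scan web server access logs for request paths that continue past ".cfm". The following is an added example, not part of the original messages; the log format and sample lines are constructed, and the suffix is spelled as it appears in the message.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2000:17:43:01 +0000] "GET /index.cfm?fuseaction=home HTTP/1.0" 200 5120
10.0.0.9 - - [20/Jul/2000:17:44:10 +0000] "GET /index.cfm:$$DATA HTTP/1.0" 200 2210
10.0.0.9 - - [20/Jul/2000:17:44:12 +0000] "GET /index.cfm.htm HTTP/1.0" 200 2210
10.0.0.9 - - [20/Jul/2000:17:44:15 +0000] "GET /app/index.cfm%3A%24%24DATA HTTP/1.0" 404 310
10.0.0.7 - - [20/Jul/2000:17:45:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 812
10.0.0.7 - - [20/Jul/2000:17:45:02 +0000] "GET /legacy/index.cfml HTTP/1.0" 200 4001
"""

# Method, request target and status code from one log line.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# ".cfm" followed by anything else in the path. The lookahead keeps a plain
# ".cfm" or ".cfml" template name from being reported.
SUFFIXED_CFM = re.compile(r'\.cfm(?!l?$)(.+)$', re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (decoded_path, status) for requests whose path runs past '.cfm'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, status = m.group(1), int(m.group(2))
        # Drop the query string first (it may legitimately contain ".cfm"),
        # then decode percent-escapes so an encoded suffix is caught too.
        path = unquote(target.split("?", 1)[0])
        if SUFFIXED_CFM.search(path):
            hits.append((path, status))
    return hits


if __name__ == "__main__":
    for path, status in suspicious_requests(SAMPLE_LOG):
        # A 200 on such a request deserves a look at what body was returned.
        print(f"{status}  {path}")
```

A hit with status 200 is the case to review first, since it means the server answered a request that did not name the template exactly.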