Sure,
it concerned dynamically filling in a cfinclude statement using a variable
i.e.
<cfparam name="includedfile" default="main.cfm">
<cfinclude template="#includedfile#">
The problem with doing it this way was that if someone knew your variable
and knew the structure of the site they could pass it different filenames.
i.e.
yoursite.com/include.cfm?includedfile=admin.cfm
or
yoursite.com/include.cfm?includedfile="/cfide/administrator/index.cfm"
etc.
It's old news, lots of security bulletins around about it.
Fred
----- Original Message -----
From: "Kenneth McNamara" <[EMAIL PROTECTED]>
To: "Fusebox" <[EMAIL PROTECTED]>
Sent: Wednesday, October 25, 2000 2:50 PM
Subject: CFINCLUDEing a variable
> A while ago someone raised the issue of a security problem with using variables in CFINCLUDES.
>
> Anyone remember that?
>
> Ken McNamara
> CF_Lackey
> ------------------------------------------------------------------------------
> To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
>
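An added example, not part of the original thread: one way to harden the include.cfm pattern described above is to map a request key to a fixed set of templates so the request never supplies a file name. The parameter name `url.page`, the templates `news.cfm` and `contact.cfm`, and the log file name `include_rejects` are assumptions made for illustration.

```cfml
<!--- Added example: hardened include.cfm (not code from the thread). --->

<!--- Read the selector from the URL scope only. An unscoped variable
      such as "includedfile" can also be filled from form or cookie data. --->
<cfparam name="url.page" default="main">

<!--- Fixed map from public keys to template files. Only templates meant
      to be reachable this way are listed, so admin.cfm and anything under
      /cfide/ can never be selected. Keys and file names are hypothetical. --->
<cfset allowedTemplates = StructNew()>
<cfset allowedTemplates["main"]    = "main.cfm">
<cfset allowedTemplates["news"]    = "news.cfm">
<cfset allowedTemplates["contact"] = "contact.cfm">

<cfif StructKeyExists(allowedTemplates, url.page)>
    <cfset variables.includedfile = allowedTemplates[url.page]>
<cfelse>
    <!--- Unknown key: record the attempt and fall back to the default page.
          The value is truncated and stripped of unexpected characters so a
          crafted parameter cannot forge or split log lines. --->
    <cfset safeValue = REReplace(Left(url.page, 100), "[^A-Za-z0-9_./\\-]", "?", "all")>
    <cflog file="include_rejects" type="warning"
           text="Rejected include key from #cgi.remote_addr#: #safeValue#">
    <cfset variables.includedfile = allowedTemplates["main"]>
</cfif>

<!--- The template path now always comes from the map, never from the request. --->
<cfinclude template="#variables.includedfile#">
```

With this in place, a request such as include.cfm?page=admin.cfm matches no key, is logged, and renders main.cfm.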