CFDIRECTORY filesystem interaction

2000-10-06 Thread Tim Lieberman

I have an administrative interface that uses CFDIRECTORY to rename and
delete directories.  It seems that NT won't allow those operations if
a web-user has caused the application to read any of the templates in
the directory in question within the past (approx.) 60 seconds, and CF
throws an error.

Is there a work-around for this?  

--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.



Re: How do you end a Session????

2000-04-13 Thread Tim Lieberman

At 01:19 PM 00/04/13 -0400, you wrote:
I'm trying to use session variables for unique users in my CF program, but
when I change users the session doesn't end.

1) What is the code to end a session?

I generally use StructClear(session).  Session variables are stored in a
structure.  That destroys that structure, and all session variables with it.  


2) Then, how would I incorporate the code to end the session by pressing a
"log off" button?

Have the link go to a page with something like:

<cfset temp = StructClear(session)>
<cflocation url="homepage.html">


thanks,
Brian
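A fuller logout template along the lines Tim describes, added here as an example and not code from the original post. It assumes the default cookie-based session identifiers (CFID/CFTOKEN): StructClear() empties the session structure, but the browser still holds a session id the server recognises, so the template also expires those cookies before redirecting to homepage.html.

```cfml
<!--- logout.cfm: example added by the editor, not from the original post --->

<!--- Drop every variable stored in the session structure --->
<cfset temp = StructClear(session)>

<!--- StructClear() does not invalidate the session id the browser holds;
      expire the CFID/CFTOKEN cookies (assumed default session cookies)
      so the browser stops presenting the old id on later requests --->
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">

<!--- Send the user back to the start page without appending a session token --->
<cflocation url="homepage.html" addtoken="no">
```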



Re: Show Of Hands

2000-04-06 Thread Tim Lieberman

I agree, it wouldn't be very hard for Allaire to include a special,
reserved, application-scope variable which would point to a custom-tags
folder for that application.  I'd like to see that very much in a future
release.


At 01:29 PM 00/04/06 -0500, you wrote:

OK - (seriously) can I get a show of hands (via email) of those developers
who think the ability to specify the path to a custom tag would be a good
feature - specifically NOT using cf module...and here's why.

I like the ability to call a custom tag inside a site, while having that
site's/app's structure NOT rely on any specific hosting provider. So if I
create and/or use custom tags and keep them in a central place for use
throughout the site I need to use cfmodule and provide attributes.

My problem with this solution comes in the form of writing VTML dialog boxes
for easy implementation. The minute you call the tag in cfmodule and then
you want to go back and edit it (using the VTML dialog box, or tag insight
you wrote) you can't because the tag now is a cfmodule tag and thus uses the
cfmodule VTML file...

Does anyone else see this as a problem???

Thanks
James

Thanks for your response Dan..
(I'm trying to get a quorum of developers - so I can pass this along to
Allaire and hopefully have it implemented on the next release - the majority
rules here folks, squeaky wheel and all that...)



Tim Lieberman   Take a break and have a listen, 
Electric Mind Control   Do It NOW:
Workshop  Funk Bakery  http://www.mp3.com/emcw 



RE: Security holes revisited -- reward offered

2000-04-05 Thread Tim Lieberman

It's only extortion if there's a threat implied.  

Think of it this way:
1) If there is an exploitable hole, your box is insecure.
2) Assuming I don't cause any damage[*], all I'm doing is
alerting you to a security problem.  

It's not really ethical to do this, but it's not extortion either.  It's
more like a locksmith walking into your locked office at night, and leaving
a note that says: "Your locks suck - I was able to pick them in under 30
seconds.  Call me at number and we'll talk about getting you some real
security".

Yes he was trespassing, but it's not extortion.  Some might call it
"breaking and entering", but assuming the lock still functions (in what is
now recognized as a limited capacity), I wouldn't agree with the "breaking"
part.

Extortion would be, for example, if I hacked your box, deleted some
unimportant data, and said that if I didn't get paid, I'd come back and
delete some important stuff.  

[*] Some companies try to claim that someone breaking their security causes
damage in the form of losses to upgrade/update/fix their security.  This is
a fallacy, the hole was there before the 'hacker' exploited/called
attention to it.  


At 06:15 PM 00/04/05 -0400, you wrote:
Gee sounds like a classic mafia protection racket. Pay us or your business
will suddenly have some broken windows. Most places call this extortion.

 - Steve


-Original Message-
From: Jennifer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 12:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Security holes revisited -- reward offered


At 08:29 AM 4/5/00 -0500, you wrote:
So what do you guys think about part time hackers that attempt a breakin,
post general results on a website, and then ask for payment to fix your
problems?




RE: Security holes revisited

2000-04-05 Thread Tim Lieberman

At 07:32 PM 00/04/05 -0400, you wrote:
 Not to mention the fact that you don't actually have to utilize a
 vulnerability to know that it is there. Vulnerabilities all
 have signatures or characteristics that make them visible without
 doing anything illegal at all, unless you want to argue that having
 your router route traffic to the machine in question constitutes
 improper use of your private property. Anyway, there are numerous
 tools out there that will not only scan a machine for vulnerabilities
 and report back what they are, but also how they work, and how they
 can be fixed. In my opinion, this is like driving by a house with
 all the doors wide open and then leaving a note saying, "Hey, silly
 person! You left your doors wide open." As long as they don't take
 your TV or tell their friend to do so nothing has changed. I feel
 that a lot of the anger and rant following this sort of thing stems
 from pure embarrassment. Get over it and learn to tighten up the ship.
 If it's that critical it shouldn't be scannable to begin with.

This is one of the rare times I have to disagree with you. Not all
vulnerabilities are simply a matter of scanning, and scanning itself,
carried to its extreme, is an intrusion. Following your analogy, a complete
system scan (say all ports from 1-65k, attempts to communicate with IPC
listeners, OS/service identification, etc) wouldn't be like someone driving
by my house, but more like someone walking through my house and looking in
the clothes hamper! Even if they didn't touch anything, they've gone where
they shouldn't. I'm not the only one who feels this way: do some complete,
non-subtle port scans on federal or state government networks, and see how
long it takes for the hostmaster for your IP address range to get an email
(The answer: less than 10 minutes).


I disagree.  Your open ports are your "interface" to the world. Is it wrong
for me to test one port?  That's essentially what I'd do if I tried typing
http://yoursite.com/ in my browser.  Two, what if I fingered your box 
when I found you were[n't] running a webserver.  If one or two ports are
legit, why not three, four, ... or 65k?

Slippery slope, yes.  But you could make the argument that it's unethical
to try to connect to a machine on port 80 if it hasn't been "advertised" as
a web server.

I guess the best real-world analogy is walking through an office and 
turning door knobs to see which are or aren't locked.  Of course, real-world
analogies are pretty flawed, but this one isn't too bad.  To qualify for
"looking in the clothes hamper" status, I think you'd have to actually
compromise the system to some degree.  You can't look in a hamper just
by trying the doorknob, and seeing what happens. 

Oh, and about the locksmith scenario, let's rephrase it so he doesn't enter
and leave a note.  He picks the lock, opens the door (maybe not even), 
closes it, locks it, leaves, and calls later to leave voicemail.

One more thing, that probably should be its own message, but seeing as this
has gone pretty far OT

In my original post, I neglected the "post publicly" clause.  I agree that
it's wrong to do that.  Locksmith putting up a sign in the yard is a good
analogy.  The proper thing to do (regardless of whether the initial survey
is proper or not) would be to contact a sysadmin discreetly.


I once discovered a CF site (see, on topic! almost) that was vulnerable to 
the ::$DATA IIS problem.  I took his index.cfm and emailed it to him, with
some explanation and a couple of links.  I received a nice thank you note,
which I thought was appropriate.  Your attitude makes me feel like I should 
have kept my mouth shut for fear of p[ros|ers]ecution. 





RE: Security holes revisited

2000-04-05 Thread Tim Lieberman

It could be possible.  Consider a protocol that utilized public-key
encryption.  Every packet would have to be signed with the sender's private
key.  Of course, anonymity goes completely out the window, but faking
return-addresses would be impossible.  Faking return addresses seems to be
fairly essential to TCP/IP flavored DOS attacks.  

-Tim

At 08:50 PM 00/04/05 -0400, you wrote:
I'm not sure I follow. I know a decent amount about protocols and networking
and, to my knowledge, there is no way, at the protocol level, to stop a DoS
attack. I don't care how efficient the protocol is, if the server gets
overloaded with requests, it can't provide service to every request,
therefore service is denied (DoS). You can implement some QoS tools which
will allow you to selectively service certain requests or protocols and/or
use your router or firewall effectively but, again, these tools also have
limits which, when reached, prevent the servicing of further requests (DoS).

As a more digestible example, if you and all your co-workers try to retrieve
your email at the same time  then some of the requests will take longer than
others. You frequently hear people say things like, "the mail server is slow
today." What is happening is an unintentional denial or reduction of
service. Hmmm, using that example, what's it called if everyone in your
building flushes the toilet at the same time :)

Steve

-Original Message-
From: Jennifer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 8:01 PM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited


At 07:32 PM 4/5/00 -0400, you wrote:
  Finally, if you follow your
scanning example to its logical extreme, then denial of service attacks are
just fine; they don't take advantage of any target vulnerabilities.

That is not true. DOS does take advantage of a target vulnerability. The
vulnerability isn't on the attacked computer, but in http itself. Other
transfer protocols don't have this problem. Supposedly, there is one
available with basically the same capabilities as http but that doesn't
make sites vulnerable to DOS attacks. It is more private also, but the
industry as a whole would have to shift to it and I don't see that
happening any time soon.




Re: (admin) Re: Is HomeSite Soon To Be History?

2000-04-05 Thread Tim Lieberman

Products can't be under NDA - only people who signed NDAs can be under
NDAs.  Products are incapable of signing contracts.

Also, I have signed no such contract.  Therefore it ought to be legal for
me to talk about such a product whenever I want.  Perhaps the original
poster was under NDA, but that should hardly affect the rest of the list
population.  If Macromedia has a problem, they'll have to take it up with
whomever violated said NDA.

my 2c

-Tim

At 09:56 PM 00/04/05 -0400, you wrote:
Please note that this product is still under NDA from what I know and those
who are beta testing it should not be speaking about it on the list.
Anything that is under NDA should NEVER be posted to the list. The last
thing we all need is a company coming down on us for 'breaking' NDA.
 That being said, let me say that any 'press releases' like this should have
a header on the subject line announcing themselves as such.

 WTF? What's going on here? Using a listserv to SPAM the entire CF community,
 and under the weak guise of a query into the viability of HomeSite? This is
 quite lame. I hope that Mike does not allow this to continue.

 Steve

 -Original Message-
 From: WorldNet [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, April 05, 2000 8:54 PM
 To: CF-Talk
 Subject: Is HomeSite Soon To Be History?


 HomeSite is the best and most popular development tool around *but* is
 extremely vulnerable to the fact that developers can no longer afford to
 *not* also use a layout-page-code generator in conjunction with HomeSite or
 ***as a total replacement*** to be 100% productive.

 It seems Macromedia has not been asleep at the wheel and I wonder what
 the near future will bring...Consider this announcement from Macromedia...

 Macromedia announces code name UltraDev at Internet World today.

 What is UltraDev?
 Designed specifically for application development, UltraDev is a brand
 new product based on the Dreamweaver core architecture. UltraDev is
 the first solution to support ASP, JSP and CFML within a single design
 environment.

 Once UltraDev ships it will allow you to:

 1. Create professional web applications
 UltraDev provides everything you need to build, manage, and deploy
 dynamic, database-driven Web applications.

 2. Maintain total control over code
 UltraDev is the only product with visual and source editing for total
 control over source code.

 3. Connect easily to databases
 Quickly connect existing, static web pages to any ODBC, JDBC, or ADO
 database including Oracle, Sybase, Informix, Microsoft SQL Server and
 Microsoft Access.

 4. View server-side data in the workspace
 Save time and avoid repetitive tasks by viewing, testing, and editing
 live data returned from the application server in your workspace.

 5. Build for industry-standard servers
 UltraDev is the only solution that lets you build ASP, JSP, and Cold
 Fusion sites in one single design environment. Build sites for robust
 industry servers like Microsoft IIS, Allaire Cold Fusion, IBM
 Websphere, BEA WebLogic, and Netscape Enterprise Server.

 6. Create robust enterprise-ready Web applications
 Through extensibility, UltraDev integrates with other leading servers,
 Web applications and e-commerce solutions.


  UltraDev is NOT a replacement to Dreamweaver, it's a new standalone
 product built on the Dreamweaver core architecture.

 UltraDev IS the replacement to Drumbeat.  Macromedia is not planning
 to rev Drumbeat.

 UltraDev is expected to ship in June.


 FAQ
 What is the difference between Dreamweaver and UltraDev?
 Dreamweaver is a visual design solution for creating HTML web sites.
 While Dreamweaver is open to integrating with leading web application
 servers, it is not engineered for visually creating web applications.
 UltraDev was built specifically for creating dynamic Web applications
 using technologies like ASP, JSP, and CFML.

 What is the price of UltraDev?
 Macromedia has not yet announced pricing for UltraDev. However, it
 will be priced competitively with other Web application development
 environments.

 I am a Macromedia customer and I currently develop Web applications.
 Will I be able to purchase UltraDev for a special price?
 Yes, but you must register your Macromedia product to qualify for any
 special offer.

 Is UltraDev an add-on to Dreamweaver?
 No, it is a new stand-alone product that is designed to meet the
 specific needs of Web application developers.

 Does UltraDev replace Drumbeat?
 Yes. When UltraDev ships it will replace Drumbeat as Macromedia's
 solution for Web application development.

 Will there be an upgrade path from Drumbeat to UltraDev?
 Yes, registered users of Drumbeat will be offered an upgrade at a very
 competitive price.

 Will you continue to support Drumbeat?
 Yes, we will continue to provide Drumbeat technical support through
 the end of the year.

 Does this mean you won't be updating Drumbeat?
 Correct, UltraDev replaces Drumbeat as the Macromedia solution for
 creating