RE: Allaire security problem - anyone know solution?

2000-08-04 Thread Dave Watts

> Your comments raise a simple question:
>
> > 2. Remove the right to read files from whatever user the CF server is
> > running as (typically SYSTEM). All CF needs to be able to do
> > is execute.
>
> I presume this will not affect reading the contents of a file with
> cffile/read ??

No, I'd guess that it would affect reading the contents of files using
CFFILE. You'd have to change permissions appropriately for whatever files
you want to read with CFFILE.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.



Re: Allaire security problem - anyone know solution?

2000-08-04 Thread Ann Marie Thurmond

Courtesy of Nathan from the BACFUG mailing list:

An easy way to patch it is to go into IIS and remove the .htr extension in the configuration of ISAPI extensions.

Date: Thu, 3 Aug 2000 20:49:53 -0700
From: "Mooner Ent" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: Allaire security problem - anyone know solution?
Message-ID: <00f601bffdc7$0caa9b90$7b1610cf@desktop>

Allaire security bulletin says

Originally Posted: May 22, 2000
Last Updated: May 22, 2000

Why are we just finding out that our entire server-side code can be read???
I check the security section often; did I overlook it?

We found out about DATA much sooner.

Rick



Excuse the rant.
- Original Message -
From: "Daniel J. Cody" <[EMAIL PROTECTED]>
Newsgroups: cf-talk
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 9:46 AM
Subject: Re: Allaire security problem - anyone know solution?


> Dave, I wasn't able to reproduce this on CF 4.5.1 on Linux+Apache. I
> think this might be more of an IIS issue than a CF one. Check out
> http://www.securityfocus.com/focus/microsoft/iis/iismain.html for more
> info on .htr issues.
>
> .djc.
>
> Dave Wilson wrote:
> >
> > Hi all,
> >
> > One of my hosting clients has just made me aware of this major security
> > problem and I'm wondering if anyone knows how to eliminate it?
> >
> > Try calling the application.cfm template on any CF site with +.htr appended
> > to the end of the url. You'll first see a blank page. Now hit refresh/reload
> > and you'll see the full code of said application.cfm
> >
> > e.g. http://www.support.alllaire.com/application.cfm+.htr
> >
> > Can someone please tell me there is a patch for this. It seems to happen on
> > all CFserver versions 4.x + running IIS 4.0 with Service pack 5



--

Date: Fri, 4 Aug 2000 09:45:45 +0200
From: "Johan Coens" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: Allaire security problem - anyone know solution?
Message-ID: <[EMAIL PROTECTED]>

One easy solution:
CFENCRYPT it.



-Original Message-
From: Mooner Ent [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 4 augustus 2000 5:50
To: [EMAIL PROTECTED]
Subject: Re: Allaire security problem - anyone know solution?


Allaire security bulletin says

Originally Posted: May 22, 2000
Last Updated: May 22, 2000

Why are we just finding out that our entire server-side code can be read???
I check the security section often; did I overlook it?

We found out about DATA much sooner.

Rick



Excuse the rant.
- Original Message -
From: "Daniel J. Cody" <[EMAIL PROTECTED]>
Newsgroups: cf-talk
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 9:46 AM
Subject: Re: Allaire security problem - anyone know solution?


> Dave, I wasn't able to reproduce this on CF 4.5.1 on Linux+Apache. I
> think this might be more of an IIS issue than a CF one. Check out
> http://www.securityfocus.com/focus/microsoft/iis/iismain.html for more
> info on .htr issues.
>
> .djc.
>
> Dave Wilson wrote:
> >
> > Hi all,
> >
> > One of my hosting clients has just made me aware of this major security
> > problem and I'm wondering if anyone knows how to eliminate it?
> >
> > Try calling the application.cfm template on any CF site with +.htr appended
> > to the end of the url. You'll first see a blank page. Now hit refresh/reload
> > and you'll see the full code of said application.cfm
> >
> > e.g. http://www.support.alllaire.com/application.cfm+.htr
> >
> > Can someone please tell me there is a patch for this. It seems to happen on
> > all CFserver versions 4.x + running IIS 4.0 with Service pack 5



RE: Allaire security problem - anyone know solution? - RTM

2000-08-04 Thread Cary Gordon

I suggest that everyone read the Microsoft Security bulletin on this subject. I also highly recommend that anyone administering IIS subscribe to the bulletins; it's free.

Cary

At 03:05 PM 8/3/2000 -0400, you wrote:
>Dave,
>
>Unless you're using an application which specifically utilizes ".htr",
>Microsoft is recommending removing the association in IIS. Once you do that,
>anyone trying that trick will get a 404 error.
>
>HTH,
>
>John
>
>-Original Message-
>From: Dave Wilson [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, August 03, 2000 12:27 PM
>To: [EMAIL PROTECTED]
>Subject: Allaire security problem - anyone know solution?
>
>
>Hi all,
>
>One of my hosting clients has just made me aware of this major security
>problem and I'm wondering if anyone knows how to eliminate it?
>
>Try calling the application.cfm template on any CF site with +.htr appended
>to the end of the url. You'll first see a blank page. Now hit refresh/reload
>and you'll see the full code of said application.cfm
>
>e.g. http://www.support.alllaire.com/application.cfm+.htr
>
>Can someone please tell me there is a patch for this. It seems to happen on
>all CFserver versions 4.x + running IIS 4.0 with Service pack 5
>
>Dave
>
>Dave Wilson
>Internet Technology Manager,
>BizNet Solutions
>
>
>Co-Founder CFUG Ireland
>http://www.cfug.ie
>
>224, Lisburn Road
>Belfast BT9 6GE
>
>Tel: 02890 225 776
>Fax: 02890 223 223
>web: http://www.biznet-solutions.com
>
>email: [EMAIL PROTECTED]
>
>

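The two defensive points made in this part of the thread (remove the .htr ISAPI mapping, after which the trick yields a 404, and keep an eye on anyone still trying it) translate into a simple log check. The following is an added example, not code from the cf-talk list, from Allaire or from Microsoft: it parses IIS W3C extended log lines by their `#Fields:` directive, flags every request for a `.htr` resource on a site that has none, recovers the template the `+.htr` request was really aimed at, and reports which clients probed, which files they targeted, and how many requests were still answered with a 200 rather than a 404. The log excerpt, the IP addresses and the field set in its `#Fields:` line are constructed for this example.

```python
"""Flag ".htr" source-disclosure probes in IIS W3C extended log lines.

Added example for the thread above; it is not code from the cf-talk list,
Allaire or Microsoft. It assumes the site serves no legitimate .htr
resources (the case in which the thread recommends removing the mapping),
so every .htr request is worth a look. The sample log excerpt and the
field set in its #Fields: line are constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample: a few lines of W3C extended log, not from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-08-03 17:25:10
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-08-03 17:25:10 10.0.0.5 GET /index.cfm - 200
2000-08-03 17:25:31 10.0.0.5 GET /application.cfm+.htr - 200
2000-08-03 17:25:44 10.0.0.5 GET /application.cfm+.htr - 200
2000-08-03 17:26:02 10.0.0.9 GET /admin/login.cfm+.HTR - 404
2000-08-03 17:26:15 10.0.0.9 GET /global.asa+.htr - 404
2000-08-03 17:27:00 10.0.0.7 GET /images/logo.gif - 200
2000-08-03 17:27:12 10.0.0.5 GET /secure/app.cfm - 200
"""

# "<real file>+.htr": the request shape described in the thread. Matched
# case-insensitively because IIS on NTFS does not distinguish .htr from .HTR.
PLUS_HTR = re.compile(r"^(?P<target>.+?)\+\.htr$", re.IGNORECASE)


@dataclass(frozen=True)
class HtrProbe:
    time: str
    client: str
    requested: str  # cs-uri-stem exactly as logged
    target: str     # the file the request was really aimed at
    status: int     # 200 means the .htr mapping was still in place


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other directives carry no request data
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign
        yield dict(zip(fields, values))


def find_htr_probes(text):
    """Return every request that asked for a .htr resource, oldest first."""
    probes = []
    for rec in parse_w3c(text):
        # Normalize percent-encoding before matching. In W3C logs a "+" inside
        # a field may also stand for a space, so both readings are covered.
        stem = unquote(rec.get("cs-uri-stem", ""))
        status = int(rec.get("sc-status", "0"))
        m = PLUS_HTR.match(stem)
        if m:
            target = m.group("target")
        elif stem.lower().endswith(".htr"):
            target = stem  # a bare .htr request on a site that has none
        else:
            continue
        probes.append(HtrProbe(rec.get("time", ""), rec.get("c-ip", ""),
                               rec.get("cs-uri-stem", ""), target, status))
    return probes


def summarize(probes):
    """Who probed, what they aimed at, and how many requests were still served."""
    return {
        "by_client": Counter(p.client for p in probes),
        "by_target": Counter(p.target for p in probes),
        "served_200": sum(1 for p in probes if p.status == 200),
        "rejected_404": sum(1 for p in probes if p.status == 404),
    }


if __name__ == "__main__":
    found = find_htr_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p.time} {p.client:<10} {p.status} {p.requested} -> {p.target}")
    print(summarize(found))
```

Read the summary the way the thread describes the symptom: a 404 on a `+.htr` request confirms the mapping is gone on that host, while a 200 (in Dave's description, a blank page followed by the source on reload, so typically two 200s from the same client to the same template a few seconds apart) identifies a server that still needs the fix and a file whose contents should be assumed disclosed.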



RE: Allaire security problem - anyone know solution?

2000-08-04 Thread Robert Forsyth

I've tried this on 10 different IIS servers with different CF versions, different 
Service Packs and configurations and I cannot get it to reproduce.

Robert Forsyth
Director of Web Operations
Irides, LLC
Phone: 202-364-7831
  Fax: 202-364-2481

-Original Message-
From: Hoffman, Joe (CIT) [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 04, 2000 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?


As usual, no problem with O'Reilly WebSite Pro here.

>anyone know solution?
Yes ... for starters it can be found here
http://website.oreilly.com/wspro2/demo.cfm

Joe Hoffman mailto:[EMAIL PROTECTED]
National Institutes of Health 
Center for Information Technology 
Division of Computer System Services

-Original Message-
From: Steve Pierce [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 9:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?


Problem doesn't seem to impact O'Reilly Website servers, only IIS.

 - Steve

Steve Pierce, HDL
"Co-Location starting $99 per month, no setup fee"
(734) 482-9682 | mailto:[EMAIL PROTECTED] | http://HDL.com



-Original Message-
From: Robert Everland [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 4:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?


http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full

-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IIS 4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]





RE: Allaire security problem - anyone know solution?

2000-08-04 Thread Hoffman, Joe (CIT)

As usual, no problem with O'Reilly WebSite Pro here.

>anyone know solution?
Yes ... for starters it can be found here
http://website.oreilly.com/wspro2/demo.cfm

Joe Hoffman mailto:[EMAIL PROTECTED]
National Institutes of Health 
Center for Information Technology 
Division of Computer System Services

-Original Message-
From: Steve Pierce [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 9:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?


Problem doesn't seem to impact O'Reilly Website servers, only IIS.

 - Steve

Steve Pierce, HDL
"Co-Location starting $99 per month, no setup fee"
(734) 482-9682 | mailto:[EMAIL PROTECTED] | http://HDL.com



-Original Message-
From: Robert Everland [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 4:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?


http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full

-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IIS 4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]





RE: Allaire security problem - anyone know solution?

2000-08-04 Thread Rich Wild

>It only seems to work if you know
>the directory where application.cfm exists.

Careful Dan, it works on every file - try it

--
Rich Wild
Senior Web Designer

---
e-mango.com ltd  Tel: 01202 587 400
Lansdowne Place  Fax: 01202 587 401
17 Holdenhurst Road
Bournemouth   Mailto:[EMAIL PROTECTED]
BH8 8EW, UK  http://www.e-mango.com
---
This message may contain information which is legally
privileged and/or confidential.  If you are not the
intended recipient, you are hereby notified that any
unauthorised disclosure, copying, distribution or use
of this information is strictly prohibited. Such
notification notwithstanding, any comments, opinions,
information or conclusions expressed in this message
are those of the originator, not of e-mango.com ltd,
unless otherwise explicitly and independently indicated
by an authorised representative of e-mango.com ltd.
---
 

-Original Message-
From: Dan Haley [mailto:[EMAIL PROTECTED]]
Sent: 03 August 2000 19:10
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?


Wow, that's ugly.  You don't even need to do the refresh, just view the
source of the page and it is right there.  It only seems to work if you know
the directory where application.cfm exists.  If you are operating with a
single application.cfm you can move it up one directory, outside of the web
root, and it doesn't work.  It also doesn't appear to work with other .cfm
files.


Don't use application.cfm - use app_globals.cfm.  :)


Dan

-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 9:27 AM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IIS 4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]





RE: Allaire security problem - anyone know solution?

2000-08-04 Thread Johan Coens

What about CFENCODE? I know it's not a solution, but it is a way to
'protect' your code. This .htr vulnerability is one, but surely there will
be others.

-Johan

-Original Message-
From: Rick Osborne [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 4 augustus 2000 10:03
To: [EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?


You're kidding, right?

http://devex.allaire.com/developer/gallery/info.cfm?ID=B61C031D-2CE5-11D4-83D700508B94F85A&method=Full
http://www.rixsoft.com/ColdFusion/CFX/CFMEncrypt/
http://packetstorm.securify.com/9907-exploits/cfdecrypt.txt
http://shroom.dv8.org/bmp/crypt.cgi
http://www.rewted.org/exploits/sorted-by-date/07-1999/cfdecrypt.c

CF Encryption is broken.  It'll keep honest people out of your code, but it
is by no means a "solution".

(Sorry, I'm not trying to be mean or anything, I just don't think it's good
that people put all their eggs in one basket.  Or, in this case, all of
their faith in a broken system.)

-Rick

-Original Message-
From: Johan Coens [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 04, 2000 3:46 AM
To: [EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?


One easy solution:
CFENCRYPT it.



-Original Message-
From: Mooner Ent [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 4 augustus 2000 5:50
To: [EMAIL PROTECTED]
Subject: Re: Allaire security problem - anyone know solution?


Allaire security bulletin says

Originally Posted: May 22, 2000
Last Updated: May 22, 2000

Why are we just finding out that our entire server-side code can be read???
I check the security section often; did I overlook it?

We found out about DATA much sooner.

Rick



Excuse the rant.





RE: Allaire security problem - anyone know solution?

2000-08-04 Thread Rick Osborne

You're kidding, right?

http://devex.allaire.com/developer/gallery/info.cfm?ID=B61C031D-2CE5-11D4-83D700508B94F85A&method=Full
http://www.rixsoft.com/ColdFusion/CFX/CFMEncrypt/
http://packetstorm.securify.com/9907-exploits/cfdecrypt.txt
http://shroom.dv8.org/bmp/crypt.cgi
http://www.rewted.org/exploits/sorted-by-date/07-1999/cfdecrypt.c

CF Encryption is broken.  It'll keep honest people out of your code, but it
is by no means a "solution".

(Sorry, I'm not trying to be mean or anything, I just don't think it's good
that people put all their eggs in one basket.  Or, in this case, all of
their faith in a broken system.)

-Rick

-Original Message-
From: Johan Coens [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 04, 2000 3:46 AM
To: [EMAIL PROTECTED]
Subject: RE: Allaire security problem - anyone know solution?


One easy solution:
CFENCRYPT it.



-Original Message-
From: Mooner Ent [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 4 augustus 2000 5:50
To: [EMAIL PROTECTED]
Subject: Re: Allaire security problem - anyone know solution?


Allaire security bulletin says

Originally Posted: May 22, 2000
Last Updated: May 22, 2000

Why are we just finding out that our entire server-side code can be read???
I check the security section often; did I overlook it?

We found out about DATA much sooner.

Rick



Excuse the rant.




RE: Allaire security problem - anyone know solution?

2000-08-04 Thread Johan Coens

One easy solution:
CFENCRYPT it.



-Original Message-
From: Mooner Ent [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 4 augustus 2000 5:50
To: [EMAIL PROTECTED]
Subject: Re: Allaire security problem - anyone know solution?


Allaire security bulletin says

Originally Posted: May 22, 2000
Last Updated: May 22, 2000

Why are we just finding out that our entire server-side code can be read???
I check the security section often; did I overlook it?

We found out about DATA much sooner.

Rick



Excuse the rant.
- Original Message -
From: "Daniel J. Cody" <[EMAIL PROTECTED]>
Newsgroups: cf-talk
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 9:46 AM
Subject: Re: Allaire security problem - anyone know solution?


> Dave, I wasn't able to reproduce this on CF 4.5.1 on Linux+Apache. I
> think this might be more of an IIS issue than a CF one. Check out
> http://www.securityfocus.com/focus/microsoft/iis/iismain.html for more
> info on .htr issues.
>
> .djc.
>
> Dave Wilson wrote:
> >
> > Hi all,
> >
> > One of my hosting clients has just made me aware of this major security
> > problem and I'm wondering if anyone knows how to eliminate it?
> >
> > Try calling the application.cfm template on any CF site with +.htr appended
> > to the end of the url. You'll first see a blank page. Now hit refresh/reload
> > and you'll see the full code of said application.cfm
> >
> > e.g. http://www.support.alllaire.com/application.cfm+.htr
> >
> > Can someone please tell me there is a patch for this. It seems to happen on
> > all CFserver versions 4.x + running IIS 4.0 with Service pack 5






Re: Allaire security problem - anyone know solution?

2000-08-04 Thread Mooner Ent

Allaire security bulletin says

Originally Posted: May 22, 2000
Last Updated: May 22, 2000

Why are we just finding out that our entire server-side code can be read???
I check the security section often; did I overlook it?

We found out about DATA much sooner.

Rick



Excuse the rant.
- Original Message -
From: "Daniel J. Cody" <[EMAIL PROTECTED]>
Newsgroups: cf-talk
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 9:46 AM
Subject: Re: Allaire security problem - anyone know solution?


> Dave, I wasn't able to reproduce this on CF 4.5.1 on Linux+Apache. I
> think this might be more of an IIS issue than a CF one. Check out
> http://www.securityfocus.com/focus/microsoft/iis/iismain.html for more
> info on .htr issues.
>
> .djc.
>
> Dave Wilson wrote:
> >
> > Hi all,
> >
> > One of my hosting clients has just made me aware of this major security
> > problem and I'm wondering if anyone knows how to eliminate it?
> >
> > Try calling the application.cfm template on any CF site with +.htr appended
> > to the end of the url. You'll first see a blank page. Now hit refresh/reload
> > and you'll see the full code of said application.cfm
> >
> > e.g. http://www.support.alllaire.com/application.cfm+.htr
> >
> > Can someone please tell me there is a patch for this. It seems to happen on
> > all CFserver versions 4.x + running IIS 4.0 with Service pack 5





Re: Allaire security problem - anyone know solution?

2000-08-03 Thread Jared Clinton

It's in a CFQuery, so it's just passing the command to whatever the DSN points to.

[EMAIL PROTECTED] wrote:

> > Please see:
> >
> > http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full
>
> And then *really* see http://beta.allaire.com/login.cfm+.htr. They should eat their 
>own dogfood, so to speak.
>
> BTW, what's up with this from that page:
>
>   {CALL ValidateUser('#Form.UserName#', '#Form.Password#')}
>
> ... is that Spectra code, or some CFv5 function call code??
>
> -Ron
>


RE: Allaire security problem - anyone know solution?

2000-08-03 Thread David Sparkman

Go to

http://www.ablecommerce.com/index.cfm+.htr

Then hit refresh. It is a problem on a lot of sites, and it is not limited to
ColdFusion or to application.cfm.

Thanks,
David Sparkman

-Original Message-
From: Roberts, Jesse D [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 2:05 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?


I can't reproduce your results on any of the 3 systems I tried, including
Allaire's site.  Do you have any more information?

> -Original Message-
> From: Dave Wilson [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, August 03, 2000 9:27 AM
> To:   [EMAIL PROTECTED]
> Subject:  Allaire security problem - anyone know solution?
>
> Hi all,
>
> One of my hosting clients has just made me aware of this major security
> problem and I'm wondering if anyone knows how to eliminate it?
>
> Try calling the application.cfm template on any CF site with +.htr appended
> to the end of the url. You'll first see a blank page. Now hit refresh/reload
> and you'll see the full code of said application.cfm
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr
>
> Can someone please tell me there is a patch for this. It seems to happen on
> all CFserver versions 4.x + running IIS 4.0 with Service pack 5
>
> Dave
>
> Dave Wilson
> Internet Technology Manager,
> BizNet Solutions
>
> 
> Co-Founder CFUG Ireland
> http://www.cfug.ie
>
> 224, Lisburn Road
> Belfast BT9 6GE
>
> Tel: 02890 225 776
> Fax: 02890 223 223
> web: http://www.biznet-solutions.com
>
> email: [EMAIL PROTECTED]
>




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Jon Tillman

On Thu, 03 Aug 2000, Dan O'Keefe spewed forth into the void:
> http://support.allaire.com/application.cfm+.htr
> 
> It also appears to only be in IE.

nope, works in Netscape too, but you have to "view source"

> 
> --
> Dan O'Keefe
> TriPoint Technologies
> [EMAIL PROTECTED]
> 954.501.3113
> 
> -> -Original Message-
> -> From: Dave Wilson [mailto:[EMAIL PROTECTED]]
> -> Sent: Thursday, August 03, 2000 11:27 AM
> -> To: [EMAIL PROTECTED]
> -> Subject: Allaire security problem - anyone know solution?
> ->
> ->
> -> Hi all,
> ->
> -> One of my hosting clients has just made me aware of this major security
> -> problem and I'm wondering if anyone knows how to eliminate it?
> ->
> -> Try calling the application.cfm template on any CF site with +.htr appended
> -> to the end of the url. You'll first see a blank page. Now hit refresh/reload
> -> and you'll see the full code of said application.cfm
> ->
> -> e.g. http://www.support.alllaire.com/application.cfm+.htr
> ->
> -> Can someone please tell me there is a patch for this. It seems to happen on
> -> all CFserver versions 4.x + running IIS 4.0 with Service pack 5
> ->
> -> Dave
> ->
> -> Dave Wilson
> -> Internet Technology Manager,
> -> BizNet Solutions
> ->
> -> 
> -> Co-Founder CFUG Ireland
> -> http://www.cfug.ie
> ->
> -> 224, Lisburn Road
> -> Belfast BT9 6GE
> ->
> -> Tel: 02890 225 776
> -> Fax: 02890 223 223
> -> web: http://www.biznet-solutions.com
> ->
> -> email: [EMAIL PROTECTED]
> ->
-- 
:::
 Jon Tillman
 LINUX USER: #141163
 ICQ: 4015362
 [EMAIL PROTECTED]
 http://tillman.freehosting.net
:::



RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Steve Pierce

Problem doesn't seem to impact O'Reilly Website servers, only IIS.

 - Steve

Steve Pierce, HDL
"Co-Location starting $99 per month, no setup fee"
(734) 482-9682 | mailto:[EMAIL PROTECTED] | http://HDL.com



-Original Message-
From: Robert Everland [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 4:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?


http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full

-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IS4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]





Re: Allaire security problem - anyone know solution?

2000-08-03 Thread Todd Ashworth

It works with ALL .cfm files for me (on the servers I don't have updated yet
anyway).  On some, you don't even have to view source.  It just dumps the
stuff right to the screen.

Todd

- Original Message -
From: "Dan Haley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 2:09 PM
Subject: RE: Allaire security problem - anyone know solution?

> It also doesn't appear to work with other .cfm files.



> Hi all,
>
> One of my hosting clients has just made me aware of this major security
> problem and I'm wondering if anyone knows how to eliminate it?
>
> Try calling the application.cfm template on any CF site with +.htr
appended
> to the end of the url. You'll first see a blank page. Now hit
refresh/reload
> and you'll see the full code of said application.cfm
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr
>
> Can someone please tell me there is a patch for this. It seems to happen
on
> all CFserver versions 4.x + running IS4.0 with Service pack 5
>
> Dave
>
> Dave Wilson
> Internet Technology Manager,
> BizNet Solutions
>
> 
> Co-Founder CFUG Ireland
> http://www.cfug.ie
>
> 224, Lisburn Road
> Belfast BT9 6GE
>
> Tel: 02890 225 776
> Fax: 02890 223 223
> web: http://www.biznet-solutions.com
>
> email: [EMAIL PROTECTED]
>



Re: Allaire security problem - anyone know solution?

2000-08-03 Thread Dan Blickensderfer

We are running Service Pack 6a and it happens to us.  I did notice that when
I tried to do it with an encrypted application.cfm, I just got scrambled
code.

It's definitely an IIS issue.  I would agree on removing the .htr out of the
IIS mapping.

Dan


- Original Message -
From: "Jonathan Broome" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 3:36 PM
Subject: RE: Allaire security problem - anyone know solution?


>
> On my sites using SP6a, I couldn't get this to work.  On other sites, I
> could.  Unless someone's got a better idea, I recommend the Service Pack.
>
> Jonathan
>
>
> -Original Message-
> From: Dave Wilson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 03, 2000 12:27 PM
> To: [EMAIL PROTECTED]
> Subject: Allaire security problem - anyone know solution?
>
>
> Hi all,
>
> One of my hosting clients has just made me aware of this major security
> problem and I'm wondering if anyone knows how to eliminate it?
>
> Try calling the application.cfm template on any CF site with +.htr
appended
> to the end of the url. You'll first see a blank page. Now hit
refresh/reload
> and you'll see the full code of said application.cfm
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr
>
> Can someone please tell me there is a patch for this. It seems to happen
on
> all CFserver versions 4.x + running IS4.0 with Service pack 5
>
> Dave
>
> Dave Wilson
> Internet Technology Manager,
> BizNet Solutions
>
> 
> Co-Founder CFUG Ireland
> http://www.cfug.ie
>
> 224, Lisburn Road
> Belfast BT9 6GE
>
> Tel: 02890 225 776
> Fax: 02890 223 223
> web: http://www.biznet-solutions.com
>
> email: [EMAIL PROTECTED]
>



Re: Allaire security problem - anyone know solution?

2000-08-03 Thread peter

Only one I came up with was that Allaire was spelt wrong... try removing a
few L's from the middle and giving that a try. Oh, and I also had to take off
the "www" from the URL below... worked after that when I tried on the Allaire
site.

- Original Message -
From: "Roberts, Jesse D" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 12:05 PM
Subject: RE: Allaire security problem - anyone know solution?


> I can't reproduce your results on any of the 3 systems I tried, including
> Allaire's site.  Do you have any more information?
>
> > -Original Message-
> > From: Dave Wilson [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, August 03, 2000 9:27 AM
> > To: [EMAIL PROTECTED]
> > Subject: Allaire security problem - anyone know solution?
> >
> > Hi all,
> >
> > One of my hosting clients has just made me aware of this major security
> > problem and I'm wondering if anyone knows how to eliminate it?
> >
> > Try calling the application.cfm template on any CF site with +.htr
> > appended
> > to the end of the url. You'll first see a blank page. Now hit
> > refresh/reload
> > and you'll see the full code of said application.cfm
> >
> > e.g. http://www.support.alllaire.com/application.cfm+.htr
> >
> > Can someone please tell me there is a patch for this. It seems to happen
> > on
> > all CFserver versions 4.x + running IS4.0 with Service pack 5
> >
> > Dave
> >
> > Dave Wilson
> > Internet Technology Manager,
> > BizNet Solutions
> >
> > 
> > Co-Founder CFUG Ireland
> > http://www.cfug.ie
> >
> > 224, Lisburn Road
> > Belfast BT9 6GE
> >
> > Tel: 02890 225 776
> > Fax: 02890 223 223
> > web: http://www.biznet-solutions.com
> >
> > email: [EMAIL PROTECTED]
> >
>



Re: Allaire security problem - anyone know solution?

2000-08-03 Thread Jon Tillman

On Thu, 03 Aug 2000, Dave Wilson spewed forth into the void:
> Hi all,
> 
> One of my hosting clients has just made me aware of this major security
> problem and I'm wondering if anyone knows how to eliminate it?
> 
> Try calling the application.cfm template on any CF site with +.htr appended
> to the end of the url. You'll first see a blank page. Now hit refresh/reload
> and you'll see the full code of said application.cfm
> 
> e.g. http://www.support.alllaire.com/application.cfm+.htr
> 
> Can someone please tell me there is a patch for this. It seems to happen on
> all CFserver versions 4.x + running IS4.0 with Service pack 5
> 
> Dave
> 

When I tried it, it didn't work exactly as stated, but I could view the source
using the Netscape "View Source" option.
A problem indeed.

-- 
:::
 Jon Tillman
 LINUX USER: #141163
 ICQ: 4015362
 [EMAIL PROTECTED]
 http://tillman.freehosting.net
:::



RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Jason Egan

>> app_globals.cfm???

It isn't because it is a certain template - just that it is a template... it
does the EXACT same thing with app_globals.cfm.

-Original Message-
From: Dan Haley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?


Wow, that's ugly.  You don't even need to do the refresh, just view the
source of the page and it is right there.  It only seems to work if you know
the directory where application.cfm exists.  If you are operating with a
single application.cfm you can move it up one directory, outside of the web
root, and it doesn't work.  It also doesn't appear to work with other .cfm
files.


Don't use application.cfm - use app_globals.cfm.  :)


Dan

-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 9:27 AM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IS4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]





RE: Allaire security problem - anyone know solution?

2000-08-03 Thread ron

> Please see:
> 
> http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full

And then *really* see http://beta.allaire.com/login.cfm+.htr. They should eat their 
own dogfood, so to speak.

BTW, what's up with this from that page:

  {CALL ValidateUser('#Form.UserName#', '#Form.Password#')} 

... is that Spectra code, or some CFv5 function call code??

-Ron





RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Brian Thornton

I found it in all of my sites... It's blank but in the source...

www.lvtb.com/application.cfm+.htr


At 01:40 PM 8/3/2000 -0500, you wrote:
>Is the web server software set up to handle 404 errors? I took a quick peek
>on a few sites, and it appears that when a 404 is handled gracefully, the
>hole does not exist.
>
>--
>Dan O'Keefe
>TriPoint Technologies
>[EMAIL PROTECTED]
>954.501.3113
>
>-> -Original Message-
>-> From: Dave Wilson [mailto:[EMAIL PROTECTED]]
>-> Sent: Thursday, August 03, 2000 11:27 AM
>-> To: [EMAIL PROTECTED]
>-> Subject: Allaire security problem - anyone know solution?
>->
>->
>-> Hi all,
>->
>-> One of my hosting clients has just made me aware of this major security
>-> problem and I'm wondering if anyone knows how to eliminate it?
>->
>-> Try calling the application.cfm template on any CF site with
>-> +.htr appended
>-> to the end of the url. You'll first see a blank page. Now hit
>-> refresh/reload
>-> and you'll see the full code of said application.cfm
>->
>-> e.g. http://www.support.alllaire.com/application.cfm+.htr
>->
>-> Can someone please tell me there is a patch for this. It seems
>-> to happen on
>-> all CFserver versions 4.x + running IS4.0 with Service pack 5
>->
>-> Dave
>->
>-> Dave Wilson
>-> Internet Technology Manager,
>-> BizNet Solutions
>->
>-> 
>-> Co-Founder CFUG Ireland
>-> http://www.cfug.ie
>->
>-> 224, Lisburn Road
>-> Belfast BT9 6GE
>->
>-> Tel: 02890 225 776
>-> Fax: 02890 223 223
>-> web: http://www.biznet-solutions.com
>->
>-> email: [EMAIL PROTECTED]
>->

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
Brian Thornton
The Internet Design Firm
910 16th Street #810
Denver, CO 80202
phone. 303.893.6628
[EMAIL PROTECTED]
www.tidf.com




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Brian L. Wolfsohn

At 01:40 PM 8/3/00 , you wrote:

Dave,

As always, thanks for the wealth of information, explained clearly...

Your comments raise a simple question:

>2. Remove the right to read files from whatever user the CF server is
>running as (typically SYSTEM). All CF needs to be able to do is execute.

I presume this will not affect reading the contents of a file with 
cffile/read ??


>Again, both of these are things that you should already be doing on NT
>production web servers! If you do these things, you won't have to worry
>about the vast majority of IIS "exploits".


Brian L. Wolfsohn                http://www.cus.com
CUS Business Systems             Ft. Lauderdale, FL
Software for Auctioneers         (954) 565-5600   Email: [EMAIL PROTECTED]



RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Dave Watts

> Wow, that's ugly. You don't even need to do the refresh,
> just view the source of the page and it is right there. It
> only seems to work if you know the directory where application.cfm
> exists. If you are operating with a single application.cfm
> you can move it up one directory, outside of the web root,
> and it doesn't work. It also doesn't appear to work with
> other .cfm files.
>
> 
>   Don't use application.cfm - use app_globals.cfm.  :)
> 

No, it works with any CFM file, or any other script file. Again, if you
don't need to use an extension, remove it from IIS, and you'll be safe from
these wacky problems.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread ron

> Try calling the application.cfm template on any CF site with
> +.htr appended
> to the end of the url. You'll first see a blank page. Now hit
> refresh/reload
> and you'll see the full code of said application.cfm
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr

And they're definitely not alone. Try this one:

 http://www.usmint.gov/catalog/catalogb.cfm+.htr

I'd list some other big-time CF sites that are open works of art, but I
can't stand to do that with anyone besides the government.

GO CHECK YOUR SERVERS!!

-Ron


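One way to act on "go check your servers" from the log side, as an added example that is not code from this thread, from Allaire or from Microsoft: the script below parses IIS W3C extended log lines (a constructed sample is embedded) and flags any request whose path is a server-side script name with ".htr" appended, or with the "::$DATA" suffix that Ron Hornbaker brings up elsewhere in the thread. It also records whether IIS answered 200 for the bogus name rather than the graceful 404 that Dan O'Keefe observed on unaffected sites. The field names follow the W3C extended format; the list of script extensions and the sample addresses are assumptions.

```python
"""Detection for the IIS source-disclosure probes discussed in this thread.

Added example; this is not code from the cf-talk thread, from Allaire, or
from Microsoft. It scans W3C extended log lines for two request shapes:
a script file name with ".htr" appended (the ISM.DLL mapping problem) and
a script file name with "::$DATA" appended (the alternate-data-stream
problem the thread mentions). The log lines below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

# Server-side script extensions whose source must not be disclosed.
# Assumption: the site uses ColdFusion and/or ASP; extend as needed.
SCRIPT_EXTS = ("cfm", "asp", "asa", "inc")
_EXT_ALT = "|".join(SCRIPT_EXTS)

# ".cfm+.htr" or ".cfm.htr" style suffixes. A genuine /foo.htr request is
# not matched because a script extension must precede the ".htr".
_HTR_PROBE = re.compile(r"\.(%s)[+ ]*\.htr$" % _EXT_ALT, re.IGNORECASE)
# ".cfm::$DATA" style suffixes (NTFS default data stream name).
_DATA_PROBE = re.compile(r"\.(%s)::\$DATA$" % _EXT_ALT, re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names.

    Lines that do not match the declared field count are skipped rather
    than guessed at, so a truncated line cannot produce a false hit.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date and similar directives
        values = line.split(" ")
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def classify(uri_stem: str) -> Optional[str]:
    """Return the probe type for a request path, or None if it is benign."""
    if _HTR_PROBE.search(uri_stem):
        return "htr-suffix"
    if _DATA_PROBE.search(uri_stem):
        return "data-stream-suffix"
    return None


def find_probes(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per probe request, noting whether IIS served it.

    A 200 on such a request means the server answered the bogus name; the
    thread notes that a graceful 404 is what an unaffected server returns.
    """
    findings: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        kind = classify(stem)
        if kind is None:
            continue
        status = rec.get("sc-status", "")
        findings.append({
            "ip": rec.get("c-ip", "?"),
            "uri": stem,
            "kind": kind,
            "status": status,
            "served": status == "200",
        })
    return findings


def sources(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count probe requests per client address."""
    counts: Dict[str, int] = {}
    for f in findings:
        ip = str(f["ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample in IIS W3C extended format (not a real server's log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-08-03 16:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-08-03 16:27:11 192.0.2.10 GET /index.cfm - 200
2000-08-03 16:27:40 192.0.2.10 GET /application.cfm+.htr - 200
2000-08-03 16:28:02 192.0.2.10 GET /application.cfm+.htr - 200
2000-08-03 16:30:15 192.0.2.77 GET /catalog/orders.cfm::$DATA - 200
2000-08-03 16:31:00 192.0.2.77 GET /help/about.htr - 404
2000-08-03 16:32:09 192.0.2.10 GET /login.cfm+.htr - 404
"""

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG.splitlines())
    for f in hits:
        flag = "SERVED" if f["served"] else "blocked"
        print("%s %-8s %-20s %s" % (f["status"], flag, f["kind"], f["uri"]))
    print(sources(hits))
```

A "served" finding is the one that matters: it shows the server answered the malformed name, which is the condition Jonathan reports going away after SP6a plus the hotfix. Repeated hits from one address after the mappings are removed are still worth keeping as evidence, since the server will then log a 404 for them.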



RE: Allaire security problem - anyone know solution? *FIX*

2000-08-03 Thread Jonathan Broome


Oh, look at that.  Good info, bad English.  I hate when I notice those
things right *after* I hit the send button.

Translation: applying SP6a, then the hotfix I linked to, fixed the problem.

Jonathan


-Original Message-
From: Jonathan Broome 
Sent: Thursday, August 03, 2000 5:27 PM
To: Jonathan Broome; '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution? *FIX*



Dave,

I was only half-right earlier.  Loading SP6a on a web server that had this
vulnerability *did not* fix the issue.  However, after loading SP6a *and*
the hotfix available at
http://www.microsoft.com/technet/support/kb.asp?ID=260069 did.

I tested and could no longer produce the visible source code behavior.

Jonathan


-Original Message-
From: Jonathan Broome 
Sent: Thursday, August 03, 2000 3:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?



On my sites using SP6a, I couldn't get this to work.  On other sites, I
could.  Unless someone's got a better idea, I recommend the Service Pack.

Jonathan


-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IS4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]





RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Dan O'Keefe

That fixed it for me.

Dan

-> -Original Message-
-> From: Adam Breaux [mailto:[EMAIL PROTECTED]]
-> Sent: Thursday, August 03, 2000 12:31 PM
-> To: [EMAIL PROTECTED]
-> Subject: Re: Allaire security problem - anyone know solution?
->
->
-> Remove .htr mappings from your web servers unless you need that
-> functionality. It's a known IIS hole.
->
-> - Original Message -
-> From: "Dave Wilson" <[EMAIL PROTECTED]>
-> To: <[EMAIL PROTECTED]>
-> Sent: Thursday, August 03, 2000 12:26 PM
-> Subject: Allaire security problem - anyone know solution?
->
->
-> > Hi all,
-> >
-> > One of my hosting clients has just made me aware of this major security
-> > problem and I'm wondering if anyone knows how to eliminate it?
-> >
-> > Try calling the application.cfm template on any CF site with +.htr
-> appended
-> > to the end of the url. You'll first see a blank page. Now hit
-> refresh/reload
-> > and you'll see the full code of said application.cfm
-> >
-> > e.g. http://www.support.alllaire.com/application.cfm+.htr
-> >
-> > Can someone please tell me there is a patch for this. It seems
-> to happen
-> on
-> > all CFserver versions 4.x + running IS4.0 with Service pack 5
-> >
-> > Dave
-> >
-> > Dave Wilson
-> > Internet Technology Manager,
-> > BizNet Solutions
-> >
-> > 
-> > Co-Founder CFUG Ireland
-> > http://www.cfug.ie
-> >
-> > 224, Lisburn Road
-> > Belfast BT9 6GE
-> >
-> > Tel: 02890 225 776
-> > Fax: 02890 223 223
-> > web: http://www.biznet-solutions.com
-> >
-> > email: [EMAIL PROTECTED]
-> >
-> >



RE: Allaire security problem - anyone know solution? *FIX*

2000-08-03 Thread Jonathan Broome


Dave,

I was only half-right earlier.  Loading SP6a on a web server that had this
vulnerability *did not* fix the issue.  However, after loading SP6a *and*
the hotfix available at
http://www.microsoft.com/technet/support/kb.asp?ID=260069 did.

I tested and could no longer produce the visible source code behavior.

Jonathan


-Original Message-
From: Jonathan Broome 
Sent: Thursday, August 03, 2000 3:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Allaire security problem - anyone know solution?



On my sites using SP6a, I couldn't get this to work.  On other sites, I
could.  Unless someone's got a better idea, I recommend the Service Pack.

Jonathan


-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IS4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]





RE: Allaire security problem - anyone know solution?

2000-08-03 Thread ron

> One of my hosting clients has just made me aware of this
> major security
> problem and I'm wondering if anyone knows how to eliminate it?
>
> Try calling the application.cfm template on any CF site with
> +.htr appended
> to the end of the url. You'll first see a blank page. Now hit
> refresh/reload
> and you'll see the full code of said application.cfm
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr
>
> Can someone please tell me there is a patch for this. It
> seems to happen on
> all CFserver versions 4.x + running IS4.0 with Service pack 5

Dave,

In IIS, on the website in question, go to Properties | Home Directory |
Configuration | App Mappings, and remove the .htr extension from the
list. While you're there, add the mappings ".cfm::$DATA" and
".asp::$DATA" to be processed just like .cfm and .asp files, to
eliminate that other *very* common security hole.

Ron Allen Hornbaker
President/CTO
Humankind Systems, Inc.
http://humankindsystems.com
mailto:[EMAIL PROTECTED]



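The two mapping changes Ron describes (drop the .htr mapping, add ".cfm::$DATA" and ".asp::$DATA" mapped to the same engines as .cfm and .asp), as an added audit script that is not code from this thread, from Allaire or from Microsoft. It assumes the application mappings have been exported as one line per mapping in the form "extension,handler-path,flags"; the handler paths in the sample are constructed placeholders. It reports what must change and produces the hardened table, so re-running the audit on the result comes back empty.

```python
"""Audit IIS application mappings for the two issues raised in this thread.

Added example; it is not from the thread, from Allaire, or from Microsoft.
Assumed input format: one mapping per line as "extension,handler-path,flags".
Handler paths in the sample are constructed placeholders.
"""
from typing import Dict, List, Tuple

# Mappings the thread says to remove unless the site actually uses them.
UNNEEDED_EXTS = (".htr",)
# Extensions that should also be mapped with the "::$DATA" suffix so the
# stream form is handled by the same engine instead of served as a file.
PROTECT_EXTS = (".cfm", ".asp")

Finding = Tuple[str, str, str]  # (action, extension, handler)


def parse_script_maps(text: str) -> Dict[str, str]:
    """Map lower-cased extension -> handler path; blank and # lines ignored."""
    maps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2 or not parts[0].startswith("."):
            continue  # not a mapping line; skip rather than guess
        maps[parts[0].lower()] = parts[1]
    return maps


def audit_script_maps(maps: Dict[str, str]) -> List[Finding]:
    """Return the changes needed: remove .htr, add or fix ext::$DATA mappings."""
    findings: List[Finding] = []
    for ext in UNNEEDED_EXTS:
        if ext in maps:
            findings.append(("remove", ext, maps[ext]))
    for ext in PROTECT_EXTS:
        if ext not in maps:
            continue  # that engine is not installed; nothing to protect
        handler = maps[ext]
        stream = ext + "::$data"  # keys are lower-cased by the parser
        if stream not in maps:
            findings.append(("add", stream, handler))
        elif maps[stream].lower() != handler.lower():
            # Mapped, but to a different handler: the stream form would not
            # be processed "just like" the plain extension.
            findings.append(("fix", stream, handler))
    return findings


def apply_findings(maps: Dict[str, str], findings: List[Finding]) -> Dict[str, str]:
    """Produce the hardened mapping table from the audit result."""
    fixed = dict(maps)
    for action, ext, handler in findings:
        if action == "remove":
            fixed.pop(ext, None)
        else:
            fixed[ext] = handler
    return fixed


# Constructed sample of a weak table; paths are placeholders, not real installs.
WEAK_MAPS = """\
# extension,handler,flags
.asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1
.cfm,C:\\CFUSION\\BIN\\cf_isapi_placeholder.dll,1
.htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1
"""

if __name__ == "__main__":
    weak = parse_script_maps(WEAK_MAPS)
    for action, ext, handler in audit_script_maps(weak):
        print("%-6s %-12s -> %s" % (action, ext, handler))
    hardened = apply_findings(weak, audit_script_maps(weak))
    print("remaining findings:", audit_script_maps(hardened))
```

Removing the .htr mapping is the change that closes the problem this thread is about; the ::$DATA mappings address the older stream-name disclosure Ron mentions in the same breath, and both are worth checking on every site in the IIS instance, not just the one that was reported.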



RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Robert Everland

http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full

-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IS4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]





RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Robert Everland

I am running 4.5 and it's happening to me though I can't get
support.allaire.com to do it.

Robert Everland III
Web Developer
Dixon Ticonderoga


-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IS4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]





Re: Allaire security problem - anyone know solution?

2000-08-03 Thread Ken Wilson

Does it on my NT4/SP5 boxes here. Also on one running Win2k Server. Does not
do it on the sites I manage running NT4/SP6.

Ken



- Original Message -
From: Dave Wilson <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 03, 2000 12:26 PM
Subject: Allaire security problem - anyone know solution?


> Hi all,
>
> One of my hosting clients has just made me aware of this major security
> problem and I'm wondering if anyone knows how to eliminate it?
>
> Try calling the application.cfm template on any CF site with +.htr
appended
> to the end of the url. You'll first see a blank page. Now hit
refresh/reload
> and you'll see the full code of said application.cfm
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr
>
> Can someone please tell me there is a patch for this. It seems to happen
on
> all CFserver versions 4.x + running IS4.0 with Service pack 5
>
> Dave
>
> Dave Wilson
> Internet Technology Manager,
> BizNet Solutions
>
> 
> Co-Founder CFUG Ireland
> http://www.cfug.ie
>
> 224, Lisburn Road
> Belfast BT9 6GE
>
> Tel: 02890 225 776
> Fax: 02890 223 223
> web: http://www.biznet-solutions.com
>
> email: [EMAIL PROTECTED]
>



RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Jonathan Broome


On my sites using SP6a, I couldn't get this to work.  On other sites, I
could.  Unless someone's got a better idea, I recommend the Service Pack.

Jonathan





RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Kelly Matthews

There must already be a patch: on a CF site I have it doesn't work, yet on
another one it does. My guess is there is a patch available.
Kelly

---
Kelly Matthews
Internet Development Coordinator
AAAE
703.578.2509
[EMAIL PROTECTED]
http://www.airportnet.org
---




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Hales, John M

Dave,

Unless you're using an application which specifically utilizes ".htr",
Microsoft is recommending removing the association in IIS. Once you do that,
anyone trying that trick will get a 404 error.

HTH,

John




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Roberts, Jesse D

I can't reproduce your results on any of the 3 systems I tried, including
Allaire's site.  Do you have any more information?




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Dan O'Keefe

http://support.allaire.com/application.cfm+.htr

It also appears to only be in IE.

--
Dan O'Keefe
TriPoint Technologies
[EMAIL PROTECTED]
954.501.3113




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Dan O'Keefe

Is the web server software set up to handle 404 errors? I took a quick peek
on a few sites, and it appears that when a 404 is handled gracefully, the
hole does not exist.

--
Dan O'Keefe
TriPoint Technologies
[EMAIL PROTECTED]
954.501.3113




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Olive, Christopher M Mr NMR

It is an MS issue. MS has a hotfix out on it, and Allaire has just included
this issue in their latest security bulletin.

Chris Olive,
DOEHRS Website Administrator 




Re: Allaire security problem - anyone know solution?

2000-08-03 Thread David E. Crawford

The easiest solution is to remove the IIS mapping to .HTR from the system,
which will result in a simple 404 error when called as shown below.

DC




Re: Allaire security problem - anyone know solution?

2000-08-03 Thread David E. Crawford

This is an IIS problem, not a CF problem. Check out
http://www.allaire.com/security for links to patches and other information
about this and other problems.

DC




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Dan Haley

Wow, that's ugly.  You don't even need to do the refresh, just view the
source of the page and it is right there.  It only seems to work if you know
the directory where application.cfm exists.  If you are operating with a
single application.cfm you can move it up one directory, outside of the web
root, and it doesn't work.  It also doesn't appear to work with other .cfm
files.


Don't use application.cfm - use app_globals.cfm.  :)


Dan




Re: Allaire security problem - anyone know solution?

2000-08-03 Thread Daniel J. Cody

Dave, I wasn't able to reproduce this on CF 4.5.1 on Linux+Apache. I
think this might be more of an IIS issue than a CF one. Check out
http://www.securityfocus.com/focus/microsoft/iis/iismain.html for more
info on .htr issues.

.djc.




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Carlos Vazquez

My colleague and I here tried this on our server too and ran into the same
problem.
So we went into IIS and right-clicked on our domain name.
Clicked on "Properties".
Clicked on the "Home Directory" tab.
Clicked on the "Configuration" button.
Selected ".htr" and clicked "Remove".
Restarted IIS for that domain and this solved the problem.


__
Carlos Vazquez
Web Administrator
www.locateadoc.com
www.mojointeractive.com




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Dave Watts

> One of my hosting clients has just made me aware of this
> major security problem and I'm wondering if anyone knows
> how to eliminate it?
>
> Try calling the application.cfm template on any CF site with
> +.htr appended to the end of the url. You'll first see a blank
> page. Now hit refresh/reload and you'll see the full code of
> said application.cfm
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr
>
> Can someone please tell me there is a patch for this. It
> seems to happen on all CFserver versions 4.x + running IS4.0
> with Service pack 5

This isn't a CF problem, really. I don't know if there's a patch, per se,
but there are two easy solutions.

1. Remove the .htr extension from the list of supported ISAPI extensions in
IIS. You can do this for all sites, or for each virtual server. You should
remove all extensions that you're not going to use; there are about ten or
so, generally, for ASP and other things. You should do this as a matter of
course when setting up IIS as a production server. Once you do this, someone
putting this extension at the end of a URL will get a 404 error message from
IIS.

2. Remove the right to read files from whatever user the CF server is
running as (typically SYSTEM). All CF needs to be able to do is execute.
This is a general thing that you can do to tighten up script engines in
general. With IIS, you'll also want to prevent the IIS anonymous user from
reading the contents of the files. With NT 4 SP 5, you can do this by
setting the IIS anonymous user so that it has "read permissions", "read
attributes" and "execute file" permission, but not the rights to read the
contents of the file.

Again, both of these are things that you should already be doing on NT
production web servers! If you do these things, you won't have to worry
about the vast majority of IIS "exploits".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




Re: Allaire security problem - anyone know solution?

2000-08-03 Thread Adam Breaux

Remove .htr mappings from your web servers unless you need that
functionality. It's a known IIS hole.




RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Kevin Queen



-Original Message-
From: Kevin Queen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 1:22 PM
To: Dave Wilson [[EMAIL PROTECTED]]
Subject: RE: Allaire security problem - anyone know solution?


Dave,

I have seen this same error in ASP with ::$DATA; the way to fix that one is
to associate the extension .asp::$DATA with asp.dll, so it would follow that
you could associate the .cfm+.htr extension with the CFML parser. I am not
too sure what the CF parser .exe and/or .dll is, however. (The error is on
ANY CFM page.)

-Kevin

P.S. - I have been getting errors posting to the list lately, if you would
please post this to the list when you receive.


-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the url. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this. It seems to happen on
all CFserver versions 4.x + running IS4.0 with Service pack 5

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]


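Added here as a defender-side illustration, not code from anyone in this thread: a small Python scan over constructed IIS W3C extended log lines that flags requests with .htr appended to a source template (the `application.cfm+.htr` pattern described above) and counts repeat requests for the same URI per client, since the thread notes the source only shows on the second request. Field names follow the W3C extended log format; the sample log lines are made up.

```python
import re
from collections import Counter

# Constructed sample of IIS 4.0 W3C extended log lines (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-08-03 12:27:01 10.0.0.7 GET /index.cfm - 200
2000-08-03 12:27:05 10.0.0.9 GET /application.cfm+.htr - 200
2000-08-03 12:27:08 10.0.0.9 GET /application.cfm+.htr - 200
2000-08-03 12:27:15 10.0.0.7 GET /images/logo.gif - 200
2000-08-03 12:27:20 10.0.0.9 GET /admin/Application.cfm+.HTR - 200
2000-08-03 12:27:30 10.0.0.11 GET /help/foo.htr - 404
"""

# Server-side templates followed by '+.htr', the exact shape in the thread.
# A plain .htr request (last sample line) is a different thing and is ignored.
HTR_APPEND = re.compile(r"\.(cfm|cfml|asp|asa|inc)\+\.htr$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than mis-map columns
        yield dict(zip(fields, values))


def find_htr_disclosure(text):
    """Return (hits, per_ip): the matching records, and a Counter of
    (client ip, lower-cased uri) so a refresh of the same URI stands out."""
    hits = []
    per_ip = Counter()
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if HTR_APPEND.search(stem):
            hits.append(rec)
            per_ip[(rec["c-ip"], stem.lower())] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = find_htr_disclosure(SAMPLE_LOG)
    for (ip, uri), n in per_ip.items():
        print(f"{ip} requested {uri} {n} time(s)")
```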



RE: Allaire security problem - anyone know solution?

2000-08-03 Thread Jesse Noller

Dave:

Please see:

http://www.allaire.com/handlers/index.cfm?ID=15920&Method=Full

-Jesse Noller

-Original Message-
From: Dave Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 12:27 PM
To: [EMAIL PROTECTED]
Subject: Allaire security problem - anyone know solution?


Hi all,

One of my hosting clients has just made me aware of this major security
problem and I'm wondering if anyone knows how to eliminate it?

Try calling the application.cfm template on any CF site with +.htr appended
to the end of the URL. You'll first see a blank page. Now hit refresh/reload
and you'll see the full code of said application.cfm.

e.g. http://www.support.alllaire.com/application.cfm+.htr

Can someone please tell me there is a patch for this? It seems to happen on
all CF Server versions 4.x+ running IIS 4.0 with Service Pack 5.

Dave

Dave Wilson
Internet Technology Manager,
BizNet Solutions


Co-Founder CFUG Ireland
http://www.cfug.ie

224, Lisburn Road
Belfast BT9 6GE

Tel: 02890 225 776
Fax: 02890 223 223
web: http://www.biznet-solutions.com

email: [EMAIL PROTECTED]

