> > The CFM file is always executed within the context of
> > the CF server, no matter what. Of course, you should
> > limit the privileges of the account in which CF runs
> > to the extent possible.
> >
> Which normally is the Localsystem account, which will
> grant CFMX all access. Running CFM
>
>
>>Does anyone know how this exploit is exploited?
>>
>>
>
>No, and I can't replicate it with my current configuration - web server
>authentication seems to work fine for me. As I posted in another message, I
>suspect it has to do with the JRun connector configuration; I'm using the
>ISAPI
Jochem van Dieten wrote:
>[EMAIL PROTECTED] wrote:
>
>
>>Well, for an administrative tools directory, off the root of a site. If the
>>ACLs deny access to the IUSR account, any unauthenticated user is prompted
>>to enter their username/password to access the cfm files within that
>>directory
Dave Watts wrote:
>> It is my understanding that unless you switch on "Check
>> that file exists" nobody is asked for their u/p.
>
> This is not necessarily the case. I've been successfully using web server
> authentication (both Basic and Windows Authentication) with IIS 5 and CFMX.
>
> I suspe
> Yikes - that would mean we would have to recode basically
> every app we have ever made that has a web accessible
> admin directory. Do you think it would be safe to use a
> cold fusion scripted login routine instead of ACLs and
> Windows Authentication.
Why couldn't you just enable the "
> It is my understanding that unless you switch on "Check
> that file exists" nobody is asked for their u/p.
This is not necessarily the case. I've been successfully using web server
authentication (both Basic and Windows Authentication) with IIS 5 and CFMX.
I suspect that it has to do with the
I don't see that happening. I am still prompted for a u/p. Maybe because
the server does not have Updater 2 installed. I'll doublecheck - thanks.
brook
At 01:12 AM 2/3/2003 +0100, you wrote:
>[EMAIL PROTECTED] wrote:
> > Well, for an administrative tools directory, off the root of a site. If
>
[EMAIL PROTECTED] wrote:
> Well, for an administrative tools directory, off the root of a site. If the
> ACLs deny access to the IUSR account, any unauthenticated user is prompted
> to enter their username/password to access the cfm files within that
> directory (or if the files themselves have
Well, for an administrative tools directory, off the root of a site. If the
ACLs deny access to the IUSR account, any unauthenticated user is prompted
to enter their username/password to access the cfm files within that
directory (or if the files themselves have these ACLs).
Is that enough sec
[EMAIL PROTECTED] wrote:
> If the ACL rules still apply, are they enough to use to restrict access?
Could you elaborate? What do you want to do?
Jochem
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
If the ACL rules still apply, are they enough to use to restrict access?
At 10:42 PM 2/2/2003 +0100, you wrote:
>[EMAIL PROTECTED] wrote:
> > Yikes - that would mean we would have to recode basically every app we
> have
> > ever made that has a web accessible admin directory. Do you think it
[EMAIL PROTECTED] wrote:
> Yikes - that would mean we would have to recode basically every app we have
> ever made that has a web accessible admin directory. Do you think it
> would be safe to use a cold fusion scripted login routine instead of ACLs
> and Windows Authentication.
If you can
Yikes - that would mean we would have to recode basically every app we have
ever made that has a web accessible admin directory. Do you think it
would be safe to use a cold fusion scripted login routine instead of ACLs
and Windows Authentication.
I recall seeing recently that web based admi
> Is there any way to use the "check that file exists"
> setting in IIS while using SES URL's.
>
> Example: http:www.mysite.com/index.cfm/fuseaction/display/
No, I don't think so, since the file doesn't actually exist!
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-
Ok Thanks :) I guess my next question is:
Is there any way to use the "check that file exists" setting in IIS while
using SES URL's.
Example: http:www.mysite.com/index.cfm/fuseaction/display/
Brook
At 05:05 AM 2/2/03 +, you wrote:
>Forgot to include another link that may help you
>
>htt
Forgot to include another link that may help you
http://www.securitytracker.com/alerts/2003/Jan/1006023.html
Cheers
--- [EMAIL PROTECTED] wrote: > Hello Weekenders,
>
> I'm sure most of you got the MM Security bulletin
> the other day
> (http://www.macromedia.com/security). I am trying to
>
My understanding of this was that anybody could run
the CFM template regardless of their NTFS file
permissions, for that template.
Cheers
--- [EMAIL PROTECTED] wrote: > Hello Weekenders,
>
> I'm sure most of you got the MM Security bulletin
> the other day
> (http://www.macromedia.com/securit
Hello Weekenders,
I'm sure most of you got the MM Security bulletin the other day
(http://www.macromedia.com/security). I am trying to figure out what the
security breach is if the steps outlined in the Security Bulletin are not
taken. It doesn't describe what level of access an attacker could