Archive of:
CF-Talk
Cold Fusion - Technical
Archived TallyList / CF-Talk:
Subject: Re: The +.htr bug strikes again
From: Brendan Avery, posted Thursday 11 Jan 2001
Hey thanks, Jon. I just checked it out -- what a great tool. I must write pilot and thank him as well.
!!!peace!!!
-brendan avery / ba@brendanavery.com
At 04:19 PM 1/11/2001 -0500, you wrote:
>http://search.iland.co.kr/twwwscan/
>
>If you are not sure about the security of your webserver, get this tool. Run
>it and fix everything.
>
>jon
>----- Original Message -----
>From: "Brendan Avery" <ba@brendanavery.com>
>To: "CF-Talk" <cf-talk@houseoffusion.com>
>Sent: Thursday, January 11, 2001 3:33 PM
>Subject: RE: The +.htr bug strikes again
>
> > we got hit with an /iisadmpwd/*.htr bug hack a couple of days ago on a
> > low-security machine.
> >
> > "prime suspectz ownz you" hack page.
> >
> > but i got their ADSL ip number after emailing them with a web bug.
> >
> > eeediots.
> >
> > --brendan avery / ba@brendanavery.com
> >
> > At 03:14 PM 1/11/2001 -0500, you wrote:
> > >How does one test to see if the problem has been fixed?
> > >
> > >Won
> > >
> > >-----Original Message-----
> > >From: Zachary Bedell [mailto:Aramis@adirondack.net]
> > >Sent: Thursday, December 21, 2000 10:47 PM
> > >To: CF-Talk
> > >Subject: RE: The +.htr bug strikes again
> > >
> > > > Someone should probably make an official "checklist" to run through
> > > > when you set up a CF server.
> > >
> > >How about these additions to said checklist:
> > >
> > >In addition to removing the .htr mapping, also remove the mappings for any
> > >other extensions that you won't be using on that server.
> > >
> > >Like:
> > >htw -- unless you're using the WebHits highlighter
> > >ida, idq, htr, idc -- unless you're using old-style Index Server access
> > >asp, cer, cdx, asa -- unless you're also hosting ASP apps on that server
> > >shtm, shtml, stm -- unless you're using Server Side Include files
> > >printer -- WTF is this and why did IIS install it for Win2k?
> > >
> > >You could probably also yank the dbm extension unless you have REALLY old CF
> > >code lying around.
> > >
> > >Basically your goal is to DISABLE any functionality of your server that
> > >you're not currently using. The less junk you have running on the server,
> > >the less chance someone will find a bug in part of the server you didn't
> > >even know was there.
> > >
> > >Granted, there's a fine and arcane art to disabling just the right things
> > >without breaking any part of your server. You'd be best to play on a
> > >production server that you can afford to trash & reinstall a few times if
> > >need be. Certainly, though, deleting extensions for file types not used in
> > >your sites (or your customer's sites for webhosts) is completely safe and a
> > >good idea in general.
> > >
> > >Best regards,
> > >Zac Bedell
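Zac's checklist above, turned into a small audit script (an added example, not code from the thread or from any of its authors): it assumes the IIS 4/5 metabase ScriptMaps entry format printed by adsutil.vbs (".ext,dll,flags[,verbs...]"), the sample entries are constructed, and FEATURE_EXTENSIONS, SAMPLE_SCRIPTMAPS, parse_scriptmap and audit_mappings are names chosen here.

```python
# Extensions grouped by the feature that needs them, as the checklist lists them.
FEATURE_EXTENSIONS = {
    "WebHits highlighter": {"htw"},
    "old-style Index Server access": {"ida", "idq", "htr", "idc"},
    "ASP hosting": {"asp", "cer", "cdx", "asa"},
    "Server Side Include files": {"shtm", "shtml", "stm"},
    "Internet Printing": {"printer"},
    "really old CF code": {"dbm"},
}

# Constructed sample entries (typical DLL paths, not captured from a real server).
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,5,GET,POST",
    r".idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    r".cfm,C:\CFUSION\BIN\iscf.dll,1",
    r".stm,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST",
]


def parse_scriptmap(entry):
    """Return (extension without the dot, lower-cased; DLL path) for one entry."""
    ext, dll = entry.split(",", 2)[:2]
    return ext.lstrip(".").lower(), dll


def audit_mappings(entries, features_in_use, app_extensions):
    """Return mappings to remove as (ext, dll, reason) tuples.

    features_in_use: FEATURE_EXTENSIONS keys this server genuinely needs;
    app_extensions: extensions your own apps serve, e.g. {"cfm"}. Everything
    else is reported, following the rule: disable what you are not using.
    """
    keep = set(app_extensions)
    for feature in features_in_use:
        keep |= FEATURE_EXTENSIONS[feature]
    findings = []
    for entry in entries:
        ext, dll = parse_scriptmap(entry)
        if ext in keep:
            continue
        reason = next((f for f, exts in FEATURE_EXTENSIONS.items() if ext in exts),
                      "not on any allowlist")
        findings.append((ext, dll, reason))
    return findings


if __name__ == "__main__":
    for ext, dll, reason in audit_mappings(SAMPLE_SCRIPTMAPS, {"ASP hosting"}, {"cfm"}):
        print(f"remove .{ext} ({dll}): only needed for {reason}")
```

Feed it the real ScriptMaps output from your own server and the features you actually run; any mapping it reports is a candidate for removal, and the set it keeps is your documented allowlist for the next rebuild.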