The other big source visibility bug was ::$DATA
Like so: http://www.site.com/index.cfm::$DATA
But that one's a lot older. Chances are you've got the .htr bug. If you're not using .htr files (does anybody actually use them?), it's easy enough to disable.
Go into your MMC, properties for the site (or for the whole WWW service if you like). Go to the Home Directory tab. Click on the Configuration button. In the dialog that pops up, you'll see all the file extensions that your server is sending to various processing DLLs. Take out .htr and anything else you're not using. You might also want to kill .printer given that recent mess...
I usually allow only .cfm, .dbm, .asp, and .asa to stay. Everything else goes. The more script mappings you have, the more chance one of them will be the next great buffer overflow mess...
And YES, this is definitely something to be concerned about. Once when browsing the site of a certain utility company in my neck of the woods I found they suffered from the .htr bug (several months after it was announced!). Going to http://www.site.com/application.cfm+.htr displayed all of their login info for their SQL Server. Connect to TCP port 1433, login, boom... Full access to SQL records. And the user in question was 'sa', so it was really bad....
I took the liberty of informing them of the problem before anyone else demonstrated it for them....
Best regards, Zac Bedell
> -----Original Message-----
> From: Hassan Khawaja [mailto:hassan_khawaja@yahoo.com]
> Sent: Friday, May 04, 2001 12:52 PM
> To: CF-Server
> Subject: Re: viewing source code
>
> I think it's the +.htr bug which allows people to see
> the CF source code.
> Try putting +.htr at the end of any .cfm page on your
> site and viewing the source.
> e.g.
> http://www.site.com/index.cfm+.htr
>
> --- Priscilla Yamin <pyamin@valencia.cc.fl.us> wrote:
> > Someone sent me an email that said our IIS server
> > has a well known bug that allows people to view the
> > CF source code.
> >
> > Is anyone familiar with this? And is this something
> > to be concerned about?
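As an added example (not from anyone on this list), here is a small Python audit that follows the advice above from the defender's side: the first function flags script mappings outside the keep-list of .cfm, .dbm, .asp and .asa, and the second scans IIS W3C-format log lines (constructed sample, assumed field order) for the two request shapes the thread describes, "+.htr" appended to a script and the "::$DATA" suffix. A 200 on one of those requests is what tells you the mapping was still active when it was probed.

```python
import re

# Script mappings the post keeps; everything else is a candidate for removal.
ALLOWED_MAPPINGS = {".cfm", ".dbm", ".asp", ".asa"}

def unneeded_script_mappings(mappings):
    """Given (extension, handler DLL) pairs as listed in the IIS Configuration
    dialog, return the extensions that are not on the keep-list."""
    return sorted(ext.lower() for ext, _dll in mappings
                  if ext.lower() not in ALLOWED_MAPPINGS)

# The two request shapes from the thread: a script name with "+.htr" appended,
# or with the "::$DATA" alternate-data-stream suffix.
SOURCE_DISCLOSURE_RE = re.compile(
    r"\.(cfm|dbm|asp|asa)(\+\.htr|::\$data)$", re.IGNORECASE)

def find_source_disclosure_probes(log_lines):
    """Scan IIS W3C extended log lines (assumed field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and return
    (client ip, uri, status) for each request matching a disclosure pattern.
    A 200 on such a request means the handler was still mapped."""
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C header directives
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, c_ip, _method, stem, query, status = fields[:7]
        if SOURCE_DISCLOSURE_RE.search(stem):
            uri = stem if query == "-" else f"{stem}?{query}"
            hits.append((c_ip, uri, int(status)))
    return hits

# Constructed sample log (not real traffic), in the field order assumed above.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-04 12:52:01 192.0.2.10 GET /index.cfm - 200
2001-05-04 12:52:07 192.0.2.10 GET /index.cfm+.htr - 200
2001-05-04 12:52:09 192.0.2.10 GET /application.cfm+.htr - 200
2001-05-04 12:53:15 198.51.100.7 GET /index.cfm::$DATA - 404
2001-05-04 12:54:00 203.0.113.5 GET /images/logo.gif - 200
""".splitlines()

if __name__ == "__main__":
    # Sample mappings (constructed; DLL names are illustrative only).
    sample_maps = [(".cfm", "cf_isapi.dll"), (".htr", "ism.dll"),
                   (".printer", "msw3prt.dll"), (".asp", "asp.dll")]
    print("remove mappings:", unneeded_script_mappings(sample_maps))
    for ip, uri, status in find_source_disclosure_probes(SAMPLE_LOG):
        print(f"{ip} requested {uri} -> {status}")
```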
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
------------------------------------------------------------------------------
To unsubscribe, send a message to cf-server-request@houseoffusion.com with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com