
Plugging a CF and IIS Security Hole

Status
Not open for further replies.

DarkMan

Programmer
Apr 13, 1998
222
US
Thanks to member Nero for this tip:

There is a hole in IIS that will allow people to see your ColdFusion source code by typing in a url like:

If you're running CF, try it. You may be alarmed at what you see....

Anyways, there is a hotfix for this at:

Doug Trocino
dtrocino@tecumsehgroup.com
Technical Director
Tecumseh Group, Inc.
Sponsors of Tek-Tips Forums
 
Oh shoot... ;-(

That doesn't really give the exact code here, but that really gives too much...

I'll have to tell my server admin to fix this...

Thx a lot for the information,
Chris
 
If you type in the url to your .cfm page and you see a bunch of garble, plus your CF variable names and such, you need to download the HotFix. If you try it and get an error message saying "Page Cannot Be Displayed", the HotFix is already in place...;-)

Good Luck,
Doug
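Doug's check above is a manual one: look at the response and decide whether it is rendered HTML or raw template. The following is an added example (not code from this thread or from Allaire/Microsoft) that automates that decision for a response body you have already fetched from your own server. It does not build the problematic URL, which the thread also does not spell out; it only classifies what came back. The tag and variable patterns, the sample bodies and the threshold of two variable references are assumptions made for the example.

```python
import re

# CFML tags (<cfset>, <cfquery>, <cfoutput>, ...) only survive in unrendered
# template source; a correctly processed .cfm response never contains them.
# Constructed pattern for the example: any tag whose name starts with "cf".
CFML_TAG_RE = re.compile(r"<\s*/?\s*cf[a-z]+\b", re.IGNORECASE)

# Variable references such as #Form.username# or #Session.uid# are likewise
# only present in raw source. Constructed pattern, not exhaustive.
CFML_VAR_RE = re.compile(r"#[A-Za-z_][\w.]*#")


def cfml_indicators(body: str) -> dict:
    """Count unrendered CFML constructs in an HTTP response body."""
    return {
        "cfml_tags": len(CFML_TAG_RE.findall(body)),
        "cfml_vars": len(CFML_VAR_RE.findall(body)),
    }


def source_disclosed(body: str, status: int = 200) -> bool:
    """True when a 200 response looks like template source rather than rendered HTML.

    A non-200 status (for example the "Page Cannot Be Displayed" error Doug
    describes) means the server refused the request, which is the patched
    behaviour, so it is never reported as a disclosure.
    """
    if status != 200:
        return False
    counts = cfml_indicators(body)
    # One #...# alone could be legitimate page content; require a CFML tag
    # or at least two variable references (assumed threshold).
    return counts["cfml_tags"] > 0 or counts["cfml_vars"] >= 2


# Constructed sample bodies standing in for what the server returned.
RENDERED_BODY = "<html><body><h1>Welcome, alice</h1></body></html>"
LEAKED_BODY = (
    "<cfset name = Form.username>\n"
    '<cfquery name="q" datasource="shop">SELECT * FROM users</cfquery>\n'
    "<cfoutput>Welcome, #name#</cfoutput>\n"
)


if __name__ == "__main__":
    for label, body in (("rendered", RENDERED_BODY), ("leaked", LEAKED_BODY)):
        verdict = "SOURCE DISCLOSED" if source_disclosed(body) else "ok"
        print(f"{label}: {verdict} {cfml_indicators(body)}")
```

Run it against the body of a request to one of your own .cfm pages; a "SOURCE DISCLOSED" verdict means the hotfix Doug mentions is still missing, while an error page (non-200) is the expected patched result.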
 
This reminds me of some basic security tips:

  • If you don't need it, remove it, i.e. if you have no ASP scripts on your server then remove the corresponding application mappings, likewise for the .htr mapping.

  • Encrypt your CF templates. In \CFUSION\BIN is the cfencode.exe utility. Using it, an intruder will only see some garbage, never your source code.

..my 2c

Thomas Klaeger
tkl@telenet.ch
 
If you use the cfencode.exe utility, can you still edit that code or do you have to work from an original copy?
 