Aside: ability to view ASP/ColdFusion code
Manar Hussain
manar at ivision.co.uk
Thu Jul 2 10:48:44 UTC 1998
This isn't really a NANOG issue so I'll keep it brief - I'm mentioning it
as it's something people here may well want to consider and pass on to
customers with NT servers.
Another MS security hole allows people to access the code for
ASP/ASA/ColdFusion pages by adding ::$data to the URL.
E.g.
http://www.allaire.com/handlers/index.cfm::$DATA
http://www.watford.co.uk/global.asa::$DATA
http://www.datareturn.com/av-asp.asp::$DATA
I understand that using SiteServer or making the file non-readable (but
retaining execute permissions!) "solves" the problem.
Regards,
Manar
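
A log check for the request pattern described in the message above, as an added example that is not part of the original post: it flags requests whose path ends in the `::$DATA` suffix, also matching other letter cases and percent-encoded forms. Assumptions: the W3C extended log field layout, the function names, and the sample lines, which are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 10:50:01 192.0.2.10 GET /default.asp 200
1998-07-02 10:50:07 192.0.2.44 GET /global.asa::$DATA 200
1998-07-02 10:50:09 192.0.2.44 GET /handlers/index.cfm%3A%3A%24data 200
1998-07-02 10:50:12 192.0.2.10 GET /images/logo.gif 200
1998-07-02 10:50:15 192.0.2.77 GET /login.asp::$DATA 404
"""

# NTFS stream suffix at the end of the path, matched case-insensitively.
STREAM_SUFFIX = re.compile(r"::\$data$", re.IGNORECASE)


def normalise(uri_stem):
    """Percent-decode up to three times so encoded suffixes match too."""
    for _ in range(3):
        decoded = unquote(uri_stem)
        if decoded == uri_stem:
            break
        uri_stem = decoded
    return uri_stem


def find_stream_requests(log_text):
    """Return one dict per request whose path ends in ::$DATA."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = normalise(row.get("cs-uri-stem", ""))
        if STREAM_SUFFIX.search(path):
            # Status 200 means the server answered; review what it returned.
            row["served"] = row.get("sc-status") == "200"
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_stream_requests(SAMPLE_LOG):
        state = "served" if hit["served"] else "not served"
        print(hit["c-ip"], hit["cs-uri-stem"], state)
```

Requests flagged with `served` set are the ones to review first, since the server returned a body for them.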