Re: ColdFusion File Upload Exploit (fwd) - correction

[dleblanc () MINDSPRING COM (David LeBlanc)]

At 09:14 AM 9/15/98 -0400, David LeBlanc wrote:
> At 08:23 PM 9/14/98 -0500, Aleph One wrote:
> > ---------- Forwarded message ----------
> > Date: Mon, 14 Sep 1998 12:12:23 -0600
> > From: INFO2000 TECH <colby () INFO2000 NET>
> > To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
> > Subject: ColdFusion File Upload Exploit
> >
> > The following message was posted to the Allaire's COLD FUSION forums:
> >
> > By default, on Windows NT installations, the CF function, GetTempDirectory
> > returns C:\WINNT.
>
> Not quite true (from the API docs):
>
> The GetTempPath function gets the temporary file path as follows:
>
> 1. The path specified by the TMP environment variable.
> 2. The path specified by the TEMP environment variable, if TMP is not
> defined.
> 3. The current directory, if both TMP and TEMP are not defined.

Although this is correct, apparently Cold Fusion does more than wrap the
Win32 API in their internal API, so I'm in error - it works the way they
said (which IMHO, seems not to be too smart - if you're going to hard code
a default, %systemroot% isn't a good one).

> > WORKAROUND: Currently, TEMP is correctly set to C:\TEMP as a User
Environment
> > Variable, but should also be set as a System Environment Variable.
>
> I agree with this.

Oh - and as was just pointed out on NTBUGTRAQ, you have to restart any apps
which you'd like to take advantage of any new environment variables.


David LeBlanc
dleblanc () mindspring com