Re: Leaving FCKEditor enabled

by Ian Skinner-3

Brian McCairn wrote:
> Just for the sake of argument, if you were crazy enough to leave FCKEditor enabled to allow image uploads, do you think the following would leave you secure?
>
> Change allowed file types in connectors/cfm config.cfm to:
>
> //Allowed Resource Types
> Config.ConfigAllowedTypes = "Image" ;

I would *also* make sure the images are uploaded to a directory outside
of the webroot.  That this directory is not configured to allow
execution of files.  And double or triple check the file type of any
uploaded content before moving it to any web accessible location.

Ya know, the best practices that have been espoused several times already.
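
The three checks listed in the reply above (stage outside the webroot, store without execute permission, verify the content before publishing), as an added example that is not part of the original post. It is written in Python rather than CFML so that it runs stand-alone; the function names, the directory parameters and the accepted formats are assumptions.

```python
import os
import secrets
import shutil

# Accepted formats and their leading bytes (an assumption; the post names none).
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def sniff_extension(head: bytes):
    """Return the extension implied by the content's magic bytes, or None."""
    for ext, magics in SIGNATURES.items():
        if head.startswith(magics):
            return ext
    return None


def accept_upload(data: bytes, client_name: str, quarantine_dir: str, public_dir: str):
    """Stage outside the webroot, verify the content, then publish.

    Returns the published path, or None when the upload is rejected.
    """
    # Server-chosen random name: the client's file name never reaches the disk.
    staged = os.path.join(quarantine_dir, secrets.token_hex(16))
    with open(staged, "xb") as fh:  # "x" refuses to overwrite an existing file
        fh.write(data)
    os.chmod(staged, 0o640)  # no execute bit on the stored file

    with open(staged, "rb") as fh:  # check what is on disk, not the request
        sniffed = sniff_extension(fh.read(16))
    claimed = os.path.splitext(client_name)[1].lower()
    if claimed == ".jpeg":
        claimed = ".jpg"
    # Reject unknown content and content that contradicts its claimed type.
    if sniffed is None or sniffed != claimed:
        os.remove(staged)
        return None
    # The published extension comes from the content: "x.cfm.gif" -> "<random>.gif".
    final = os.path.join(public_dir, os.path.basename(staged) + sniffed)
    shutil.move(staged, final)
    return final


if __name__ == "__main__":
    import tempfile
    q, p = tempfile.mkdtemp(), tempfile.mkdtemp()  # constructed stand-in directories
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16       # constructed sample bytes
    print(accept_upload(png, "photo.png", q, p))
    print(accept_upload(b"<cfset x = 1>", "photo.png", q, p))
```

A signature match does not rule out script text appended after a valid header, which is why the non-executable directory still matters; re-encoding the image before publishing is a further check.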


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324402