At 09:14 AM 9/15/98 -0400, David LeBlanc wrote: >At 08:23 PM 9/14/98 -0500, Aleph One wrote: >>---------- Forwarded message ---------- >>Date: Mon, 14 Sep 1998 12:12:23 -0600 >>From: INFO2000 TECH <colbyat_private> >>To: NTBUGTRAQat_private >>Subject: ColdFusion File Upload Exploit >> >>The following message was posted to the Allaire's COLD FUSION forums: >> >>By default, on Windows NT installations, the CF function, GetTempDirectory >>returns C:\WINNT. > >Not quite true (from the API docs): > >The GetTempPath function gets the temporary file path as follows: > >1. The path specified by the TMP environment variable. >2. The path specified by the TEMP environment variable, if TMP is not >defined. >3. The current directory, if both TMP and TEMP are not defined. Although this is correct, apparently Cold Fusion does more than wrap the Win32 API in their internal API, so I'm in error - it works the way they said (which IMHO, seems not to be too smart - if you're going to hard code a default, %systemroot% isn't a good one). >>WORKAROUND: Currently, TEMP is correctly set to C:\TEMP as a User Environment >>Variable, but should also be set as a System Environment Variable. > >I agree with this. Oh - and as was just pointed out on NTBUGTRAQ, you have to restart any apps which you'd like to take advantage of any new environment variables. David LeBlanc dleblancat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:19 PDT