[cvsnt] [OFF] CVSWEB in IIS
eric.laney at verizon.com
Fri Oct 4 14:22:59 BST 2002
Actually, IIS does start ColdFusion. ColdFusion installs as a
server-side middleware package that uses the ISAPI interface in IIS to do
the dynamic processing. The changes you recommended for the browser will
only affect how the user's PC interprets what ColdFusion and IIS send.

To address the original question: Assuming, Rangel, that you
either (a) exclusively use IIS on this server for CVSWEB, or (b) have the
CVSWEB portion of the web site set up in a virtual directory, you can turn
ColdFusion off for CVSWEB through the IIS Administrator. Right-click the
virtual directory that stores the CVSWEB stuff (or the top-level web site
if you use it exclusively for CVSWEB) and choose Properties. Go to the
Virtual Directory tab (or the Home Directory tab if you're setting it for
the entire site) and click on the Configuration button. The App Mappings
tab lists all of the valid file extensions and the ISAPI driver that
handles them. To turn off ColdFusion, remove its extensions (.cfm, .cfc,
.cfml, .dbd, etc.) from the list.

Incidentally, my recommendation (for all web sites on IIS, not
just CVSWEB) is to remove everything that you're not using to mitigate
against security vulnerabilities. Also, if you're using the ActiveState
implementation of Perl, the default installation uses the Perl ISAPI .dll
only for the extension .plx, not .pl. You can change this behavior on
this same dialog box by modifying the .pl extension to be the same as
.plx, but this will cause any error messages to go to a log file in the
Perl\bin directory instead of to the browser, so you have to keep an eye
on that log file for production systems.

Eric A. Laney
Systems Architect
Verizon Security
Being natural is simply a pose.

Subject: Vedr.: [cvsnt] [OFF] CVSWEB in IIS
To: "Rangel Reale" <rangel-work at bol.com.br>, cvsnt at cvsnt.org
From: jml at nykredit.dk
Date: Thu, 3 Oct 2002 09:12:10 +0200
I it's not IIS that starts ColdFusion, but the browser on your workstation.
If your browser can handle the file type (e.g. .txt, .html, etc.) it will
do so, otherwise it will pass the file to the appropriate application.
Assuming you are running Windows/Internet Explorer, you can change your
browser's behaviour by adding a string value "Content Type" = "text/html"
in the registry.
Create a .reg file with this content:
------------------------------------
REGEDIT4

[HKEY_CLASSES_ROOT\.cfm]
"Content Type"="text/html"
-----------------------------------
Double click the reg-file and you're off.
Regards
Jørgen Møller Larsen - Nykredit Data - Koncernmetode og Arkitektur (KMF-V)
- Telefon: +45 9635 5069 - email: jml at nykredit.dk
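The App Mappings clean-up recommended in the reply above (keep only the extensions a directory actually uses), as an added example that is not part of the original messages. It assumes the mappings were exported as `extension,handler,flags,verbs` lines, the form IIS keeps in its ScriptMaps metabase property, and that the CVSWEB directory needs only the Perl extensions; the sample entries, paths and function names are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Constructed sample in "extension,handler,flags[,verbs...]" form.
# Paths and handler names are illustrative, not taken from the thread.
SAMPLE_SCRIPT_MAPS = [
    r'.asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE',
    r'.cfm,C:\CFusion\bin\iscf.dll,1',
    r'.cfc,C:\CFusion\bin\iscf.dll,1',
    r'.cfml,C:\CFusion\bin\iscf.dll,1',
    r'.dbd,C:\CFusion\bin\iscf.dll,1',
    r'.idq,C:\WINNT\System32\idq.dll,0,GET,HEAD,POST',
    r'.plx,C:\Perl\bin\perlis.dll,1,GET,HEAD,POST',
    r'.pl,C:\Perl\bin\perl.exe "%s" %s,1,GET,HEAD,POST',
]

def parse_script_map(entry):
    """Split one mapping line into extension, handler, flags and verbs."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed script map entry: {entry!r}")
    return {"ext": parts[0].lower(), "handler": parts[1],
            "flags": parts[2], "verbs": parts[3:], "raw": entry}

def handler_binary(handler):
    """Reduce a handler command line or DLL path to its lower-cased file name."""
    return ntpath.basename(handler.split('"')[0].strip()).lower()

def plan_removals(entries, needed_exts):
    """Return (keep, remove): mappings to keep, removable extensions per handler."""
    needed = {e.lower() for e in needed_exts}
    keep, remove = [], defaultdict(list)
    for m in map(parse_script_map, entries):
        if m["ext"] in needed:
            keep.append(m["raw"])
        else:
            # Grouping by binary shows which engines end up fully unmapped.
            remove[handler_binary(m["handler"])].append(m["ext"])
    return keep, dict(remove)

if __name__ == "__main__":
    # Assumption: this CVSWEB directory only serves Perl scripts.
    keep, remove = plan_removals(SAMPLE_SCRIPT_MAPS, {".pl", ".plx"})
    for binary, exts in sorted(remove.items()):
        print(f"remove {', '.join(exts)} (handled by {binary})")
    print("keep:")
    for raw in keep:
        print("  " + raw)
```
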