I have a very strange security problem that only happens on MX--I've tested it on 4.5 and 5.0 and it works fine. Here's the problem:
- Create a new directory under the web root
- Create a new file named security_test.cfm
- Change permissions on that file so only Administrators group has full control
- Copy that file and name it security_test.txt
- Make sure the permissions are the same as the .cfm file
- Create a new user names "testuser" who is a member of only the Users group
When I web browse to it prompts me; I login as testuser; and I see the page (THIS IS BAD!).
When I web browse to it prompts me; I try to login as testuser; and it CORRECTLY doesn't authenticate me and doesn't allow me to see the page.
What is going on?
Here is my configuration:
- I am running Windows 2000 Server SP3; IIS; IE 5 SP2 as the client
ISS is configured with Allow Anonymous off; Basic On; and Integrated Windows Authentication off.
Like I said, this same test works fine in CF 4.5 and 5.0. What changes in MX that could cause this? My guess is something is different about how IIS and the CF serevr interact. It's almost as if the process handling the .cfm file is running as administrator or someone who has access to that file even though the "CGI process" is logged in as testuser.
Any thoughts? This is a huge problem for our applications, and it is causing us NOT to be able to endorse MX for our 90+ customers. But we need to be able to work on MX.
Any help is greatly appreciated.
Thanks.
- Create a new directory under the web root
- Create a new file named security_test.cfm
- Change permissions on that file so only Administrators group has full control
- Copy that file and name it security_test.txt
- Make sure the permissions are the same as the .cfm file
- Create a new user names "testuser" who is a member of only the Users group
When I web browse to it prompts me; I login as testuser; and I see the page (THIS IS BAD!).
When I web browse to it prompts me; I try to login as testuser; and it CORRECTLY doesn't authenticate me and doesn't allow me to see the page.
What is going on?
Here is my configuration:
- I am running Windows 2000 Server SP3; IIS; IE 5 SP2 as the client
ISS is configured with Allow Anonymous off; Basic On; and Integrated Windows Authentication off.
Like I said, this same test works fine in CF 4.5 and 5.0. What changes in MX that could cause this? My guess is something is different about how IIS and the CF serevr interact. It's almost as if the process handling the .cfm file is running as administrator or someone who has access to that file even though the "CGI process" is logged in as testuser.
Any thoughts? This is a huge problem for our applications, and it is causing us NOT to be able to endorse MX for our 90+ customers. But we need to be able to work on MX.
Any help is greatly appreciated.
Thanks.