I'm using Foxweb 3.3 on a Windows 2003 Server (IIS 6.0).  Currently, if you specify a URL to a valid prg in the Foxweb directory like so:
 
http://MyServer/cgi-bin/foxweb.dll/WebAppName/FoxwebPrg.prg
 
It works just fine.  However, if you specify the same path but with a .bak ending like so:  

http://MyServer/cgi-bin/foxweb.dll/WebAppName/FoxwebPrg.bak

you get the same results even though no such .bak file exists anywhere on that machine.

As a matter of fact, you can navigate here:

http://MyServer/cgi-bin/foxweb.dll/WebAppName/FoxwebPrg.333 

And you still get results.  How can we prohibit this type of behavior?  .bak files show up as vulnerabilities in Security Scans on web applications and it's preventing a successful test run.
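A client-side way to check whether a scanner's .bak hit is the behavior described in the post (the same page comes back whatever the extension) rather than a backup file actually being served. This is an added example, not part of the original post and not FoxWeb code; the function names and the three result labels are assumptions made for illustration.

```python
import hashlib
import uuid
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen


def with_extension(url, ext):
    """Swap the extension of the last path segment of url for ext."""
    parts = urlsplit(url)
    head, _, leaf = parts.path.rpartition("/")
    stem = leaf.rsplit(".", 1)[0]
    return urlunsplit(parts._replace(path=f"{head}/{stem}.{ext}"))


def http_fetch(url):
    """GET url and return (status, body); failures become (code or 0, b'')."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except OSError as exc:  # URLError and HTTPError are OSError subclasses
        return getattr(exc, "code", 0), b""


def classify_extension_finding(url, flagged_ext="bak", fetch=http_fetch):
    """Triage a scanner hit for url with flagged_ext in place of its extension."""
    random_ext = uuid.uuid4().hex[:8]  # an extension no real file would carry
    seen = {}
    for label, ext in (("original", None), ("flagged", flagged_ext),
                       ("random", random_ext)):
        status, body = fetch(url if ext is None else with_extension(url, ext))
        seen[label] = (status, hashlib.sha256(body).hexdigest())
    if seen["flagged"][0] != 200:
        return "not-served"
    if seen["original"] == seen["flagged"] == seen["random"]:
        # Same page whatever the extension: the handler ignores it, so the
        # hit is the script's normal output, not a stray backup file.
        return "extension-ignored"
    # Different content (or a page that changes per request): look by hand.
    return "review-manually"


if __name__ == "__main__":
    # Constructed stand-in for the server in the post: one body for any extension.
    def fake(url):
        return 200, b"<html>FoxwebPrg output</html>"
    page = "http://MyServer/cgi-bin/foxweb.dll/WebAppName/FoxwebPrg.prg"
    print(classify_extension_finding(page, "bak", fetch=fake))
```

A page whose output changes on every request (a timestamp, a session token) will hash differently each time and land in `review-manually`, which is the safe default.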