Ok, I've had CF 4.0 (eval) for approx. 1 hour now, and here's over a half dozen more reasons to not use sample pages:

http://server/cfdocs/exampleapp/docs/sourcewindow.cfm?Template=
--shows you the contents of any file you want

http://server/cfdocs/snippets/evaluate.cfm
--if the expression evaluator has localhost-only security, why is this one unprotected? If I knew more CF insides, maybe I could really abuse this.

http://server/cfdocs/snippets/fileexists.cfm
--can be used to verify the existence of any file on the same hard drive. Granted, it disallows supplying a drive letter, or starting with \ or /. But the following works for me (since I'm on NT, and \inetpub\wwwroot is on my boot drive): ..\..\..\..\boot.ini

http://server/cfdocs/snippets/gettempdirectory.cfm
--while this is not a security problem in itself, I was QUITE alarmed by what the results were. Now, my NT installation is a completely generic NT install (all I did was practically hit the Next button wherever possible):

  GetTempDirectory Example
  The temporary directory for this Cold Fusion server is C:\WINNT\.
  We have created a temporary file called: C:\WINNT\tes39.tmp

Now why is my \winnt\ my temp directory?!? That means temp files have the possibility of screwing with my system files. Granted, this is probably just a variable/setting issue. But still alarming.

http://server/cfdocs/snippets/setlocale.cfm
--possibly abusable...it's another eval.

http://server/cfdocs/snippets/viewexample.cfm?Tagname=..\..\
--allows you to view any .CFM file. It automatically adds the .cfm extension, so only CFM files are prey to this.

http://server/cfdocs/cfmlsyntaxcheck.cfm
--I set this to c:\, check *.*, recurse, and it spat out various lists of .exe's I had. Also caused the CF server process to spike and stay at 100% CPU utilization. Plus it made two ODBC DSNs for the samples.
While this is not a threat at all, there are some drawbacks... (information regarding this will be released in the future after completion of research). Speaking of research, this is in no way thorough. Due to lack of resources (eval copy running on a p75), I'm only going to mess with the sample pages. If anyone wishes to donate materials for better research (Allaire?) I'm all ears. :)

Cheers,
.rain.forest.puppy.
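The fileexists.cfm and viewexample.cfm items above both come down to the same mistake: the sample filters reject a drive letter and a leading \ or /, but never check where the path ends up after ..\ components are applied. The following is an added example, not code from the post or from Allaire's sample pages. It reconstructs, as a deliberately weak Python filter, the kind of check the post describes, and places beside it a hardened version that canonicalizes the path and refuses anything that resolves outside the web root. The web root C:\inetpub\wwwroot, the function names, and the inferred shape of the original filter are assumptions; ntpath is used so the Windows path semantics run on any host.

```python
import ntpath

# Assumed web root for the example; the post only says wwwroot is on the boot drive.
WEBROOT = r"C:\inetpub\wwwroot"


def weak_filter_allows(user_path: str) -> bool:
    """Reconstruction of the check the post describes (an assumption about the
    original sample): reject a drive-letter prefix and a leading \\ or /, and
    accept everything else.  It never looks at '..' components."""
    if ntpath.splitdrive(user_path)[0]:
        return False
    if user_path.startswith(("\\", "/")):
        return False
    return True


def hardened_resolve(user_path: str, root: str = WEBROOT):
    """Join the request to the web root, canonicalize with ntpath.normpath
    (collapses '.' and '..', folds '/' to '\\'), and require that the result is
    the root itself or lies strictly below it.  Returns the canonical path on
    success and None when the request would escape the root."""
    root_norm = ntpath.normcase(ntpath.normpath(root))
    # Explicitly refuse absolute and drive-qualified input rather than relying
    # on join() semantics to neutralize it.
    if ntpath.splitdrive(user_path)[0] or user_path.startswith(("\\", "/")):
        return None
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root_norm, user_path)))
    if candidate == root_norm or candidate.startswith(root_norm + "\\"):
        return candidate
    return None


def viewexample_target(tagname: str):
    """Model viewexample.cfm's behaviour of appending '.cfm' to the supplied
    Tagname before resolving it.  Appending an extension limits which files are
    readable, but does nothing against directory traversal in the prefix, so
    the containment check still has to happen on the full resolved path."""
    return hardened_resolve(tagname + ".cfm")


if __name__ == "__main__":
    # Constructed requests: one legitimate, one the traversal from the post.
    for req in (r"docs\index.cfm", r"..\..\..\..\boot.ini", "docs/../../secret.txt"):
        print(f"{req!r:32} weak filter: {weak_filter_allows(req)!s:5} "
              f"hardened: {hardened_resolve(req)}")
```

The weak filter passes `..\..\..\..\boot.ini` because it contains no drive letter and no leading separator; the hardened version normalizes it to `c:\boot.ini`, sees that this does not start with `c:\inetpub\wwwroot\`, and rejects it. Note that the containment test compares against `root + "\\"`, not a bare prefix: a bare `startswith(root)` would wrongly accept a sibling directory such as `c:\inetpub\wwwroot2`.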