TUCoPS :: Web :: General :: web5287.htm

Coldfusion path disclosure
19th Apr 2002 [SBWID-5287]
COMMAND

	Coldfusion path disclosure

SYSTEMS AFFECTED

	 Coldfusion 5.0 on Windows 2000 w. IIS5

	 ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 

PROBLEM

	In  KPMG  security  advisory  KPMG-2002013  [http://www.kpmg.dk],  Peter
	Gründl says :
	

	 Problem

	 =======

	

	Requests for certain DOS-devices are parsed by  the  isapi  filter  that
	handles .cfm and .dbm  and  result  in  error  messages  containing  the
	physical path to the web root.
	

	 Details

	 =======

	

	Requests for non-existant  .cfm  and  .dbm  files  return  a  coldfusion
	\"Object Not Found\" error message similar to this:
	

	

	\"Error Occurred While Processing Request

	 Error Diagnostic Information

	 An error has occurred.

	

	 HTTP/1.0 404 Object Not Found\"

	

	

	

	Requesting a DOS-device, such as nul.dbm or nul.cfm returns:
	

	

	\"Error Occurred While Processing Request

	 Error Diagnostic Information

	 Cannot open CFML file

	

	

	 The requested file \"C:\\data\\nul.dbm\" cannot be found.

	

	 The specific sequence of files included or processed is:

	 C:\\data\\nul.dbm

	

	

	 Date/Time: 04/18/02 11:32:16

	 Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

	 Remote Address: xxx.xxx.xxx.xxx\"

	

	

	A similar result can be achieved with this request:
	

	

	/nul..dbm

	

	

	which returns:
	

	

	\"Error Occurred While Processing Request

	 Error Diagnostic Information

	 The template specification, \'C:\\data\\nul..dbm\', is illegal.

	

	 Template specifications cannot include \'..\' nor begin with a backslash

	(\'\\\\\').\"

	

SOLUTION

	 Corrective action

	 =================

	

	The vendor suggests turning on \"Check that file exists\":
	

	Windows 2000:
	

	1. Open the Management console

	2. Click on \"Internet Information Services\"

	3. Right-click on the website and select \"Properties\"

	

	

	 Update by Christopher Ess

	 =========================

	

	Work around for IIS 4.0 appears to be identical to for IIS 5.0.  I cannot

	determine any sort of fix for IIS 3.0.

	

	The one drawback of the work around is that if you go to any .cfm or .dbm

	file that does not exist, you get a standard 404 error from the webserver

	rather than the considerably prettier (not that that says much) 404

	message that ColdFusion returns.

	

	4. Select \"Home Directory\"

	5. Click on \"Configuration\"

	6. Select \".cfm\"

	7. Click on \"Edit\"

	8. Make sure \"Check that file exists\" is checked

	9. Do the same for \".dbm\"

	

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH