Vulnerability

    ColdFusion

Affected

    Any ColdFusion Server running on Microsoft IIS (1.0, 2.0, 3.0 or 4.0)

Description

    Following is based  on Allaire Security  Bulletin.  Microsoft  IIS
    exposes the ability  to use an  NTFS attribute to  read the source
    code of  ASP, CFML,  Perl and  other files  that are  on a server.
    This is not a problem with ColdFusion Server itself, but it is  an
    issue  that  can  affect  ColdFusion  users  (see IIS #21 for more
    info).  This issue is clearly explained in the Microsoft Knowledge
    Base:

        "The native  Windows NT  file system,  NTFS, supports multiple
        data streams within a file.  The main data stream, that  which
        stores the main content,  is called DATA. Accessing  this NTFS
        attribute directly from a browser may display the script  code
        for the file."

    For example, accessing

            http://myserver/index.cfm::$DATA

    may  yield  the  contents  of  the  file itself, not the processed
    results of the file.

Solution

    This is not an Allaire product.  It is recommended that  customers
    reference  the  information  at  Microsoft's  site to address this
    issue (or see IIS #21).  There are several patches and workarounds
    available  to  correct  this  problem.  These  are detailed in the
    following Microsoft Knowledge base article (Q188806).

    Note:  The  Knowledge  Base  article  provides  instructions   for
    changing application mappings as one  of the solutions.  The  same
    instructions apply to ColdFusion with the following information:

        Executable Path %System32%\iscf.dll
        .cfm::$DATA
        .dbm::$DATA