Vulnerability

    Cold Fusion

Affected

    Systems with Cold Fusion

Description

    Marcel van Waaijen found the following. If you make an HTTP request to an (existing) application.cfm or onrequestend.cfm page, ColdFusion generates an error message that reveals the real path to that page on the server.

Solution

    1. You can disable the ability to request application.cfm. This can be done in the IIS MMC. The easiest way to do this is to force a redirection to an index file. Right-click on application.cfm in the MMC, and set up redirection.

    2. You can use the site-wide missing file handler in CF 4.5. This will send a custom error page which needn't say anything important at all. This is set in the CF Administrator.

    This has been reported as bug 14982. It was reported on February 4th, and today, March 1st, 2000, it is reported as fixed. This means it will probably be rolled into 4.5.1 RC2.
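To confirm that either fix took effect, the response bodies returned for the two templates can be checked for absolute server paths. The following is an added example, not part of the original advisory or of ColdFusion: the function names and the sample bodies are constructed for illustration, and only Windows-style paths are matched because the advisory concerns IIS.

```python
import html
import re

# Absolute Windows paths (drive letter or UNC share) ending in a .cfm template.
# Components may contain spaces ("Program Files") but not markup or quotes.
_PATH_RE = re.compile(
    r"""(?<![a-z0-9])(?:[a-z]:|\\\\[^\\/\s<>"']+)(?:[\\/][^\\/\r\n<>"':*?|]+)+\.cfm\b""",
    re.IGNORECASE,
)

def leaked_paths(body: str) -> list[str]:
    """Return the distinct server-side template paths found in a response body."""
    text = html.unescape(body)  # error pages may entity-encode the backslashes
    return sorted({m.group(0) for m in _PATH_RE.finditer(text)})

def audit(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each requested template to the paths its response leaks (clean ones omitted)."""
    findings = {name: leaked_paths(body) for name, body in responses.items()}
    return {name: paths for name, paths in findings.items() if paths}

# Constructed response bodies, not real ColdFusion output.
SAMPLES = {
    "application.cfm": r"<html><body>Error in template file "
                       r"D:\Inetpub\wwwroot\shop\application.cfm</body></html>",
    "onrequestend.cfm": "<p>Cannot process D:&#92;Inetpub&#92;wwwroot&#92;shop"
                        "&#92;onrequestend.cfm</p>",
    "application.cfm (after fix)": "<html><body>The page you requested is not "
                                   '<a href="/shop/index.cfm">available</a>.</body></html>',
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLES).items():
        print(f"{name}: leaks {', '.join(paths)}")
```

Relative links such as /shop/index.cfm and full URLs are deliberately not reported, so a custom error page that links back to the site passes the check.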