Bugtraq mailing list archives
Re: KPMG-2002013: Coldfusion Path Disclosure
From: "Mike Fetherston" <mike_fetherston () hotmail com>
Date: Fri, 19 Apr 2002 08:37:53 -0400
Hi,

Just tested with CF 4.5 & 5.0 Enterprise on NT4 using Apache. It is not vulnerable. You receive a 403 - Forbidden when you try to access nul/con.cfm/dbm with no path disclosure.

Sincerely,
Mike Fetherston.

Problem:
========
Requests for certain DOS-devices are parsed by the isapi filter that handles .cfm and .dbm and result in error messages containing the physical path to the web root.

Vulnerable:
===========
- Coldfusion 5.0 on Windows 2000 w. IIS5
- Other versions were not tested.

ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 also appear to be vulnerable. Work around for IIS 4.0 appears to be identical to that for IIS 5.0. I cannot determine any sort of fix for IIS 3.0.

The one drawback of the work around is that if you go to any .cfm or .dbm file that does not exist, you get a standard 404 error from the webserver rather than the considerably prettier (not that that says much) 404 message that ColdFusion returns.

I'd like to thank Peter Grundl (sorry about the umlaut but I can't figure out how to do it in my email client) and KPMG for finding this out for us.

Have a great day! (Or night!)

Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technician)
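
Added example, not part of the original thread: a log check that flags requests whose last path segment is a DOS device name with a .cfm or .dbm extension, the request shape the advisory describes, and reports the status the server returned. The thread names only nul and con; the wider reserved-name list, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Windows reserved DOS device names. The thread names only nul and con;
# the rest of the list is an added generalisation.
DOS_DEVICES = {"nul", "con", "aux", "prn"}
DOS_DEVICES |= {f"com{i}" for i in range(1, 10)}
DOS_DEVICES |= {f"lpt{i}" for i in range(1, 10)}
CF_EXTENSIONS = {"cfm", "dbm"}

# Request line and status in a Common Log Format entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def is_device_request(url):
    """True if the last path segment is <dos-device>.<cfm|dbm>."""
    # Decode %-escapes and normalise backslashes before inspecting the name.
    path = unquote(urlsplit(url).path).replace("\\", "/")
    segment = path.rsplit("/", 1)[-1].lower()
    name, dot, ext = segment.partition(".")
    return bool(dot) and name in DOS_DEVICES and ext in CF_EXTENSIONS

def find_device_requests(log_lines):
    """Return (line_number, url, status) for each matching request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_device_request(match.group(1)):
            hits.append((number, match.group(1), int(match.group(2))))
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Apr/2002:08:30:01 -0400] "GET /index.cfm HTTP/1.0" 200 5120',
    '192.0.2.44 - - [19/Apr/2002:08:31:17 -0400] "GET /nul.cfm HTTP/1.0" 500 812',
    '192.0.2.44 - - [19/Apr/2002:08:31:19 -0400] "GET /app/CON.dbm?x=1 HTTP/1.0" 403 210',
    '192.0.2.44 - - [19/Apr/2002:08:31:25 -0400] "GET /app/%6Eul.cfm HTTP/1.0" 404 198',
    '192.0.2.71 - - [19/Apr/2002:08:32:02 -0400] "GET /console.cfm HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for number, url, status in find_device_requests(SAMPLE_LOG):
        print(f"line {number}: {url} -> {status}")
```

A 403 (as reported above on Apache) or the web server's own 404 (as described for the work around) suggests the request was refused before ColdFusion produced an error page; any other status on a flagged line is worth checking for a disclosed path in the response.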