Re: KPMG-2002013: Coldfusion Path Disclosure

["Mike Fetherston" <mike_fetherston () hotmail com>]

Hi,

Just tested with CF 4.5 & 5.0 Enterprise on NT4 using Apache.  It is not
vulnerable.  You receive a 403 - Forbidden when you try to access
nul/con.cfm/dbm with no path disclosure.

Sincerely,

Mike Fetherston.

> > Problem:
> > ========
> > Requests for certain DOS-devices are parsed by the isapi filter that
> > handles .cfm and .dbm and result in error messages containing the
> > physical path to the web root.
> >
> >
> > Vulnerable:
> > ===========
> > - Coldfusion 5.0 on Windows 2000 w. IIS5
> > - Other versions were not tested.
>
> ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 also appear
> to be vulnerable.
>
> Work around for IIS 4.0 appears to be identical to for IIS 5.0.  I cannot
> determine any sort of fix for IIS 3.0.
>
> The one drawback of the work around is that if you go to any .cfm or .dbm
> file that does not exist, you get a standard 404 error from the webserver
> rather than the considerably prettier (not that that says much) 404
> message that ColdFusion returns.
>
> I'd like to thank Peter Grundl (sorry about the umlaut but I can't figure
> out how to do it in my email client) and KPMG for finding this out for us.
>
> Have a great day!  (Or night!)
>
>
> Christopher Ess
> System Administrator / CDTT (Certified Duct Tape Technician)