Bugtraq mailing list archives
Re: KPMG-2002013: Coldfusion Path Disclosure
From: Tom Donovan <tdonovan () macromedia com>
Date: 26 Apr 2002 21:09:20 -0000
In-Reply-To: <000701c1e6d0$cc7350e0$1f00a8c0@KPMGIRMPGRUNDL>

Usually, the preferred solution will be to use a Site-wide Error Handler.

ColdFusion provides for a "Site-wide Error Handler" template. This is located at the bottom of the "Settings" page in the ColdFusion Administrator. This allows the application developer to control exactly what is displayed when ColdFusion encounters an error. This is recommended practice for production ColdFusion sites, and applies to all unhandled errors, not just those caused by reserved DOS filenames such as NUL and PRN.

If, for some reason, a Site-wide Error Handler is not desired - the workaround, as described by Mr. Gründl, can be used to prevent DOS reserved filenames from being specified as ColdFusion templates. If this method is chosen, then all requests for non-existent templates (i.e. HTTP 404's) will display the IIS response rather than the standard ColdFusion response, since IIS will check for the file's existence before requesting that the ColdFusion ISAPI Extension process the file.

Tom Donovan
Macromedia ColdFusion
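Added example (not part of the original message or of any Macromedia code): a log check that flags requests naming a reserved DOS device as a ColdFusion template, the request pattern the message above discusses, so an administrator can see whether a server has been probed. The log layout, addresses, status codes and the set of template extensions are assumptions made for this sketch.

```python
import posixpath
import re
from urllib.parse import unquote

# DOS reserved device names; the message above names NUL and PRN as examples.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}
# Assumption: extensions mapped to the ColdFusion ISAPI extension on this server.
TEMPLATE_EXTS = {".cfm", ".dbm"}

# Constructed sample in IIS W3C extended format (addresses and statuses invented).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-04-26 21:01:02 192.0.2.10 GET /index.cfm 200
2002-04-26 21:01:05 192.0.2.44 GET /nul.cfm 500
2002-04-26 21:01:09 192.0.2.44 GET /app/PRN.dbm 500
2002-04-26 21:01:11 192.0.2.10 GET /docs/null.cfm 404
2002-04-26 21:01:15 192.0.2.44 GET /app/com1.foo.cfm 500
"""


def is_reserved_template(uri_stem):
    """True if the requested file is a DOS device name with a template extension."""
    name = re.split(r"[\\/]", unquote(uri_stem))[-1]
    # Windows resolves the device from the text before the first dot,
    # so nul.cfm and nul.foo.cfm both refer to NUL.
    stem = name.split(".")[0].rstrip(" ").upper()
    ext = posixpath.splitext(name)[1].lower()
    return stem in RESERVED and ext in TEMPLATE_EXTS


def find_probes(log_text):
    """Return (client IP, URI) for every request that names a reserved device."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            uri = row.get("cs-uri-stem", "")
            if is_reserved_template(uri):
                hits.append((row.get("c-ip"), uri))
    return hits


if __name__ == "__main__":
    for ip, uri in find_probes(SAMPLE_LOG):
        print(ip, uri)
```
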
Current thread:
- KPMG-2002013: Coldfusion Path Disclosure Peter Gründl (Apr 18)
- Re: KPMG-2002013: Coldfusion Path Disclosure Chris Ess (Apr 19)
- RE: KPMG-2002013: ColdFusion Path Disclosure Bejon Parsinia (Apr 19)
- Re: KPMG-2002013: Coldfusion Path Disclosure Mike Fetherston (Apr 20)
- <Possible follow-ups>
- Re: KPMG-2002013: Coldfusion Path Disclosure Tom Donovan (Apr 26)
- Re: KPMG-2002013: Coldfusion Path Disclosure Chris Ess (Apr 19)