[25178] in bugtraq
Re: KPMG-2002013: Coldfusion Path Disclosure
daemon@ATHENA.MIT.EDU (Mike Fetherston)
Fri Apr 19 17:13:07 2002
From: "Mike Fetherston" <mike_fetherston@hotmail.com>
To: "Chris Ess" <azarin@tokimi.net>,
"Peter Gründl" <pgrundl@kpmg.dk>
Cc: "bugtraq" <bugtraq@securityfocus.com>
Date: Fri, 19 Apr 2002 08:37:53 -0400
Message-ID: <DAV73q8amVLd6YMdMss00008cb6@hotmail.com>
Hi,
Just tested with CF 4.5 & 5.0 Enterprise on NT4 using Apache. It is not
vulnerable. You receive a 403 - Forbidden when you try to access
nul/con.cfm/dbm with no path disclosure.
Sincerely,
Mike Fetherston.
> > Problem:
> > ========
> > Requests for certain DOS-devices are parsed by the isapi filter that
> > handles .cfm and .dbm and result in error messages containing the
> > physical path to the web root.
> >
> >
> > Vulnerable:
> > ===========
> > - Coldfusion 5.0 on Windows 2000 w. IIS5
> > - Other versions were not tested.
>
> ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 also appear
> to be vulnerable.
>
> Work around for IIS 4.0 appears to be identical to that for IIS 5.0. I cannot
> determine any sort of fix for IIS 3.0.
>
> The one drawback of the work around is that if you go to any .cfm or .dbm
> file that does not exist, you get a standard 404 error from the webserver
> rather than the considerably prettier (not that that says much) 404
> message that ColdFusion returns.
>
> I'd like to thank Peter Grundl (sorry about the umlaut but I can't figure
> out how to do it in my email client) and KPMG for finding this out for us.
>
> Have a great day! (Or night!)
>
>
> Christopher Ess
> System Administrator / CDTT (Certified Duct Tape Technician)
>
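A log check for the request pattern discussed in this thread, added here as an example and not part of either poster's message: it flags access-log entries whose last path segment is a DOS device name with a `.cfm` or `.dbm` extension and reports the status the server returned. The thread names only `nul` and `con`; the wider device list, the Common Log Format layout and the sample lines are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Windows reserved device names. The thread mentions nul and con; the rest of
# the list is this example's generalization.
DOS_DEVICES = ({"con", "prn", "aux", "nul"}
               | {f"com{i}" for i in range(1, 10)}
               | {f"lpt{i}" for i in range(1, 10)})
CF_EXTENSIONS = {"cfm", "dbm"}  # extensions handled by the ColdFusion filter

# Request and status fields of a Common Log Format line (assumed log layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def is_device_request(target):
    """True if the last path segment is <device>.<cfm|dbm>, case-insensitive."""
    path = unquote(urlsplit(target).path).replace("\\", "/")
    segment = path.rstrip("/").rsplit("/", 1)[-1].lower()
    stem, _, rest = segment.partition(".")   # device name is before the first dot
    ext = rest.rsplit(".", 1)[-1]            # extension is after the last dot
    return stem.rstrip(" :") in DOS_DEVICES and ext in CF_EXTENSIONS


def find_device_requests(lines):
    """Return (line_number, request_target, status) for each matching entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_device_request(match["target"]):
            hits.append((number, match["target"], int(match["status"])))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Apr/2002:08:30:01 -0400] "GET /index.cfm HTTP/1.0" 200 5120',
    '192.0.2.44 - - [19/Apr/2002:08:30:07 -0400] "GET /nul.cfm HTTP/1.0" 500 812',
    '192.0.2.44 - - [19/Apr/2002:08:30:09 -0400] "GET /app/CON.dbm?x=1 HTTP/1.0" 403 210',
    '192.0.2.10 - - [19/Apr/2002:08:31:12 -0400] "GET /console.cfm HTTP/1.0" 200 900',
    '192.0.2.44 - - [19/Apr/2002:08:31:30 -0400] "GET /%6eul.cfm HTTP/1.0" 404 300',
]

if __name__ == "__main__":
    for number, target, status in find_device_requests(SAMPLE_LOG):
        print(f"line {number}: {target} -> HTTP {status}")
```

A match answered with 403 or 404 is consistent with the non-disclosing behaviour reported above; any other status on a matching request is worth checking for a physical path in the response body.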