[25286] in bugtraq


Re: KPMG-2002013: Coldfusion Path Disclosure

daemon@ATHENA.MIT.EDU (Tom Donovan)
Fri Apr 26 18:17:42 2002

Date: 26 Apr 2002 21:09:20 -0000
Message-ID: <20020426210920.27284.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Tom Donovan <tdonovan@macromedia.com>
To: bugtraq@securityfocus.com

In-Reply-To: <000701c1e6d0$cc7350e0$1f00a8c0@KPMGIRMPGRUNDL>

Usually, the preferred solution will be to use a Site-wide 
Error Handler.

ColdFusion provides for a "Site-wide Error Handler" 
template.  This is located at the bottom of the "Settings" 
page in the ColdFusion Administrator.  This allows the 
application developer to control exactly what is displayed 
when ColdFusion encounters an error.  

This is recommended practice for production ColdFusion 
sites, and applies to all unhandled errors, not just those 
caused by reserved DOS filenames such as NUL and PRN.  

If, for some reason, a Site-wide Error Handler is not 
desired - the workaround, as described by Mr. Gründl, can 
be used to prevent DOS reserved filenames from being 
specified as ColdFusion templates.

If this method is chosen, then all requests for non-existent 
templates (i.e. HTTP 404s) will display the IIS 
response rather than the standard ColdFusion response, 
since IIS will check for the file's existence before 
requesting that the ColdFusion ISAPI Extension process the 
file.

Tom Donovan
Macromedia ColdFusion
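A minimal Site-wide Error Handler template of the kind the post recommends, written here as an added example (not Macromedia's or Mr. Donovan's code): it records the failing template path and the diagnostic text in a server-side log and returns only a generic message plus a correlation id to the client, so the physical path never reaches the browser. It assumes the `error` scope variables that ColdFusion populates for error-handler templates (`error.template`, `error.message`, `error.diagnostics`, `error.remoteAddress`, `error.dateTime`); the log file name `sitewide_errors` is an arbitrary choice.

```cfml
<!--- Site-wide Error Handler (added example).
      Everything that could reveal server internals stays in the log;
      the visitor sees only a generic page and a reference id. --->
<cfsilent>
    <!--- Correlation id so support staff can find the log entry. --->
    <cfset errorRef = createUUID()>

    <!--- error.template and error.diagnostics are what an attacker
          is after in a path-disclosure bug; log them, never output them. --->
    <cflog file="sitewide_errors"
           type="error"
           text="ref=#errorRef# time=#error.dateTime# client=#error.remoteAddress# template=#error.template# message=#error.message# diagnostics=#error.diagnostics#">
</cfsilent>

<!--- Tell the client (and any monitoring) that this was a server error,
      without a ColdFusion-specific body. --->
<cfheader statuscode="500" statustext="Internal Server Error">
<html>
<head><title>Error</title></head>
<body>
<cfoutput>
<p>An unexpected error occurred while processing your request.</p>
<p>If the problem persists, quote reference <b>#errorRef#</b> when contacting support.</p>
</cfoutput>
</body>
</html>
```

Register the template under "Site-wide Error Handler" on the Settings page of the ColdFusion Administrator; because it applies to all unhandled errors, a quick check after deployment is to request a deliberately broken template and confirm the response contains neither a drive letter nor a `.cfm` path.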
