Hi All,
I found this on cfdjlist and thought it well worth posting here, since this
list is getting more traffic than cfdjlist these days. I've tried this "test"
on several of our more well-known CF sites and many of them failed.
Good morning:
I wanted to pass this one along from the webappsec list. CF 4 and 4.5 also
appear to be vulnerable to this; the workaround is OK. I'm battening down
the hatches this morning.
Kudos to Peter Grundl for finding this and letting us know.
-Sean
----- Original Message -----
From: "Peter Gründl" <[EMAIL PROTECTED]>
To: "bugtraq" <[EMAIL PROTECTED]>
Sent: Thursday, April 18, 2002 8:01 AM
Subject: KPMG-2002013: Coldfusion Path Disclosure
> --------------------------------------------------------------------
>
> Title: Coldfusion Path Disclosure
>
> BUG-ID: 2002013
> Released: 18th Apr 2002
> --------------------------------------------------------------------
>
> Problem:
> ========
> Requests for certain DOS-devices are parsed by the isapi filter that
> handles .cfm and .dbm and result in error messages containing the
> physical path to the web root.
>
>
> Vulnerable:
> ===========
> - Coldfusion 5.0 on Windows 2000 w. IIS5
> - Other versions were not tested.
>
>
> Details:
> ========
> Requests for non-existent .cfm and .dbm files return a ColdFusion
> "Object Not Found" error message similar to this:
>
> "Error Occurred While Processing Request
> Error Diagnostic Information
> An error has occurred.
>
>
> HTTP/1.0 404 Object Not Found"
>
>
> Requesting a DOS-device, such as nul.dbm or nul.cfm returns:
>
> "Error Occurred While Processing Request
> Error Diagnostic Information
> Cannot open CFML file
>
>
> The requested file "C:\data\nul.dbm" cannot be found.
>
>
> The specific sequence of files included or processed is:
> C:\data\nul.dbm
>
>
> Date/Time: 04/18/02 11:32:16
> Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
> Remote Address: xxx.xxx.xxx.xxx"
>
>
> A similar result can be achieved with this request:
>
> /nul..dbm
>
> which returns:
>
> "Error Occurred While Processing Request
> Error Diagnostic Information
> The template specification, 'C:\data\nul..dbm', is illegal.
>
> Template specifications cannot include '..' nor begin with a backslash
> ('\\')."
>
>
> Vendor URL:
> ===========
> You can visit the vendor's webpage here: http://www.coldfusion.com
>
>
> Vendor response:
> ================
> The vendor was contacted on the 26th of November, 2001. The vendor
> suggested a workaround for the problem on the 8th of January, 2002.
> This advisory was delayed due to a lapse of communication.
>
>
> Corrective action:
> ==================
> The vendor suggests turning on "Check that file exists":
>
> Windows 2000:
> 1. Open the Management console
> 2. Click on "Internet Information Services"
> 3. Right-click on the website and select "Properties"
> 4. Select "Home Directory"
> 5. Click on "Configuration"
> 6. Select ".cfm"
> 7. Click on "Edit"
> 8. Make sure "Check that file exists" is checked
> 9. Do the same for ".dbm"
>
>
> Author: Peter Gründl ([EMAIL PROTECTED])
>
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be liable
> for any consequences whatsoever arising out of or in connection
> with the use or spread of this information.
> --------------------------------------------------------------------
>
<!---
Jason Dowdell
[EMAIL PROTECTED]
321.799.6845
IM AES - Web Developer
--->
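As an added, defender-side example (not part of the advisory or of this thread): a small Python scanner that flags .cfm/.dbm requests naming a reserved DOS device, or containing the '..' the ColdFusion error text itself rejects, in an IIS W3C extended log, so the probes described above can be spotted in existing logs while the "Check that file exists" workaround is rolled out. The log lines are constructed, not real traffic; the field names c-ip and cs-uri-stem are standard IIS W3C extended-log fields.

```python
# Reserved MS-DOS device names. Windows resolves "nul.cfm" or "nul..dbm" to the
# NUL device regardless of extension, which is why the ISAPI filter in the
# advisory reports the physical path instead of returning a plain 404.
RESERVED_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})
CF_EXTENSIONS = (".cfm", ".dbm")

def is_device_request(uri_stem: str) -> bool:
    """True if the last path segment names a DOS device (extension ignored)."""
    name = uri_stem.replace("\\", "/").rsplit("/", 1)[-1]
    stem = name.split(".", 1)[0].rstrip(" .")  # Windows ignores trailing dots/spaces
    return stem.upper() in RESERVED_DEVICES

def is_illegal_template(uri_stem: str) -> bool:
    """The two rules CF's own error text states: no '..' and no leading backslash."""
    return ".." in uri_stem or uri_stem.startswith("\\")

def is_suspicious_cf_request(uri_stem: str) -> bool:
    """A .cfm/.dbm request that would trigger one of the advisory's error pages."""
    if not uri_stem.lower().endswith(CF_EXTENSIONS):
        return False
    return is_device_request(uri_stem) or is_illegal_template(uri_stem)

def scan_iis_log(log_text: str) -> list:
    """Return (c-ip, cs-uri-stem) for each flagged request in a W3C-format IIS log."""
    hits, fields = [], None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        if is_suspicious_cf_request(row.get("cs-uri-stem", "")):
            hits.append((row["c-ip"], row["cs-uri-stem"]))
    return hits

# Constructed sample log, not real traffic; the two probes mirror the advisory.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query
2002-04-18 11:32:16 192.0.2.10 GET /nul.dbm -
2002-04-18 11:32:20 192.0.2.10 GET /nul..dbm -
2002-04-18 11:33:01 192.0.2.20 GET /index.cfm -
2002-04-18 11:33:05 192.0.2.20 GET /missing.cfm -
"""
```

Calling `scan_iis_log(SAMPLE_LOG)` returns the two device-name requests from 192.0.2.10 and nothing for the ordinary .cfm hits, including the genuine 404 for missing.cfm.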
______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists