Hello Jason,

Monday, April 22, 2002, 3:55:33 PM, you wrote:

DJG> Hi All,

DJG> I found this on cfdjlist and found it very worthy of posting here since this
DJG> list is getting more traffic than cfdjlist these days.  I've tried this "test" on
DJG> several of our more well known CF sites and many of them failed.

DJG> Good morning:

DJG> I wanted to pass this one along from the webappsec list. CF 4 and 4.5 also
DJG> appear to be vulnerable to this- the workaround is ok. I'm battening down
DJG> the hatches this morning.

DJG> Kudos to Peter Grundl for finding this and letting us know.

DJG> -Sean

DJG> ----- Original Message -----
DJG> From: "Peter Gründl" <[EMAIL PROTECTED]>
DJG> To: "bugtraq" <[EMAIL PROTECTED]>
DJG> Sent: Thursday, April 18, 2002 8:01 AM
DJG> Subject: KPMG-2002013: Coldfusion Path Disclosure


>> --------------------------------------------------------------------
>>
>> Title: Coldfusion Path Disclosure
>>
>> BUG-ID: 2002013
>> Released: 18th Apr 2002
>> --------------------------------------------------------------------
>>
>> Problem:
>> ========
>> Requests for certain DOS-devices are parsed by the isapi filter that
>> handles .cfm and .dbm and result in error messages containing the
>> physical path to the web root.
>>
>>
>> Vulnerable:
>> ===========
>> - Coldfusion 5.0 on Windows 2000 w. IIS5
>> - Other versions were not tested.
>>
>>
>> Details:
>> ========
>> Requests for non-existent .cfm and .dbm files return a coldfusion
>> "Object Not Found" error message similar to this:
>>
>> "Error Occurred While Processing Request
>>  Error Diagnostic Information
>>  An error has occurred.
>>
>>
>>  HTTP/1.0 404 Object Not Found"
>>
>>
>> Requesting a DOS-device, such as nul.dbm or nul.cfm returns:
>>
>> "Error Occurred While Processing Request
>>  Error Diagnostic Information
>>  Cannot open CFML file
>>
>>
>>  The requested file "C:\data\nul.dbm" cannot be found.
>>
>>
>>  The specific sequence of files included or processed is:
>>  C:\data\nul.dbm
>>
>>
>>  Date/Time: 04/18/02 11:32:16
>>  Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
>>  Remote Address: xxx.xxx.xxx.xxx"
>>
>>
>> A similar result can be achieved with this request:
>>
>> /nul..dbm
>>
>> which returns:
>>
>> "Error Occurred While Processing Request
>>  Error Diagnostic Information
>>  The template specification, 'C:\data\nul..dbm', is illegal.
>>
>>  Template specifications cannot include '..' nor begin with a backslash
>> ('\\')."
>>
>>
>> Vendor URL:
>> ===========
>> You can visit the vendor's webpage here: http://www.coldfusion.com
>>
>>
>> Vendor response:
>> ================
>> The vendor was contacted on the 26th of November, 2001. The vendor
>> suggested a workaround for the problem on the 8th of January, 2002.
>> This advisory was delayed due to a lapse of communication.
>>
>>
>> Corrective action:
>> ==================
>> The vendor suggests turning on "Check that file exists":
>>
>> Windows 2000:
>> 1. Open the Management console
>> 2. Click on "Internet Information Services"
>> 3. Right-click on the website and select "Properties"
>> 4. Select "Home Directory"
>> 5. Click on "Configuration"
>> 6. Select ".cfm"
>> 7. Click on "Edit"
>> 8. Make sure "Check that file exists" is checked
>> 9. Do the same for ".dbm"
>>
>>
>> Author: Peter Gründl ([EMAIL PROTECTED])
>>
>> --------------------------------------------------------------------
>> KPMG is not responsible for the misuse of the information we provide
>> through our security advisories. These advisories are a service to
>> the professional security community. In no event shall KPMG be lia-
>> ble for any consequences whatsoever arising out of or in connection
>> with the use or spread of this information.
>> --------------------------------------------------------------------
>>


DJG> <!---
DJG>      Jason Dowdell
DJG>      [EMAIL PROTECTED]
DJG>      321.799.6845
DJG>      IM AES - Web Developer
DJG>  --->

DJG> 
______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
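Added example, not part of this thread or of the KPMG advisory: a Python filter that flags requests whose last path segment is a Windows reserved device name with a .cfm/.dbm extension (the request shape the advisory describes, including the `/nul..dbm` form), run over constructed IIS-style log lines. The W3C field order, the addresses and the status codes in the sample are assumptions.

```python
import re
from urllib.parse import unquote

# Windows reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) followed,
# after one or more dots, by an extension the ColdFusion ISAPI filter handles.
# The repeated-dot group also matches the '/nul..dbm' form from the advisory.
DEVICE_PROBE = re.compile(
    r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.[^.]*)*\.(cfm|dbm)$", re.IGNORECASE
)


def is_device_probe(url_path: str) -> bool:
    """True if the last path segment names a DOS device with a .cfm/.dbm extension."""
    decoded = unquote(url_path).replace("\\", "/")  # normalise %2e etc. and backslashes
    last_segment = decoded.rsplit("/", 1)[-1]
    return DEVICE_PROBE.match(last_segment) is not None


def scan_iis_log(lines):
    """Return (client_ip, uri_stem) for log lines that look like device-name probes.

    Assumed W3C field order: date time c-ip cs-method cs-uri-stem sc-status.
    """
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):  # skip directives and blank lines
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        client_ip, uri_stem = fields[2], fields[4]
        if is_device_probe(uri_stem):
            hits.append((client_ip, uri_stem))
    return hits


# Constructed sample log; addresses and status codes are illustrative only.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-04-18 11:32:10 192.0.2.10 GET /index.cfm 200
2002-04-18 11:32:12 192.0.2.10 GET /missing.cfm 404
2002-04-18 11:32:16 192.0.2.10 GET /nul.dbm 200
2002-04-18 11:32:17 192.0.2.10 GET /nul..dbm 200
2002-04-18 11:32:18 192.0.2.10 GET /scripts/CON.cfm 200
2002-04-18 11:32:19 198.51.100.7 GET /COM1%2ECFM 200
""".splitlines()

if __name__ == "__main__":
    for ip, path in scan_iis_log(SAMPLE_LOG):
        print(f"device-name probe from {ip}: {path}")
```

The plain 404 for `/missing.cfm` is not flagged; only requests that would reach the handler with a device name are reported, which is the population worth correlating with the "Check that file exists" setting.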