[NT] ColdFusion Allows for Path Disclosure (DOS Devices)
From: support@securiteam.comDate: 04/18/02
- Previous message: support@securiteam.com: "[NT] SQL Extended Procedure Functions Contain Unchecked Buffers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Thu, 18 Apr 2002 21:17:19 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
ColdFusion Allows for Path Disclosure (DOS Devices)
------------------------------------------------------------------------
SUMMARY
Certain requests containing DOS-devices are parsed by the ISAPI filter
that handles .cfm and .dbm and as a result will display an error message
containing the true physical path to the web root.
DETAILS
Vulnerable systems:
- ColdFusion 5.0 under Windows 2000 with IIS5
Requests for non-existent .cfm and .dbm files return a ColdFusion "Object
Not Found" error message similar to this:
"Error Occurred While Processing Request
Error Diagnostic Information
An error has occurred.
HTTP/1.0 404 Object Not Found"
Requesting a DOS-device, such as nul.dbm or nul.cfm returns:
"Error Occurred While Processing Request
Error Diagnostic Information
Cannot open CFML file
The requested file "C:\data\nul.dbm" cannot be found.
The specific sequence of files included or processed is:
C:\data\nul.dbm
Date/Time: 04/18/02 11:32:16
Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
Remote Address: xxx.xxx.xxx.xxx"
A similar result can be achieved with this request:
/nul..dbm
That returns:
"Error Occurred While Processing Request
Error Diagnostic Information
The template specification, 'C:\data\nul..dbm', is illegal.
Template specifications cannot include '..' nor begin with a backslash
('\\')."
Vendor response:
The vendor was contacted on the 26th of November, 2001. The vendor
suggested a workaround for the problem on the 8th of January, 2002. This
advisory was delayed was due to a lapse of communication.
Corrective action:
The vendor suggests turning on "Check that file exists". To do so follow
the following steps:
Windows 2000:
1. Open the Management console
2. Click on "Internet Information Services"
3. Right-click on the website and select "Properties"
4. Select "Home Directory"
5. Click on "Configuration"
6. Select ".cfm"
7. Click on "Edit"
8. Make sure "Check that file exists" is checked
9. Do the same for ".dbm"
ADDITIONAL INFORMATION
The information has been provided by <mailto:pgrundl@kpmg.dk> Peter
Gründl.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NT] SQL Extended Procedure Functions Contain Unchecked Buffers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
