KPMG-2002013: Coldfusion Path Disclosure

From: Peter Gründl (pgrundl@kpmg.dk)
Date: 04/18/02


From: Peter Gründl <pgrundl@kpmg.dk>
To: "bugtraq" <bugtraq@securityfocus.com>
Date: Thu, 18 Apr 2002 14:01:37 +0200


--------------------------------------------------------------------

Title: Coldfusion Path Disclosure

BUG-ID: 2002013
Released: 18th Apr 2002
--------------------------------------------------------------------

Problem:
========
Requests for certain DOS devices are parsed by the ISAPI filter that
handles .cfm and .dbm and result in error messages containing the
physical path to the web root.

Vulnerable:
===========
- Coldfusion 5.0 on Windows 2000 w. IIS5
- Other versions were not tested.

Details:
========
Requests for non-existent .cfm and .dbm files return a Coldfusion
"Object Not Found" error message similar to this:

"Error Occurred While Processing Request
 Error Diagnostic Information
 An error has occurred.

 HTTP/1.0 404 Object Not Found"

Requesting a DOS device, such as nul.dbm or nul.cfm, returns:

"Error Occurred While Processing Request
 Error Diagnostic Information
 Cannot open CFML file

 The requested file "C:\data\nul.dbm" cannot be found.

 The specific sequence of files included or processed is:
 C:\data\nul.dbm

 Date/Time: 04/18/02 11:32:16
 Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
 Remote Address: xxx.xxx.xxx.xxx"

A similar result can be achieved with this request:

/nul..dbm

which returns:

"Error Occurred While Processing Request
 Error Diagnostic Information
 The template specification, 'C:\data\nul..dbm', is illegal.

 Template specifications cannot include '..' nor begin with a backslash
('\\')."

Vendor URL:
===========
You can visit the vendor's web page here: http://www.coldfusion.com

Vendor response:
================
The vendor was contacted on the 26th of November, 2001. The vendor
suggested a workaround for the problem on the 8th of January, 2002.
The release of this advisory was delayed due to a lapse in communication.

Corrective action:
==================
The vendor suggests turning on "Check that file exists":

Windows 2000:
1. Open the Management console
2. Click on "Internet Information Services"
3. Right-click on the website and select "Properties"
4. Select "Home Directory"
5. Click on "Configuration"
6. Select ".cfm"
7. Click on "Edit"
8. Make sure "Check that file exists" is checked
9. Do the same for ".dbm"

Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be
liable for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------
