Coldfusion Path Disclosure Vulnerability-Help Required

From: Maverick The Techie (seclists4maverick_at_gmail.com)
Date: 02/25/05

    Date: Sat, 26 Feb 2005 03:17:14 +0530
    To: pen-test@securityfocus.com

    Respected Members,

    A few days ago, when I was doing a routine scan of my brother's
    website to find vulnerabilities, Nikto reported this
    vulnerability:
    "nul..dbm - ColdFusion 5.0 and below, 4.0-5.0 reveal file system
    paths of .cfm or .dbm files when the request contains invalid DOS
    devices." I checked the Bugtraq archives for more info on this and
    got the following:

    "Certain Requests for certain DOS-devices are parsed by the isapi
    filter that handles .cfm and .dbm and result in error messages
    containing the physical path to the web root."

    When I tried the above vulnerability and requested a nul.dbm
    file on the website, I got the following, which indeed revealed the
    path to the web root.

    Here is what I saw (I changed the name of the site to protect private
    info):

    The requested file "F:\webcorp\acme.com\nul.dbm" cannot be found.

    The specific sequence of files included or processed is:
    F:\webcorp\acme.com\nul.dbm

    Bugtraq says that this is called an input validation error and is
    very critical and must be patched.

    What I wanted to know is how this vulnerability can result in more
    harm. I mean, after exploiting it all I got to know is the path and
    nothing else; at this point how can an attacker really exploit
    this vulnerability and gain access to the web site or deface it?
    In short:

    How is it possible for an attacker to compromise the server or
    deface the site when only the physical path is known?

    Any responses with exploit examples would be highly appreciated as
    that would help me test the exploit and prove that this is indeed a
    red alert sign and should be patched immediately.

    Thanking you

    Maverick_12210
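As an added example (not part of the original post or of ColdFusion), a small Python script a defender could run over web server logs to spot requests for reserved DOS device names with ColdFusion extensions, the kind of request the Nikto finding describes, and to check an error page for leaked Windows paths. The log lines and error text are constructed, and the W3C-style field layout (date, time, client IP, method, URI stem, status) is an assumption.

```python
import re

# Windows reserved device names. A request such as /nul.dbm never maps to a
# real file, so on the affected ColdFusion versions its only effect is the
# path-revealing error message quoted in the post.
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)
CF_EXTENSIONS = {".cfm", ".dbm"}

# Constructed sample log in an assumed W3C extended layout:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2005-02-25 10:01:02 192.0.2.10 GET /index.cfm 200
2005-02-25 10:01:05 192.0.2.10 GET /nul.dbm 500
2005-02-25 10:01:07 192.0.2.10 GET /images/logo.gif 200
2005-02-25 10:01:09 192.0.2.44 GET /admin/COM1.cfm 500
2005-02-25 10:01:11 192.0.2.44 GET /docs/manual.dbm 200
"""

def is_device_probe(uri_stem):
    """True when the requested file name is a reserved DOS device with a ColdFusion extension."""
    name = uri_stem.rsplit("/", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return dot == "." and stem.lower() in RESERVED_DEVICES and "." + ext.lower() in CF_EXTENSIONS

def find_device_probes(log_text):
    """Return (client_ip, uri_stem, status) for every request that looks like a device-name probe."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line; skip rather than guess
        _date, _time, client, _method, uri, status = fields[:6]
        if is_device_probe(uri):
            hits.append((client, uri, status))
    return hits

# Drive letter, colon, backslash, then anything up to whitespace or a quote/tag.
PATH_LEAK = re.compile(r'[A-Za-z]:\\[^\s"<>]+')

def leaked_paths(response_body):
    """Return the distinct Windows file-system paths exposed in an error page body."""
    return sorted(set(PATH_LEAK.findall(response_body)))

# Constructed error text modelled on the message quoted in the post.
SAMPLE_ERROR = ('The requested file "F:\\webcorp\\acme.com\\nul.dbm" cannot be found.\n'
                'The specific sequence of files included or processed is:\n'
                'F:\\webcorp\\acme.com\\nul.dbm')

if __name__ == "__main__":
    print(find_device_probes(SAMPLE_LOG))
    print(leaked_paths(SAMPLE_ERROR))
```

A non-empty result from `leaked_paths` on a site's own error pages is the condition to fix (custom error pages or the vendor patch); the log scan tells you whether anyone has already been looking.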
