Hi, Just tested with CF 4.5 & 5.0 Enterprise on NT4 using Apache. It is not vulnerable. You receive a 403 - Forbidden when you try to access nul/con.cfm/dbm with no path disclosure. Sincerely, Mike Fetherston. > > Problem: > > ======== > > Requests for certain DOS-devices are parsed by the isapi filter that > > handles .cfm and .dbm and result in error messages containing the > > physical path to the web root. > > > > > > Vulnerable: > > =========== > > - Coldfusion 5.0 on Windows 2000 w. IIS5 > > - Other versions were not tested. > > ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 also appear > to be vulnerable. > > Work around for IIS 4.0 appears to be identical to for IIS 5.0. I cannot > determine any sort of fix for IIS 3.0. > > The one drawback of the work around is that if you go to any .cfm or .dbm > file that does not exist, you get a standard 404 error from the webserver > rather than the considerably prettier (not that that says much) 404 > message that ColdFusion returns. > > I'd like to thank Peter Grundl (sorry about the umlaut but I can't figure > out how to do it in my email client) and KPMG for finding this out for us. > > Have a great day! (Or night!) > > > Christopher Ess > System Administrator / CDTT (Certified Duct Tape Technician) > > >
This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 14:12:46 PDT