From pgrundl@kpmg.dk Thu Apr 18 15:22:16 2002
From: Peter Gründl
To: vulnwatch
Date: Thu, 18 Apr 2002 14:04:26 +0200
Subject: [VulnWatch] KPMG-2002013: Coldfusion Path Disclosure

--------------------------------------------------------------------
Title: Coldfusion Path Disclosure
BUG-ID: 2002013
Released: 18th Apr 2002
--------------------------------------------------------------------

Problem:
========
Requests for certain DOS devices are parsed by the ISAPI filter that
handles .cfm and .dbm and result in error messages containing the
physical path to the web root.

Vulnerable:
===========
- Coldfusion 5.0 on Windows 2000 w. IIS5
- Other versions were not tested.

Details:
========
Requests for non-existent .cfm and .dbm files return a Coldfusion
"Object Not Found" error message similar to this:

"Error Occurred While Processing Request
Error Diagnostic Information
An error has occurred.
HTTP/1.0 404 Object Not Found"

Requesting a DOS device, such as nul.dbm or nul.cfm, returns:

"Error Occurred While Processing Request
Error Diagnostic Information
Cannot open CFML file
The requested file "C:\data\nul.dbm" cannot be found.
The specific sequence of files included or processed is:
C:\data\nul.dbm
Date/Time: 04/18/02 11:32:16
Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
Remote Address: xxx.xxx.xxx.xxx"

A similar result can be achieved with this request:

/nul..dbm

which returns:

"Error Occurred While Processing Request
Error Diagnostic Information
The template specification, 'C:\data\nul..dbm', is illegal.
Template specifications cannot include '..' nor begin with a backslash ('\\')."

Vendor URL:
===========
You can visit the vendor's webpage here:
http://www.coldfusion.com

Vendor response:
================
The vendor was contacted on the 26th of November, 2001.
The vendor suggested a workaround for the problem on the 8th of January, 2002.
This advisory was delayed due to a lapse of communication.

Corrective action:
==================
The vendor suggests turning on "Check that file exists":

Windows 2000:
1. Open the Management console
2. Click on "Internet Information Services"
3. Right-click on the website and select "Properties"
4. Select "Home Directory"
5. Click on "Configuration"
6. Select ".cfm"
7. Click on "Edit"
8. Make sure "Check that file exists" is checked
9. Do the same for ".dbm"

Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to the
professional security community. In no event shall KPMG be liable for
any consequences whatsoever arising out of or in connection with the
use or spread of this information.
--------------------------------------------------------------------


From azarin@tokimi.net Sun Apr 21 04:16:34 2002
From: Chris Ess
To: Peter Gründl
Cc: bugtraq
Date: Thu, 18 Apr 2002 16:58:20 -0400 (EDT)
Subject: Re: KPMG-2002013: Coldfusion Path Disclosure

Hi!

> Problem:
> ========
> Requests for certain DOS-devices are parsed by the isapi filter that
> handles .cfm and .dbm and result in error messages containing the
> physical path to the web root.
>
>
> Vulnerable:
> ===========
> - Coldfusion 5.0 on Windows 2000 w. IIS5
> - Other versions were not tested.

ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 also appear
to be vulnerable. The workaround for IIS 4.0 appears to be identical to
that for IIS 5.0. I cannot determine any sort of fix for IIS 3.0.
The one drawback of the workaround is that if you go to any .cfm or .dbm
file that does not exist, you get a standard 404 error from the webserver
rather than the considerably prettier (not that that says much) 404
message that ColdFusion returns.

I'd like to thank Peter Grundl (sorry about the umlaut but I can't figure
out how to do it in my email client) and KPMG for finding this out for us.

Have a great day! (Or night!)

Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technician)
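As an added, defender-side example that is not part of either message above, the following Python script scans IIS W3C extended log lines for requests that match the pattern the advisory describes: a .cfm or .dbm request whose file stem is a reserved DOS device name, or whose template specification contains '..'. This is an assumed detection approach for the thread's own topic, not code from KPMG or the vendor. The list of reserved names beyond nul (con, prn, aux, com1-9, lpt1-9) comes from Windows documentation rather than from the advisory, and the log excerpt, timestamps and 192.0.2.x addresses are constructed sample data.

```python
"""Flag ColdFusion requests matching the KPMG-2002013 path-disclosure pattern
in IIS W3C extended log lines. Added example; all sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Reserved MS-DOS device names. Taken from Windows documentation, not from
# the advisory, which only demonstrates "nul".
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Extensions the ColdFusion ISAPI filter handles, per the advisory.
CF_EXTENSIONS = (".cfm", ".dbm")

# Constructed IIS W3C extended log excerpt (192.0.2.0/24 is a documentation
# range; the timestamps echo the advisory's example and are not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-04-18 11:32:16 192.0.2.10 GET /nul.dbm 200
2002-04-18 11:32:17 192.0.2.10 GET /nul..dbm 200
2002-04-18 11:32:18 192.0.2.11 GET /index.cfm 200
2002-04-18 11:32:19 192.0.2.12 GET /missing.cfm 404
2002-04-18 11:32:20 192.0.2.13 GET /reports/COM1.cfm 200
2002-04-18 11:32:21 192.0.2.14 GET /images/nul.gif 404
"""


@dataclass
class Finding:
    client_ip: str
    uri: str
    reasons: List[str]


def classify_uri(uri: str) -> List[str]:
    """Return the reasons a URI looks like a path-disclosure probe.

    An empty list means the request is unremarkable. Only .cfm/.dbm
    requests are considered, because only those reach the CF filter.
    """
    reasons: List[str] = []
    lowered = uri.lower()
    if not lowered.endswith(CF_EXTENSIONS):
        return reasons
    last_segment = lowered.rsplit("/", 1)[-1]
    # Windows resolves "nul.dbm" to the NUL device, so the stem decides.
    stem = last_segment.split(".", 1)[0]
    if stem in RESERVED_DEVICES:
        reasons.append(f"reserved device name '{stem}'")
    if ".." in lowered:
        reasons.append("'..' in template specification")
    return reasons


def parse_w3c(lines: List[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines using the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per request that matches the advisory's pattern."""
    findings: List[Finding] = []
    for rec in parse_w3c(lines):
        reasons = classify_uri(rec["cs-uri-stem"])
        if reasons:
            findings.append(Finding(rec["c-ip"], rec["cs-uri-stem"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.client_ip} {f.uri}: {'; '.join(f.reasons)}")
```

Running it against the sample flags /nul.dbm, /nul..dbm (on both counts) and /reports/COM1.cfm, while /index.cfm, the ordinary 404 for /missing.cfm, and /images/nul.gif (not handled by the CF filter) pass through. Matching on the stem rather than the whole name is what catches the advisory's nul.cfm, nul.dbm and nul..dbm variants alike; the HTTP status column is deliberately ignored, since the ColdFusion error page does not necessarily carry a 404.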