--------------------------------------------------------------------

Title: Coldfusion Path Disclosure

BUG-ID: 2002013
Released: 18th Apr 2002
--------------------------------------------------------------------

Problem:
========
Requests for certain DOS-devices are parsed by the isapi filter that
handles .cfm and .dbm and result in error messages containing the
physical path to the web root.


Vulnerable:
===========
- Coldfusion 5.0 on Windows 2000 w. IIS5
- Other versions were not tested.


Details:
========
Requests for non-existant .cfm and .dbm files return a coldfusion
"Object Not Found" error message similar to this:

"Error Occurred While Processing Request
 Error Diagnostic Information
 An error has occurred.


 HTTP/1.0 404 Object Not Found"


Requesting a DOS-device, such as nul.dbm or nul.cfm returns:

"Error Occurred While Processing Request
 Error Diagnostic Information
 Cannot open CFML file


 The requested file "C:\data\nul.dbm" cannot be found.


 The specific sequence of files included or processed is:
 C:\data\nul.dbm


 Date/Time: 04/18/02 11:32:16
 Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
 Remote Address: xxx.xxx.xxx.xxx"


A similar result can be achieved with this request:

/nul..dbm

which returns:

"Error Occurred While Processing Request
 Error Diagnostic Information
 The template specification, 'C:\data\nul..dbm', is illegal.

 Template specifications cannot include '..' nor begin with a backslash
('\\')."


Vendor URL:
===========
You can visit the vendors webpage here: http://www.coldfusion.com


Vendor response:
================
The vendor was contacted on the 26th of November, 2001. The vendor
suggested a workaround for the problem on the 8th of January, 2002.
This advisory was delayed was due to a lapse of communication.


Corrective action:
==================
The vendor suggests turning on "Check that file exists":

Windows 2000:
1. Open the Management console
2. Click on "Internet Information Services"
3. Right-click on the website and select "Properties"
4. Select "Home Directory"
5. Click on "Configuration"
6. Select ".cfm"
7. Click on "Edit"
8. Make sure "Check that file exists" is checked
9. Do the same for ".dbm"


Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------