Bugtraq mailing list archives

ColdFusion Bug: Application.cfm shows full path


From: m.van.waaijen () INTERVIEW-NSS COM (vwaaijen)
Date: Sun, 5 Mar 2000 14:06:05 +0100


Hello,

Some days ago I posted the following concern about ColdFusion's
Application.cfm:

"If you make an HTTP request to an (existing) application.cfm or
onrequestend.cfm page, ColdFusion generates an error message that reveals the
real path to that page on the server."

I received a lot of responses on this bug, and amongst them I received the
following solutions for this bug:

-----------------------

1. You can disable the ability to request application.cfm. This can be
done in the IIS MMC. The easiest way to do this is to force a redirection to
an index file. Right-click on application.cfm in the MMC, and set up
redirection.

2. You can use the site-wide missing file handler in CF 4.5. This will
send a custom error page which needn't say anything important at all. This
is set in the CF Administrator.

These solutions were provided to me by Dave Watts, CTO, Fig Leaf Software.

--------------------------

Damon Cooper from Allaire wrote the following:

"Allaire is aware of the issue and it is fixed as of the 4.5.1 release."

....

"I believe registered users of 4.x will be able to download the update when
it's made available.  I believe we're targeting a late March/early April
release."

--------------------------
Amy Wong from Allaire wrote:

"This has been reported as bug 14982.  It was reported on February 4th, and
today, March 1st, 2000, it is reported as fixed.  This means it will
probably be rolled into 4.5.1 RC2."

Amy

Amy Wong, Electronic Technical Support
Allaire Corporation

-----------------------------------

This bug is also archived by SecurityFocus at
http://www.securityfocus.com/bid/1021

Kind regards,
Marcel van Waaijen.
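
An added example, not part of the original post: a log check for workaround 1 above, listing direct requests to application.cfm or onrequestend.cfm in a W3C extended format web log and showing whether each was answered with a redirect. The sample log, the function names, and the rule that a 3xx status means the redirection is in place are assumptions made for illustration.

```python
import re

# Templates ColdFusion runs implicitly; the post reports that requesting them
# directly produces an error message revealing the real path on the server.
SENSITIVE = re.compile(r"(?:^|/)(application|onrequestend)\.cfm$", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def direct_template_requests(lines):
    """Return (client, uri, status, redirected) for each direct template request.

    Assumption: with the redirection workaround in place the server answers
    3xx, so any other status means the request was not redirected.
    """
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "")
        if SENSITIVE.search(uri):
            status = int(rec.get("sc-status", "0"))
            hits.append((rec.get("c-ip", "-"), uri, status, 300 <= status < 400))
    return hits

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-03-05 13:01:10 192.0.2.10 GET /index.cfm 200
2000-03-05 13:01:12 192.0.2.44 GET /shop/Application.cfm 500
2000-03-05 13:02:40 192.0.2.44 GET /shop/OnRequestEnd.cfm 302
2000-03-05 13:03:02 192.0.2.10 GET /docs/myapplication.cfm 200
2000-03-05 13:03:09 192.0.2.44 GET /application.cfm
""".splitlines()

if __name__ == "__main__":
    for ip, uri, status, redirected in direct_template_requests(SAMPLE_LOG):
        verdict = "redirected" if redirected else "NOT redirected"
        print(f"{ip} {uri} -> {status} ({verdict})")
```

Entries marked NOT redirected point at directories where the workaround is missing; the match is case-insensitive because IIS serves Application.cfm and application.cfm as the same file.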

