Bugtraq mailing list archives

RE: KPMG-2002013: ColdFusion Path Disclosure


From: "Bejon Parsinia" <bejon () supertel com>
Date: Thu, 18 Apr 2002 18:45:34 -0700

Chris,

Another way to avoid the ugly 404s would be to implement your ColdFusion
applications using the Fusebox methodology.  Of course, you could use other
methods to code your app, but Fusebox does a great job of this.  All files
are loaded directly (or indirectly) from an "index.cfm" file with
fuseactions.  The user never sees what the actual filenames are.  The only
file you ever see in a link is "index.cfm" with your fuses attached to the
URL, which does all of the intelligent handling.  Any time you receive a
request for a specific file, even if it exists on the server (such as
dsp_aboutme.cfm), the application is coded to return a user-created 404, or
the user can be directed to a specific page.  Fusebox will consider any file
request that is not "index.cfm" as a bad request.  Of course, you can change
the file from "index.cfm" to anything you want.  But basically, your 404
becomes your own fuse.  It's a really nice way of working your way around
this if you hold to the application structure that Fusebox lays out.

If you are interested in this, check out www.fusebox.org.  I highly suggest
it.

Granted, without some specifics from you, I do not know how well Fusebox will
handle the DOS you suggested.  You may want to give it a try.  I hope I
explained Fusebox well enough to stress how strong a programming
methodology it affords a developer.  Also, Fusebox does not only apply to
ColdFusion.  There is a framework on the site for Active Server Pages as
well.

Good Luck!

Bejon

-----Original Message-----
From: Chris Ess [mailto:azarin () tokimi net]
Sent: Thursday, April 18, 2002 1:58 PM
To: Peter Grundl
Cc: bugtraq
Subject: Re: KPMG-2002013: Coldfusion Path Disclosure


Hi!

Problem:
========
Requests for certain DOS devices are parsed by the ISAPI filter that
handles .cfm and .dbm and result in error messages containing the
physical path to the web root.


Vulnerable:
===========
- ColdFusion 5.0 on Windows 2000 with IIS 5
- Other versions were not tested.

ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 also appear
to be vulnerable.

The workaround for IIS 4.0 appears to be identical to that for IIS 5.0.  I
cannot determine any sort of fix for IIS 3.0.

The one drawback of the workaround is that if you go to any .cfm or .dbm
file that does not exist, you get a standard 404 error from the web server
rather than the considerably prettier (not that that says much) 404
message that ColdFusion returns.

I'd like to thank Peter Grundl (sorry about the umlaut but I can't figure
out how to do it in my email client) and KPMG for finding this out for us.

Have a great day!  (Or night!)


Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technician)
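The two ideas in this thread, a Fusebox-style front controller that serves only "index.cfm" with a fuseaction and answers every other file request with a generic 404, and a check that refuses requests whose filename is a DOS device name before the script engine ever sees them, sketched together as an added example. This is not Fusebox's code, nor anything posted by Bejon or Chris: the FUSES map, the dsp_*.cfm file names, the default "home" fuseaction and the sample URLs are all constructed for the example, and the reserved device list is the standard Win32 set (CON, PRN, AUX, NUL, COM1-9, LPT1-9).

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Reserved DOS device names on Win32. A request such as /COM1.cfm or /aux.dbm
# still carries a script extension, so the web server hands it to the script
# engine; the engine then fails to open the "file" and, in the case reported
# above, echoes the physical web-root path in its error message. Windows
# treats "COM1.cfm" as the COM1 device, so only the stem matters.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {"COM%d" % i for i in range(1, 10)}
    | {"LPT%d" % i for i in range(1, 10)}
)

# Extensions the ColdFusion ISAPI filter handles (from the advisory).
SCRIPT_EXTENSIONS = {".cfm", ".dbm"}

# Fusebox-style map from fuseaction to the file that actually renders it.
# Constructed for this example: the file names never appear in a link, so a
# direct request for one of them is treated as a bad request below.
FUSES = {
    "home": "dsp_home.cfm",
    "aboutme": "dsp_aboutme.cfm",
}

FRONT_CONTROLLER = "/index.cfm"   # assumed application root for the example
DEFAULT_FUSEACTION = "home"       # assumed default when no fuseaction is given
GENERIC_404 = "The page you requested could not be found."


def is_reserved_device(path):
    """True if the last path segment, minus any extension, is a DOS device name."""
    stem = posixpath.basename(path).split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICES


def has_script_extension(path):
    """True if the request would be routed to the .cfm/.dbm ISAPI filter."""
    return posixpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS


def route(url):
    """Return (status, body) for a request URL.

    Only the front controller with a known fuseaction is served. Anything
    else, a direct request for an existing fuse file, an unknown fuseaction
    or a DOS device name, gets the same generic 404 text. No branch ever
    includes a filesystem path in the response, so nothing is disclosed
    whether or not the requested name exists on disk.
    """
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path)

    # Refuse device names first, before any handler could try to open them.
    if is_reserved_device(path):
        return 404, GENERIC_404

    # Fusebox rule: every request that is not the front controller is bad,
    # even if the named file exists (e.g. /dsp_aboutme.cfm).
    if path != FRONT_CONTROLLER:
        return 404, GENERIC_404

    fuseaction = parse_qs(parts.query).get("fuseaction", [DEFAULT_FUSEACTION])[0]
    target = FUSES.get(fuseaction)
    if target is None:
        return 404, GENERIC_404   # unknown fuse: the 404 is itself a fuse
    return 200, "rendered " + target


if __name__ == "__main__":
    for sample in ("/index.cfm?fuseaction=aboutme", "/dsp_aboutme.cfm",
                   "/COM1.cfm", "/aux.dbm", "/index.cfm?fuseaction=../etc"):
        print(sample, "->", route(sample))
```

The device check sits in front of the dispatcher on purpose: the IIS workaround Chris refers to keeps such requests away from the ISAPI filter at the web-server layer, and an application-level filter like this one is only a second line behind it, since a request the server has already handed to the engine is beyond the application's control.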



