Hi! > Problem: > ======== > Requests for certain DOS-devices are parsed by the isapi filter that > handles .cfm and .dbm and result in error messages containing the > physical path to the web root. > > > Vulnerable: > =========== > - Coldfusion 5.0 on Windows 2000 w. IIS5 > - Other versions were not tested.
ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 also appear to be vulnerable. Work around for IIS 4.0 appears to be identical to for IIS 5.0. I cannot determine any sort of fix for IIS 3.0. The one drawback of the work around is that if you go to any .cfm or .dbm file that does not exist, you get a standard 404 error from the webserver rather than the considerably prettier (not that that says much) 404 message that ColdFusion returns. I'd like to thank Peter Grundl (sorry about the umlaut but I can't figure out how to do it in my email client) and KPMG for finding this out for us. Have a great day! (Or night!) Christopher Ess System Administrator / CDTT (Certified Duct Tape Technician)
