Chris,

Another way to avoid the ugly 404's would be to implement your ColdFusion Applications using the Fusebox methodology. Of course, you could use other methods to code your app but Fusebox does a great job of this. All files are loaded directly (or indirectly) from an "index.cfm" file with fuseactions. The user never sees what the actual filenames are. The only file you ever see in a link is "index.cfm" with your fuses attached to the url which does all of the intelligent handling.

Any time you receive a request for a specific file, even if it exists on the server (such as dsp_aboutme.cfm), the application is coded to return a user-created 404, or the user can be directed to a specific page. Fusebox will consider any file request that is not "index.cfm" as a bad request. Of course, you can change the file from "index.cfm" to anything you want. But basically, your 404 becomes your own fuse. It's a really nice way of working your way around this if you hold to the application structure that Fusebox lays out.

If you are interested in this, check out www.fusebox.org. I highly suggest it. Granted, without some specifics from you, I do not know how well Fusebox will handle the DOS you suggested. You may want to give it a try. I hope I explained Fusebox well enough to stress how strong of a programming methodology it affords a developer. Also, Fusebox does not only apply to ColdFusion. There is a framework on the site for Active Server Pages as well.

Good Luck!

Bejon

-----Original Message-----
From: Chris Ess [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 18, 2002 1:58 PM
To: Peter Grundl
Cc: bugtraq
Subject: Re: KPMG-2002013: Coldfusion Path Disclosure

Hi!

> Problem:
> ========
> Requests for certain DOS-devices are parsed by the isapi filter that
> handles .cfm and .dbm and result in error messages containing the
> physical path to the web root.
>
>
> Vulnerable:
> ===========
> - Coldfusion 5.0 on Windows 2000 w. IIS5
> - Other versions were not tested.

ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 also appear to be vulnerable.

Work around for IIS 4.0 appears to be identical to that for IIS 5.0. I cannot determine any sort of fix for IIS 3.0.

The one drawback of the work around is that if you go to any .cfm or .dbm file that does not exist, you get a standard 404 error from the webserver rather than the considerably prettier (not that that says much) 404 message that ColdFusion returns.

I'd like to thank Peter Grundl (sorry about the umlaut but I can't figure out how to do it in my email client) and KPMG for finding this out for us.

Have a great day! (Or night!)

Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technician)
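
The front-controller routing described in the reply at the top of this thread, modelled in Python as an added example (not part of the thread and not Fusebox's own code). The fuseaction names, the `dsp_home.cfm` template and the 404 text are assumptions; the model covers application-level routing only and does not reproduce how the ColdFusion ISAPI filter treats a request before the application sees it.

```python
import logging
import posixpath
import re

log = logging.getLogger("frontcontroller")

FRONT_CONTROLLER = "index.cfm"      # the only script name that is ever served
DEFAULT_FUSEACTION = "home.main"    # hypothetical default fuseaction
FUSEACTIONS = {                     # hypothetical allowlist: fuseaction -> internal template
    "home.main": "dsp_home.cfm",
    "about.me": "dsp_aboutme.cfm",
}
# Reserved DOS device names, with or without an extension (nul, nul.cfm, com1.dbm, ...)
DOS_DEVICE = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)
# One fixed response for every rejection: no filename, no physical path
NOT_FOUND = (404, "Sorry, that page does not exist.")


def classify(path, query=None):
    """Return 'ok' or the reason a request is rejected (for server-side logs only)."""
    name = posixpath.basename(path.replace("\\", "/")).lower()
    if DOS_DEVICE.match(name):
        return "dos-device"
    if name != FRONT_CONTROLLER:
        return "not-front-controller"   # includes real templates such as dsp_aboutme.cfm
    if (query or {}).get("fuseaction", DEFAULT_FUSEACTION) not in FUSEACTIONS:
        return "unknown-fuseaction"
    return "ok"


def route(path, query=None):
    """Return (status, body); every rejection gets the same custom 404."""
    reason = classify(path, query)
    if reason != "ok":
        log.warning("rejected %r: %s", path, reason)  # the reason stays on the server
        return NOT_FOUND
    action = (query or {}).get("fuseaction", DEFAULT_FUSEACTION)
    return 200, "render:" + FUSEACTIONS[action]


if __name__ == "__main__":
    # Constructed sample requests
    for p, q in [("/index.cfm", {"fuseaction": "about.me"}),
                 ("/dsp_aboutme.cfm", {}), ("/nul.cfm", {}),
                 ("/index.cfm", {"fuseaction": "no.such"})]:
        print(p, q, "->", route(p, q))
```

The client sees an identical response for a missing file, an existing internal template and a device name, while the log keeps the distinction for whoever reviews rejected requests.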