26th Sep 2002 [SBWID-5287]
COMMAND
Coldfusion path disclosure
SYSTEMS AFFECTED
Coldfusion 5.0 on Windows 2000 w. IIS5
ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0
PROBLEM
In KPMG security advisory KPMG-2002013 [http://www.kpmg.dk], Peter Gründl says:
Problem
=======
Requests for certain DOS-devices are parsed by the isapi filter that
handles .cfm and .dbm and result in error messages containing the
physical path to the web root.
Details
=======
Requests for non-existent .cfm and .dbm files return a ColdFusion
"Object Not Found" error message similar to this:
"Error Occurred While Processing Request
Error Diagnostic Information
An error has occurred.
HTTP/1.0 404 Object Not Found"
Requesting a DOS-device, such as nul.dbm or nul.cfm returns:
"Error Occurred While Processing Request
Error Diagnostic Information
Cannot open CFML file
The requested file "C:\data\nul.dbm" cannot be found.
The specific sequence of files included or processed is:
C:\data\nul.dbm
Date/Time: 04/18/02 11:32:16
Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)
Remote Address: xxx.xxx.xxx.xxx"
A similar result can be achieved with this request:
/nul..dbm
which returns:
"Error Occurred While Processing Request
Error Diagnostic Information
The template specification, 'C:\data\nul..dbm', is illegal.
Template specifications cannot include '..' nor begin with a backslash
('\\')."
SOLUTION
Corrective action
=================
The vendor suggests turning on "Check that file exists":
Windows 2000:
1. Open the Management console
2. Click on "Internet Information Services"
3. Right-click on the website and select "Properties"
4. Select "Home Directory"
5. Click on "Configuration"
6. Select ".cfm"
7. Click on "Edit"
8. Make sure "Check that file exists" is checked
9. Do the same for ".dbm"
Update by Christopher Ess
=========================
Workaround for IIS 4.0 appears to be identical to that for IIS 5.0. I cannot
determine any sort of fix for IIS 3.0.
The one drawback of the workaround is that if you go to any .cfm or .dbm
file that does not exist, you get a standard 404 error from the webserver
rather than the considerably prettier (not that that says much) 404
message that ColdFusion returns.
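As an added example (not part of the KPMG advisory or this SBWID entry), the following Python check lets an administrator spot the DOS-device request pattern described in the Problem section in IIS logs, and detect the symptom (an absolute Windows path in an error page) in a captured response body. It assumes IIS W3C extended log lines with the fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status; the sample log lines are constructed.

```python
import re

# Reserved DOS device names; Windows resolves "nul.dbm" or "nul..dbm" to the
# device itself, which is why the ColdFusion ISAPI filter errors out with a path.
DOS_DEVICES = ({"con", "prn", "aux", "nul"}
               | {f"com{i}" for i in range(1, 10)}
               | {f"lpt{i}" for i in range(1, 10)})
CF_EXTENSIONS = (".cfm", ".dbm")   # extensions handled by the ColdFusion filter

# Absolute Windows path such as C:\data\nul.dbm leaking into a response body
WIN_PATH_RE = re.compile(r"\b[A-Za-z]:\\[^\s\"'<>]+")

def is_device_probe(uri):
    """True if the request targets a DOS device name with a .cfm/.dbm extension,
    covering both /nul.dbm and the /nul..dbm variant from the advisory."""
    name = uri.split("?", 1)[0].lower().rsplit("/", 1)[-1]
    for ext in CF_EXTENSIONS:
        if name.endswith(ext):
            base = name[: -len(ext)].rstrip(". ")   # 'nul..dbm' -> 'nul'
            return base in DOS_DEVICES
    return False

def discloses_path(body):
    """Return the absolute Windows paths found in an error page body."""
    return WIN_PATH_RE.findall(body)

def flag_log(lines):
    """Scan IIS W3C log lines (assumed field order: date time c-ip cs-method
    cs-uri-stem cs-uri-query sc-status) and return (c-ip, uri) for device probes."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue           # skip W3C directives and blank lines
        fields = line.split()
        if len(fields) < 7:
            continue           # malformed line; ignore rather than crash
        ip, uri = fields[2], fields[4]
        if is_device_probe(uri):
            hits.append((ip, uri))
    return hits

# Constructed sample log lines, not taken from a real server
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-26 11:32:15 192.0.2.10 GET /index.cfm - 200
2002-09-26 11:32:16 192.0.2.10 GET /nul.dbm - 200
2002-09-26 11:32:17 192.0.2.10 GET /nul..dbm - 200
2002-09-26 11:32:18 198.51.100.7 GET /missing.cfm - 404
2002-09-26 11:32:19 198.51.100.7 GET /scripts/COM1.cfm id=1 200
""".splitlines()

if __name__ == "__main__":
    for ip, uri in flag_log(SAMPLE_LOG):
        print(f"device probe from {ip}: {uri}")
```

Once "Check that file exists" is enabled as described above, the same log scan is a cheap way to confirm that such requests now end in the webserver's own 404 rather than a ColdFusion error page.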