Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: cf11.htm

ColdFusion discover actual path of object



Vulnerability

    Cold Fusion

Affected

    Systems with Cold Fusion

Description

    Marcel van Waaijen  found following.   If you make  a http-request
    to  an  (existing)   application.cfm  of  onrequestend.cfm   page,
    ColdFusion generates  an errormessage  that reveals  the real path
    to that page on the server.

Solution

    1. You can disable the  ability to request application.cfm.   This
       can be done in the IIS MMC.   The easiest way to do this is  to
       force  a  redirection   to  an  index   file.  Right-click   on
       application.cfm in the MMC, and set up redirection.

    2. You can use the site-wide missing file handler in CF 4.5.  This
       will  send  a  custom  error  page  which  needn't say anything
       important at all.  This is set in the CF Administrator.

    This has been reported as bug 14982.  It was reported on  February
    4th, and today, March  1st, 2000, it is  reported as fixed.   This
    means it will probably be rolled int 4.5.1 RC2.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH