NTBugtraq And NTSecurity Archives: Change of behavior for IIS in SP6?

Change of behavior for IIS in SP6?


Zachary Bedell (AramisWHITEFACE.ADIRONDACK.NET)
Mon, 1 Nov 1999 11:29:32 -0500



I have a ColdFusion 4.0.1 server that was just upgraded from SP4 to
SP6, and there seems to be a change in the behavior for ColdFusion
execution under IIS.

ColdFusion files are set to run as executables on the server, not as
scripts (Script Engine is unchecked in the Application Settings for
.cfm files in MMC). That setting allowed a URL of the following
format to work:
www.server.com/dir/download.cfm/actualfilename.ext?id=blah&param2=blah&etc=etc
<--- Note that download.cfm would execute, not actualfilename.ext.

That way, a file could be 'hidden' behind a CF page, requiring some
sort of authentication. When the payload file was dispensed, the CF
page grabbed the file from outside of the webroot using CFFILE. The
MIME headers were set to reflect the file type, and the
'actualfilename.ext' section of the URL tricked both IE & Netscape
into defaulting to the actual filename instead of 'download.cfm.'
The file download.cfm ran with that URL, and everything was fine
under SP4.

After upgrading to SP6, that URL now returns a 404 error, as it seems
the webserver is trying to return a page named
/dir/download.cfm/actualfilename.ext instead of actually running
download.cfm.

It seems that either: 1) IIS is ignoring the setting for 'Script
Engine' in the MMC and running CF as a script instead of an
executable, or 2) the behavior of IIS's URL parsing has changed
somehow & the Script Engine setting no longer affects it.

Has anyone else noticed this behavior in either SP5 or SP6? I could
provide a code snippet that would test for the change if anyone is
interested. While this seems like a little change, as far as I know,
that URL format was the only way to reliably fake out the filename
that browsers would display. If anyone knows of an alternate way of
accomplishing that goal, a private email w/ a quick explanation would
be a REAL lifesaver right about now...

I'm not sure if or to whom I should forward this message within
Allaire or MS. Any advice as to who 'the right person' is would be
appreciated.

Regards,
Zac Bedell

========================================
Zachary S. Bedell,
Server Administrator,
Adirondack Technologies, Inc.
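As an added illustration (not code from the poster, Allaire or Microsoft), the following models the two URL-resolution behaviors the post contrasts: walking the path until a mapped extension is found and handing the remainder to the handler as PATH_INFO (what worked under SP4), versus looking the whole path up as a literal file (the 404 seen after SP6). The script map and webroot file list are constructed sample data, and the functions are a simplified model, not IIS's actual resolver.

```python
import posixpath
from urllib.parse import urlsplit

# Extensions mapped to an application handler, as in the IIS
# "App Mappings" dialog (constructed sample).
SCRIPT_MAP = {".cfm"}
# Files that exist under the webroot (constructed sample, webroot-relative).
WEBROOT_FILES = {"/dir/download.cfm", "/dir/index.cfm"}


def resolve_path_info(url):
    """Walk the path left to right; the first segment whose extension is
    mapped is the script, and everything after it becomes PATH_INFO.
    The script (here download.cfm) runs and is the only thing that gates
    access to whatever it serves, so its own auth check must be sound."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    for i, seg in enumerate(segments):
        if posixpath.splitext(seg)[1].lower() in SCRIPT_MAP:
            script = "/".join(segments[:i + 1])
            rest = segments[i + 1:]
            path_info = "/" + "/".join(rest) if rest else ""
            status = 200 if script in WEBROOT_FILES else 404
            return {"status": status, "script": script,
                    "path_info": path_info, "query": parts.query}
    status = 200 if parts.path in WEBROOT_FILES else 404
    return {"status": status, "script": None, "path_info": "",
            "query": parts.query}


def resolve_literal(url):
    """Look the whole path up as a file; only an exact match is served.
    A trailing 'actualfilename.ext' segment therefore yields 404."""
    parts = urlsplit(url)
    if parts.path in WEBROOT_FILES:
        return {"status": 200, "script": parts.path, "path_info": "",
                "query": parts.query}
    return {"status": 404, "script": None, "path_info": "",
            "query": parts.query}


if __name__ == "__main__":
    url = ("http://www.server.com/dir/download.cfm/actualfilename.ext"
           "?id=blah&param2=blah")
    print("PATH_INFO resolution:", resolve_path_info(url))
    print("literal resolution:  ", resolve_literal(url))
```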




This archive was generated by hypermail 2.0b3 on Mon Nov 01 1999 - 13:04:49 CST