ColdFusion Path Disclosure Vulnerability - Help Required
From: Maverick The Techie (seclists4maverickgmail.com)
Date: Fri Feb 25 2005 - 15:47:14 CST
A few days ago, when I was doing a routine scan of my brother's
website to find vulnerabilities, Nikto reported this:
"nul..dbm - ColdFusion 5.0 and below, 4.0-5.0 reveal file system
paths of .cfm or .dbm files when the request contains invalid DOS
devices." I checked the Bugtraq archives for more info on this and
got the following:
"Certain Requests for certain DOS-devices are parsed by the isapi
filter that handles .cfm and .dbm and result in error messages
containing the physical path to the web root."
When I tried the above vulnerability and requested a nul.dbm
file on the website, I got the following, which indeed revealed the
path to the web root.
Here is what I saw (changed the name of the site to protect private
The requested file "F:\webcorp\acme.com\nul.dbm" cannot be found.
The specific sequence of files included or processed is:
Bugtraq says that this is called an input validation error and is
very critical and must be patched.
What I wanted to know is how this vulnerability can result in more
harm. I mean, after exploiting it, all I got to know is the path and
nothing else. Now, at this point, how can an attacker really exploit
this vulnerability and gain access to the web site or deface it?
How is it possible for an attacker to compromise the server or
deface the site when only the physical path is known?
Any responses with exploit examples would be highly appreciated as
that would help me test the exploit and prove that this is indeed a
red alert sign and should be patched immediately.
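
Added example, not part of the original post: a defender-side check that flags requests for DOS device names with a .cfm or .dbm extension in web server logs and recognises the path-disclosing error body quoted above. The log field order, the sample log lines and the IP addresses are constructed assumptions, not data from the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved DOS device names on Windows; the post's request used "nul".
DOS_DEVICES = {"nul", "con", "aux", "prn"} | {f"{p}{i}" for p in ("com", "lpt") for i in range(1, 10)}
CF_EXTENSIONS = {"cfm", "dbm"}  # the two extensions named in the advisory text
# Error body shown in the post: a quoted drive-letter path to the requested file.
PATH_LEAK = re.compile(r'The requested file "([A-Za-z]:\\[^"]+)" cannot be found')

def is_device_probe(uri):
    """True if the URI's last path segment is <dos-device>.<cfm|dbm>."""
    path = unquote(urlsplit(uri).path)  # decode %xx so encoded names still match
    leaf = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, dot, ext = leaf.rpartition(".")
    return bool(dot) and stem in DOS_DEVICES and ext in CF_EXTENSIONS

def leaked_path(body):
    """Return the physical path disclosed in an error body, or None."""
    m = PATH_LEAK.search(body)
    return m.group(1) if m else None

def scan_log(lines):
    """Return (client_ip, uri) for each device-name probe in W3C-style log lines.
    Assumed field order: date time c-ip cs-method cs-uri-stem sc-status."""
    hits = []
    for line in lines:
        fields = line.split()
        if not line.startswith("#") and len(fields) >= 6 and is_device_probe(fields[4]):
            hits.append((fields[2], fields[4]))
    return hits

# Constructed sample data (documentation IP ranges), not taken from the post.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2005-02-25 15:40:01 192.0.2.10 GET /index.cfm 200",
    "2005-02-25 15:40:07 198.51.100.7 GET /nul.dbm 200",
    "2005-02-25 15:40:09 198.51.100.7 GET /app/AUX.cfm 200",
    "2005-02-25 15:40:12 192.0.2.10 GET /console.cfm 200",
]
SAMPLE_BODY = 'The requested file "F:\\webcorp\\acme.com\\nul.dbm" cannot be found.'

if __name__ == "__main__":
    for ip, uri in scan_log(SAMPLE_LOG):
        print("device-name probe from", ip, uri)
    print("disclosed path:", leaked_path(SAMPLE_BODY))
```

Running `leaked_path` over responses captured after patching confirms whether the error page still returns the web root.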