Bugtraq mailing list archives

ColdFusion Bug: Application.cfm shows full path
From: m.van.waaijen () INTERVIEW-NSS COM (vwaaijen)
Date: Sun, 5 Mar 2000 14:06:05 +0100


Some days ago I posted the following concern about ColdFusion:

"If you make an HTTP request to an (existing) application.cfm or
onrequestend.cfm page, ColdFusion generates an error message that reveals the
real path to that page on the server."

I received a lot of responses on this bug and amongst them I received the
following solutions for this bug:


1. You can disable the ability to request application.cfm. This can be
done in the IIS MMC. The easiest way to do this is to force a redirection to
an index file. Right-click on application.cfm in the MMC, and set up

2. You can use the site-wide missing file handler in CF 4.5. This will
send a custom error page which needn't say anything important at all. This
is set in the CF Administrator.

These solutions were provided to me by Dave Watts, CTO, Fig Leaf Software.


Damon Cooper from Allaire wrote the following:

"Allaire is aware of the issue and it is fixed as of the 4.5.1 release."


"I believe registered users of 4.x will be able to download the update when
it's made available.  I believe we're targeting a late March/early April

Amy Wong from Allaire wrote:

"This has been reported as bug 14982.  It was reported on February 4th, and
today, March 1st, 2000, it is reported as fixed.  This means it will
probably be rolled into 4.5.1 RC2."


Amy Wong, Electronic Technical Support
Allaire Corporation


This bug is also archived by security focus at

Kind regards,
Marcel van Waaijen.
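
A check that either workaround above took effect, as an added example that is not part of the original post: it scans responses to requests for Application.cfm and OnRequestEnd.cfm for absolute filesystem paths. The response bodies, directory names and path heuristics are constructed for illustration and are not ColdFusion's actual error text.

```python
import re

# Heuristics (assumptions of this example): Windows drive or UNC paths, and
# Unix paths under common roots. Site-relative URLs such as /shop/index.cfm
# and paths inside http:// URLs are deliberately not matched.
PATH_RE = re.compile(
    r'(?:(?<![A-Za-z])[A-Za-z]:\\|\\\\[\w.-]+\\)[^\s"<>|*?]+'
    r'|(?<![\w/.:])/(?:opt|var|usr|home|srv|export)/[^\s"<>]+'
)

def leaked_paths(body):
    """Return absolute filesystem paths found in a response body."""
    return [m.rstrip('.,;)') for m in PATH_RE.findall(body)]

def classify(status, headers, body):
    """Map one response onto the outcomes discussed in the post."""
    if leaked_paths(body):
        return "LEAK"                      # server path still disclosed
    if status in (301, 302, 303, 307) and "Location" in headers:
        return "redirected"                # workaround 1: forced redirect
    return "no path in response"           # e.g. workaround 2: custom error page

def audit(responses):
    """responses: {request path: (status, headers, body)} -> {path: verdict}"""
    return {path: classify(*resp) for path, resp in responses.items()}

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "/shop/Application.cfm": (
        200, {},
        "<h1>Error</h1><p>Invalid request for template "
        "D:\\Inetpub\\wwwroot\\shop\\Application.cfm.</p>",
    ),
    "/shop/OnRequestEnd.cfm": (302, {"Location": "/shop/index.cfm"}, ""),
    "/news/Application.cfm": (404, {}, "<h1>Page not available</h1>"),
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{verdict:22} {path}")
```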
