Vulnerabilities > CVE-2002-0576 - Unspecified vulnerability in Allaire Coldfusion Server 4.0/4.5/5.0

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
allaire
nessus
NVD
Published: 2002-06-18
Updated: 2024-11-20

Summary

ColdFusion 5.0 and earlier on Windows systems allows remote attackers to determine the absolute pathname of .cfm or .dbm files via an HTTP request that contains an MS-DOS device name such as NUL, which leaks the pathname in an error message.

Vulnerable Configurations

Part Description Count
Application
Allaire
3

Nessus

NASL familyCGI abuses
NASL idCOLDFUSION_PATH_DISCLOSURE.NASL
descriptionIt was possible to make the remote web server disclose the physical path to its web root by requesting a MS-DOS device ending in .dbm (as in nul.dbm).
last seen2020-06-01
modified2020-06-02
plugin id11393
published2003-03-15
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11393
titleColdFusion on IIS cfm/dbm Diagnostic Error Path Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

#
# This script was written by Renaud Deraison <[email protected]>
# Modified by Paul Johnston for Westpoint Ltd to display the web root
#

include("compat.inc");

if(description)
{
 script_id(11393);
 script_version ("1.26");
 script_cvs_date("Date: 2018/06/13 18:56:26");

 script_cve_id("CVE-2002-0576");
 script_bugtraq_id(4542);

 script_name(english:"ColdFusion on IIS cfm/dbm Diagnostic Error Path Disclosure");
 script_summary(english:"Checks for a ColdFusion vulnerability");

 script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server is affected by a path
disclosure vulnerability." );
 script_set_attribute(attribute:"description", value:
"It was possible to make the remote web server disclose the physical
path to its web root by requesting a MS-DOS device ending in .dbm (as
in nul.dbm)." );
 # https://web.archive.org/web/20041206154712/http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0028.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3991a459" );
 script_set_attribute(attribute:"solution", value:
"The vendor suggests turning on 'Check that file exists' :

   Windows 2000:
   1. Open the Management console
   2. Click on 'Internet Information Services'
   3. Right-click on the website and select 'Properties'
   4. Select 'Home Directory'
   5. Click on 'Configuration'
   6. Select '.cfm'
   7. Click on 'Edit'
   8. Make sure 'Check that file exists' is checked
   9. Do the same for '.dbm'" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/04/18");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/15");

 script_set_attribute(attribute:"cpe",value:"cpe:/a:allaire:coldfusion_server");
 script_set_attribute(attribute:"plugin_type", value:"remote");

 script_end_attributes();

 script_category(ACT_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");

 script_dependencie("iis_detailed_error.nasl", "404_path_disclosure.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
if (get_kb_item("www/"+port+"/iis_detailed_errors"))  exit(0, "The web server listening on port "+port+" appears to be an instance of IIS that returns detailed error messages.");
if (get_kb_item("www/"+port+"/generic_path_disclosure"))  exit(0, "The web server listening on port "+port+" is known to be affected by a generic path disclosure vulnerability.");

url = "/nul.dbm";

res = test_generic_path_disclosure(item: url, 
                                   method: "GET", 
                                   port: port, 
                                   path_type: "windows",
                                   filename: "nul.dbm", 
                                   exit_on_fail: TRUE);
 
if (!res) exit(0, "The web server listening on port "+port+" is not affected.");

References