Coldfusion Path Disclosure Vulnerability-Help Required

From: Maverick The Techie (seclists4maverick@gmail.com)
Date: Fri Feb 25 2005 - 16:47:14 EST


Respected Members,

A few days ago, when I was doing a routine scan of my brother's
website to find vulnerabilities, Nikto reported this
vulnerability:
"nul..dbm - ColdFusion 5.0 and below, 4.0-5.0 reveal file system
paths of .cfm or .dbm files when the request contains invalid DOS
devices." I checked the Bugtraq archives for more info on this and
got the following:

"Certain Requests for certain DOS-devices are parsed by the isapi
filter that handles .cfm and .dbm and result in error messages
containing the physical path to the web root."

When I tried the above vulnerability and requested a nul.dbm
file on the website, I got the following, which indeed revealed the
path to the web root.

Here is what I saw (I changed the name of the site to protect private
info):

The requested file "F:\webcorp\acme.com\nul.dbm" cannot be found.

The specific sequence of files included or processed is:
F:\webcorp\acme.com\nul.dbm

Bugtraq says that this is called an input validation error, is
very critical and must be patched.

What I wanted to know is how this vulnerability can result in more
harm. I mean, after exploiting it all I got to know is the path and
nothing else. At this point, how can an attacker really exploit
this vulnerability and gain access to the web site or deface it?
In short:

How is it possible for an attacker to compromise the server or
deface the site when only the physical path is known?

Any responses with exploit examples would be highly appreciated as
that would help me test the exploit and prove that this is indeed a
red alert sign and should be patched immediately.

Thanking you

Maverick_12210
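
An added example, not part of the original post: a detection sketch that flags access-log requests for a DOS device name with a .cfm or .dbm extension, and checks a response body for a leaked physical path. The log lines, IP addresses, status codes and function names are constructed for illustration; the error text is the one quoted in the post.

```python
import re
from urllib.parse import urlsplit, unquote

# Reserved DOS device names; Windows resolves these as devices, not files.
DOS_DEVICES = {"nul", "con", "aux", "prn"} | {
    f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)}
CF_EXTENSIONS = {"cfm", "dbm"}  # extensions the advisory says the ISAPI filter handles

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')  # request + status
WIN_PATH_RE = re.compile(r'\b[A-Za-z]:\\[^\s"<>|*?]+')          # drive-letter path

def is_device_probe(url):
    """True if the requested file name is a DOS device with a .cfm/.dbm extension."""
    name = unquote(urlsplit(url).path).rsplit("/", 1)[-1].lower()
    if "." not in name:
        return False
    # Base is the text before the first dot, so "nul..dbm" still yields "nul".
    base, ext = name.split(".", 1)[0], name.rsplit(".", 1)[1]
    return base in DOS_DEVICES and ext in CF_EXTENSIONS

def find_probes(log_lines):
    """Return (url, status) for each logged request matching the probe pattern."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and is_device_probe(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits

def leaked_paths(body):
    """Return Windows absolute paths found in a response body."""
    return WIN_PATH_RE.findall(body)

# Constructed sample data (assumed log format and status codes, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Feb/2005:16:40:01 -0500] "GET /index.cfm HTTP/1.0" 200 5120',
    '192.0.2.77 - - [25/Feb/2005:16:41:12 -0500] "GET /nul.dbm HTTP/1.0" 500 412',
    '192.0.2.77 - - [25/Feb/2005:16:41:13 -0500] "GET /app/NUL..cfm?x=1 HTTP/1.0" 500 420',
    '192.0.2.10 - - [25/Feb/2005:16:42:00 -0500] "GET /console.cfm HTTP/1.0" 200 900',
]
SAMPLE_BODY = 'The requested file "F:\\webcorp\\acme.com\\nul.dbm" cannot be found.'

if __name__ == "__main__":
    for url, status in find_probes(SAMPLE_LOG):
        print(f"device-name probe: {url} -> HTTP {status}")
    print("paths leaked in response:", leaked_paths(SAMPLE_BODY))
```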


