At work, I’m often tasked with maintaining our legacy ColdFusion servers, and because I’m a systems admin, I have to be conscious of the security alerts our security team sends out. Here are some interesting tips from my adventures.
File Not Found Error Revealing DOS Path in Browser (ColdFusion 4, 5)
This one was interesting. I didn’t realize the old ColdFusion servers would reveal this type of information. But if you went to your CF site and requested a NUL.dbm (e.g. http://www.xxxxxx.com/nul.dbm), you would get an error message that revealed the DOS path to your server!
This type of information disclosure is a big no-no for obvious security reasons: you never want to give potential attackers any insight into what you have on the back end (the physical path tells them the drive, the web root and the directory layout to aim later attacks at). So, I did find a fix for it at this web site: http://www.securiteam.com/windowsntfocus/5LP0C0K75M.html.
The reason this is a problem is that NUL is a reserved device name in DOS and Windows. The name is recognized in every directory, and Windows treats NUL.dbm (a device name followed by an extension) as the same device, so a request for nul.dbm passes the web server’s usual "does this file exist?" test that would normally produce a 404. The request is instead handed to the ColdFusion handler mapped to the .dbm extension, which cannot open the "file" and reports the full physical path in its error page. The fix is to make IIS itself verify that a real file exists before passing the request on: in the application mapping for the .cfm and .dbm extensions, enable "Check that file exists". IIS then returns a normal 404 for nul.dbm (and for the other reserved names, such as CON, AUX, PRN, COM1 and LPT1) and the path disclosure goes away.
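To verify the fix took effect across a fleet of CF servers, here is a small probe script as an added example (not code from the original post or from the securiteam advisory). It generalizes from NUL.dbm to the full list of DOS device names and both ColdFusion extensions, requests each one, and flags any response body that contains a Windows drive or UNC path. The sample response bodies, the User-Agent string and the path regex are my own assumptions; the sample error text is constructed to have the shape of the disclosure, not a captured response.

```python
"""Probe for reserved-device-name path disclosure (NUL.dbm and friends).

Added example for the ColdFusion/IIS tip above; not the post's or the advisory's code.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Device names DOS/Windows reserves in every directory. Windows also treats
# NAME.ext (for example NUL.dbm) as the device, which is why a plain
# "does this file exist?" test in the web server is satisfied.
RESERVED_DEVICE_NAMES = (
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Matches a Windows drive path (C:\INETPUB\WWWROOT\nul.dbm) or a UNC path
# (\\server\share\...). Directory names may contain spaces; the final
# component stops at whitespace so surrounding prose is not swallowed.
DOS_PATH_RE = re.compile(
    r'(?:[A-Za-z]:\\|\\\\[^\\/:*?"<>|\s]+\\)'   # C:\  or  \\server\
    r'(?:[^\\/:*?"<>|\r\n]+\\)*'                # zero or more directory\ parts
    r'[^\\/:*?"<>|\s]*'                         # final file or directory name
)

# Constructed sample bodies (assumptions, not captured server output).
SAMPLE_ERROR_BODY = (
    "<html><body><h2>Error Occurred While Processing Request</h2>\n"
    "Cannot open file: C:\\INETPUB\\WWWROOT\\nul.dbm (Access denied)\n"
    "</body></html>"
)
SAMPLE_CLEAN_404 = "<html><body>HTTP 404 - The page cannot be found.</body></html>"


def is_reserved_device_name(filename: str) -> bool:
    """True if Windows would resolve this filename to a device, not a file.

    Only the part before the first dot matters, case-insensitively, so
    'nul.dbm' and 'COM1.cfm' are devices while 'nullable.cfm' is not.
    """
    stem = filename.split(".", 1)[0].strip()
    return stem.upper() in RESERVED_DEVICE_NAMES


def probe_urls(base_url: str, extensions=("dbm", "cfm")):
    """Every device-name/extension combination to request. base_url must end in '/'."""
    return [urljoin(base_url, f"{name.lower()}.{ext}")
            for name in RESERVED_DEVICE_NAMES for ext in extensions]


def find_dos_paths(body: str):
    """Return the Windows paths disclosed in a response body (empty list if none)."""
    return [m.group(0) for m in DOS_PATH_RE.finditer(body)]


def is_path_disclosure(body: str) -> bool:
    return bool(find_dos_paths(body))


def fetch(url: str, timeout: float = 10.0):
    """Fetch a URL and return (status, body), including for 4xx/5xx responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "nul-dbm-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("latin-1", "replace")


def scan(base_url: str):
    """Probe a live server; return {url: [disclosed paths]} for hits only.

    A server with "Check that file exists" enabled should produce no hits.
    """
    hits = {}
    for url in probe_urls(base_url):
        _status, body = fetch(url)
        paths = find_dos_paths(body)
        if paths:
            hits[url] = paths
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for url, paths in scan(sys.argv[1]).items():
            print(f"{url} -> {paths}")
    else:
        # Offline demonstration on the constructed sample body.
        print(find_dos_paths(SAMPLE_ERROR_BODY))
```

Run it as `python probe.py http://cfserver.example/` (the base URL needs the trailing slash) and expect no output once the IIS mapping is fixed; a line naming a path means the handler is still being reached for a device name. Note that the regex deliberately looks for any Windows path, so it will also catch the same disclosure if it comes back from a different extension you add to `probe_urls`.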